CVE-2018-15587: Signature Spoofing in PGP encrypted email

Related Vulnerabilities: CVE-2018-15587  

Debian Bug report logs - #924616


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 14 Mar 2019 22:21:02 UTC

Severity: grave

Tags: fixed-upstream, security

Fixed in versions evolution/3.30.5-1.1, evolution/3.22.6-1+deb9u2

Done: Jonas Meurer <jonas@freesources.org>

Forwarded to https://gitlab.gnome.org/GNOME/evolution/issues/120



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Thu, 14 Mar 2019 22:21:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 14 Mar 2019 22:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-15587
Date: Thu, 14 Mar 2019 23:18:39 +0100
Source: evolution
Severity: grave
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15587:

https://bugzilla.gnome.org/show_bug.cgi?id=796424
https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21
https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85

Cheers,
        Moritz
   



Set Bug forwarded-to-address to 'https://bugzilla.gnome.org/show_bug.cgi?id=796424'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Mar 2019 22:42:02 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 25 Mar 2019 19:30:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Sun, 07 Apr 2019 12:09:04 GMT)


Acknowledgement sent to Tobias Frost <tobi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 07 Apr 2019 12:09:05 GMT)


Message #14 received at 924616@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 924616@bugs.debian.org
Subject: Re: CVE-2018-15587
Date: Sun, 07 Apr 2019 14:07:50 +0200
Hi,

at the Salzburg BSP I was looking at this report,

On Thu, 14 Mar 2019 23:18:39 +0100 Moritz Muehlenhoff <jmm@debian.org>
wrote:
> Source: evolution
> Severity: grave
> Tags: security
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15587:
> 
> https://bugzilla.gnome.org/show_bug.cgi?id=796424
> https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21
> https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85

I was triaging it, but unfortunately cannot solve it...

Summary:
The second patch seems to be already applied, but the first one seems
not to be... However, I'm not sure if it does the trick as the specimen
attached to the forwarded bug still shows up as "verified"...


> Cheers,
>         Moritz



Changed Bug title to 'CVE-2018-15587: Signature Spoofing in PGP encrypted email' from 'CVE-2018-15587'. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Sun, 07 Apr 2019 14:09:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Tue, 23 Apr 2019 13:36:02 GMT)


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 23 Apr 2019 13:36:02 GMT)


Message #21 received at 924616@bugs.debian.org:

From: Jonas Meurer <jonas@freesources.org>
To: 924616@bugs.debian.org
Cc: Tobias Frost <tobi@debian.org>
Subject: Re: CVE-2018-15587
Date: Tue, 23 Apr 2019 15:32:41 +0200
[Message part 1 (text/plain, inline)]
Hello,

Tobias Frost <tobi@debian.org> wrote:
> On Thu, 14 Mar 2019 23:18:39 +0100 Moritz Muehlenhoff <jmm@debian.org>
> wrote:
> > Source: evolution
> > Severity: grave
> > Tags: security
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15587:
> >
> > https://bugzilla.gnome.org/show_bug.cgi?id=796424
> > https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21
> > https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85
>
> I was triaging it, but unfortunately cannot solve it...
>
> Summary:
> The second patch seems to be already applied, but the first one seems
> not to be... However, I'm not sure if it does the trick as the specimen
> attached to the forwarded bug still shows up as "verified"...

while working on this issue for Jessie LTS, I prepared a simple NMU
patch to fix the issue in evolution 3.30.5-1 from testing/buster.

Tobias is right that only 9c55a311325f5905d8b8403b96607e46cf343f21 is
missing for evolution, the other relevant commits are already in the
testing/buster version of evolution (3.30.5-1).

It turned out that the upstream commit applies cleanly to 3.30.5-1. I
did some smoke testing and the result was as expected: the security
header with information about encryption/signature of the message moved
above the headers section of the mail.

I opened a merge request[1] on salsa with a patch. I had to merge tag
debian/3.30.5-1 into the debian/buster branch first as it was out of date.
Anybody from the Debian Gnome Team who wants to do the upload? Otherwise
I could as well do the NMU.

Cheers
 jonas

PS: All related commits for evolution-data-server[2] are already in the
Buster version of evolution-data-server.

[1] https://salsa.debian.org/gnome-team/evolution/merge_requests/1
[2] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a296c64b48d12c356804f131048643eaa0a
    https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e2415681565e4dac00cf1c4303c313ad29e
    https://gitlab.gnome.org/GNOME/evolution-data-server/commit/5cd59aee67450e8750eb3cb2d357d0947f199f61

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Wed, 24 Apr 2019 09:12:03 GMT)


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2019 09:12:04 GMT)


Message #26 received at 924616@bugs.debian.org:

From: Jonas Meurer <jonas@freesources.org>
To: debian-lts@lists.debian.org
Cc: 924616@bugs.debian.org
Subject: RFT and RFC: Updates for evolution{,-data-server}
Date: Wed, 24 Apr 2019 11:08:44 +0200
[Message part 1 (text/plain, inline)]
Hello,

The last days, I spent quite some hours on backporting and debugging
patches for CVE-2018-15587 (Signature Spoofing in PGP encrypted email)
to evolution and evolution-data-server packages for Jessie LTS.

One problem is that the scope of CVE-2018-15587 is a bit blurry. While
the CVE description speaks specifically about the possibility to craft
emails in a way that they spuriously appear to be *signed* - a
vulnerability that got revealed in the aftermath of SigSpoof - the
corresponding bugreports link to several related OpenPGP weaknesses in
evolution{-data-server}.

E.g., our security tracker additionally links[1] to the upstream bugs
"[GPG] Mails that are not encrypted look encrypted"[2] and "Sometimes
fails to properly decrypt large GPG encrypted messages"[3].

[1] https://security-tracker.debian.org/tracker/CVE-2018-15587
[2] https://gitlab.gnome.org/GNOME/evolution-data-server/issues/3
[3] https://gitlab.gnome.org/GNOME/evolution-data-server/issues/75

I now have a working version of evolution - at least I tested it
thoroughly. It has both the signature spoofing and encryption spoofing
bugs fixed. You can find amd64 builds of the packages in my personal
repository[4], further testing much appreciated.

[4] https://people.debian.org/~mejo/debian/jessie-security/

With evolution-data-server, the situation is slightly more complicated.
I'm still debugging issues with the patches[5] that are supposed to fix
the "[GPG] Mails that are not encrypted look encrypted" issue.

[5] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a29
and https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e24

My question: do you agree that these fixes are within the scope of
CVE-2018-15587? If so, then I will continue working on the issue and
upload both of evolution and evolution-data-server in a batch once I got
the issues sorted out.

Another option would be to upload evolution to jessie-security right now
and decide that evolution-data-server is not affected by CVE-2018-15587,
since it's only prone to "encrypted message spoofing", not to "signature
spoofing". But in my eyes, that would be a sham.

Another problem is that I'm already five hours over my allocated LTS
time for April. I'm fine with doing some extra volunteer work on the
issue though.

Cheers
 jonas


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Wed, 24 Apr 2019 11:00:03 GMT)


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2019 11:00:03 GMT)


Message #31 received at 924616@bugs.debian.org:

From: Jonas Meurer <jonas@freesources.org>
To: debian-lts@lists.debian.org
Cc: 924616@bugs.debian.org
Subject: Re: RFT and RFC: Updates for evolution{,-data-server}
Date: Wed, 24 Apr 2019 12:56:18 +0200
[Message part 1 (text/plain, inline)]
Jonas Meurer:
> With evolution-data-server, the situation is slightly more complicated.
> I'm still debugging issues with the patches[5] that are supposed to fix
> the "[GPG] Mails that are not encrypted look encrypted" issue.
> 
> [5] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a29
> and https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e24
> 
> My question: do you agree that these fixes are within the scope of
> CVE-2018-15587? If so, then I will continue working on the issue and
> upload both of evolution and evolution-data-server in a batch once I got
> the issues sorted out.
> 
> Another option would be to upload evolution to jessie-security right now
> and decide that evolution-data-server is not affected by CVE-2018-15587,
> since it's only prone to "encrypted message spoofing", not to "signature
> spoofing". But in my eyes, that would be a sham.

Looking more into the core issue[1] of "[GPG] Mails that are not
encrypted look encrypted", it became clear that a lot of applications
(GnuPG[2], Enigmail[3], Mutt[4]) are affected and it's not tracked as a
security issue for any of them.

In fact it's tracked for evolution{,-data-server} in the debian security
tracker only because the issue is mentioned in the CVE-2018-15587
bugreport[5].

Besides, I agree with the bug author that "this bug is certainly not in
the same category as a serious security vulnerability, such as a
plaintext leak or a signature spoof"[1].

So I changed my mind and decided to ignore the "encryption spoofing" bug
and only care about "signature spoofing". This means that
evolution-data-server is unaffected and only evolution needs to be fixed.

Cheers
 jonas

[1] https://neopg.io/blog/encryption-spoof/
[2] https://dev.gnupg.org/T4000
[3] https://sourceforge.net/p/enigmail/bugs/854/
[4] https://gitlab.com/muttmua/mutt/issues/39
[5] https://gitlab.gnome.org/GNOME/evolution/issues/120

[signature.asc (application/pgp-signature, attachment)]
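The two messages above describe the same underlying problem from two angles: in message #21 the Evolution fix moves the security bar above the message headers, so that sender-controlled body content can no longer be mistaken for the client's own signed/encrypted indicator; in the message just above, the "encryption spoof" is a message that is not encrypted at all but is reported as such because the client trusts the wrong evidence. The following is an added example, not code from this thread, from Evolution or from GnuPG, of a client that derives its verdict only from GnuPG's machine-readable --status-fd records and then renders the bar in a fixed position above the headers. The status keywords (ENC_TO, BEGIN_DECRYPTION, DECRYPTION_OKAY, PLAINTEXT, GOODSIG, VALIDSIG, BADSIG, ERRSIG) are the ones GnuPG documents in its DETAILS file; the sample status output, key id and fingerprint are constructed placeholders, and the function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Constructed sample of `gpg --status-fd` output for a message that really was
# encrypted to us and carries a good signature. Key id and fingerprint are
# placeholders, not real keys.
GENUINE_STATUS = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <sender@example.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2019-04-24 1556100000 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

# Constructed sample for the "encryption spoof": the OpenPGP data is only a
# literal (plaintext) packet. gpg unpacks it, prints it and exits 0, but no
# decryption ever happened and no signature is involved.
LITERAL_ONLY_STATUS = """\
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] PLAINTEXT_LENGTH 123
"""


@dataclass(frozen=True)
class Verdict:
    encrypted: bool
    signed: bool
    signer_fpr: Optional[str]


def naive_is_encrypted(exit_code: int) -> bool:
    """The weak check: treat a successful `gpg --decrypt` run as proof of
    encryption. This is what the literal-only message exploits."""
    return exit_code == 0


def parse_status_lines(status_output: str) -> List[Tuple[str, List[str]]]:
    """Split '[GNUPG:] KEYWORD arg ...' records into (keyword, args) pairs,
    ignoring any line that is not a status record."""
    records = []
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            records.append((parts[0], parts[1:]))
    return records


def verdict_from_status(status_output: str) -> Verdict:
    """Derive signed/encrypted state from status records only, never from
    the exit code or from what the rendered body looks like."""
    records = parse_status_lines(status_output)
    seen = {keyword for keyword, _ in records}
    # Encrypted: a decryption must have started and been reported OK.
    encrypted = "BEGIN_DECRYPTION" in seen and "DECRYPTION_OKAY" in seen
    # Signed: a good and valid signature, with no failing signature record.
    failing = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"} & seen
    signed = "GOODSIG" in seen and "VALIDSIG" in seen and not failing
    fpr = None
    if signed:
        for keyword, args in records:
            if keyword == "VALIDSIG" and args:
                fpr = args[0]  # first VALIDSIG argument is the fingerprint
                break
    return Verdict(encrypted=encrypted, signed=signed, signer_fpr=fpr)


def security_bar(verdict: Verdict) -> str:
    """Text of the client's own indicator, computed solely from the verdict."""
    enc = "Encrypted" if verdict.encrypted else "Not encrypted"
    sig = f"Signed by {verdict.signer_fpr}" if verdict.signed else "Not signed"
    return f"[security] {enc}, {sig}"


def render_message(verdict: Verdict, headers: Dict[str, str], body: str) -> List[str]:
    """Assemble the displayed message as ordered sections. The security bar
    always comes first, above the headers; the sender-controlled body is
    always last, so nothing in it can sit where the bar is expected."""
    header_lines = [f"{name}: {value}" for name, value in headers.items()]
    return [security_bar(verdict), *header_lines, "", body]


if __name__ == "__main__":
    spoof_body = "<b>[security] Encrypted, Signed by ABCDEF...</b>\nHello"
    for label, status in (("genuine", GENUINE_STATUS), ("literal-only", LITERAL_ONLY_STATUS)):
        v = verdict_from_status(status)
        print(label, "exit-code check:", naive_is_encrypted(0), "status check:", v)
        print("\n".join(render_message(v, {"From": "sender@example.org"}, spoof_body)))
```

The contrast with `naive_is_encrypted` is the point: a literal-only message makes gpg exit 0, so an exit-code check reports "encrypted" while the status-based verdict does not, and because the bar is rendered from the verdict and placed above the headers, a body that imitates the bar's text still appears below a bar that says "Not encrypted, Not signed". A real client also has to handle NO_PUBKEY, key trust levels and expired keys; the example only covers the two cases discussed in this thread.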

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Wed, 24 Apr 2019 19:21:03 GMT)


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2019 19:21:03 GMT)


Message #36 received at 924616@bugs.debian.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Jonas Meurer <jonas@freesources.org>
Cc: debian-lts@lists.debian.org, 924616@bugs.debian.org
Subject: Re: RFT and RFC: Updates for evolution{,-data-server}
Date: Wed, 24 Apr 2019 19:19:33 +0000
[Message part 1 (text/plain, inline)]
Hi Jonas,

On  Mi 24 Apr 2019 12:56:18 CEST, Jonas Meurer wrote:

> Jonas Meurer:
>> With evolution-data-server, the situation is slightly more complicated.
>> I'm still debugging issues with the patches[5] that are supposed to fix
>> the "[GPG] Mails that are not encrypted look encrypted" issue.
>>
>> [5] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a29
>> and https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e24
>>
>> My question: do you agree that these fixes are within the scope of
>> CVE-2018-15587? If so, then I will continue working on the issue and
>> upload both of evolution and evolution-data-server in a batch once I got
>> the issues sorted out.
>>
>> Another option would be to upload evolution to jessie-security right now
>> and decide that evolution-data-server is not affected by CVE-2018-15587,
>> since it's only prone to "encrypted message spoofing", not to "signature
>> spoofing". But in my eyes, that would be a sham.
>
> Looking more into the core issue[1] of "[GPG] Mails that are not
> encrypted look encrypted", it became clear that a lot of applications
> (GnuPG[2], Enigmail[3], Mutt[4]) are affected and it's not tracked as a
> security issue for any of them.

Is it required to coordinate a corresponding update of those CVEs in
data/CVE/list with the security team? Sounds like it.

> In fact it's tracked for evolution{,-data-server} in the debian security
> tracker only because the issue is mentioned in the CVE-2018-15587
> bugreport[5].
>
> Besides, I agree with the bug author that "this bug is certainly not in
> the same category as a serious security vulnerability, such as a
> plaintext leak or a signature spoof"[1].
>
> So I changed my mind and decided to ignore the "encryption spoofing" bug
> and only care about "signature spoofing". This means that
> evolution-data-server is unaffected and only evolution needs to be fixed.

Your choice of priority sounds good to me.

Mike


-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Thu, 25 Apr 2019 11:12:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 25 Apr 2019 11:12:03 GMT)


Message #41 received at 924616@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jonas Meurer <jonas@freesources.org>, 924616@bugs.debian.org
Cc: debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#924616: RFT and RFC: Updates for evolution{,-data-server}
Date: Thu, 25 Apr 2019 13:09:34 +0200
Hi Jonas

[Adding security team alias, as debian-lts is not followed
automatically]

On Wed, Apr 24, 2019 at 11:08:44AM +0200, Jonas Meurer wrote:
> Hello,
> 
> The last days, I spent quite some hours on backporting and debugging
> patches for CVE-2018-15587 (Signature Spoofing in PGP encrypted email)
> to evolution and evolution-data-server packages for Jessie LTS.	
> 
> One problem is that the scope of CVE-2018-15587 is a bit blurry. While
> the CVE description speaks specifically about the possibility to craft
> emails in a way that they spuriously appear to be *signed* - a
> vulnerability that got revealed in the aftermath of SigSpoof - the
> corresponding bugreports link to several related OpenPGP weaknesses in
> evolution{-data-server}.
[...]

You are right that the CVE is specifically for the signature spoofing
issue. It's still not fully clear, but I think it is best to stick to
that. This is the reason I yesterday reverted my previous f6f251cff480
("Track evolution-data-server under CVE-2018-15587 and add upstream
references")[1] following the reasoning, in 34c907a0fb48[2] ("Do not
track evolution-data-server under CVE-2018-15587").

 [1]  https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6f251cff4801a452acddc3256bbb77e8e4050b8
 [2]  https://salsa.debian.org/security-tracker-team/security-tracker/commit/34c907a0fb48667022f6b16fef327318a8f1ada8

If at all (but I expect not at the moment) the issues related to emails
appearing to be encrypted receive a CVE, we can start tracking those in
the tracker. Likewise for the other source packages, if they arise.

OTOH at least some other distros seem to relate the CVE to the
secondary issues as well. But I think the strict interpretation of the
CVE assignment is as you outlined.

Regards,
Salvatore



Changed Bug forwarded-to-address to 'https://gitlab.gnome.org/GNOME/evolution/issues/120' from 'https://bugzilla.gnome.org/show_bug.cgi?id=796424'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2019 11:18:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Fri, 26 Apr 2019 18:48:03 GMT)


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Fri, 26 Apr 2019 18:48:03 GMT)


Message #48 received at 924616@bugs.debian.org:

From: Jonas Meurer <jonas@freesources.org>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: debian-lts@lists.debian.org, 924616@bugs.debian.org
Subject: Re: RFT and RFC: Updates for evolution{,-data-server}
Date: Fri, 26 Apr 2019 20:46:32 +0200
[Message part 1 (text/plain, inline)]
Hi Mike,

Mike Gabriel:
> On  Mi 24 Apr 2019 12:56:18 CEST, Jonas Meurer wrote:
> 
>> Jonas Meurer:
>>> With evolution-data-server, the situation is slightly more complicated.
>>> I'm still debugging issues with the patches[5] that are supposed to fix
>>> the "[GPG] Mails that are not encrypted look encrypted" issue.
>>>
>>> [5] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a29
>>> and https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e24
>>>
>>> My question: do you agree that these fixes are within the scope of
>>> CVE-2018-15587? If so, then I will continue working on the issue and
>>> upload both of evolution and evolution-data-server in a batch once I got
>>> the issues sorted out.
>>>
>>> Another option would be to upload evolution to jessie-security right now
>>> and decide that evolution-data-server is not affected by CVE-2018-15587,
>>> since it's only prone to "encrypted message spoofing", not to "signature
>>> spoofing". But in my eyes, that would be a sham.
>>
>> Looking more into the core issue[1] of "[GPG] Mails that are not
>> encrypted look encrypted", it became clear that a lot of applications
>> (GnuPG[2], Enigmail[3], Mutt[4]) are affected and it's not tracked as a
>> security issue for any of them.
> 
> Is it required to coordinate a corresponding update of those CVEs in
> data/CVE/list with the security team? Sounds like it.

Yep, you're correct. The Security Team is in the loop now and basically
agrees with my evaluation.

>> In fact it's tracked for evolution{,-data-server} in the debian security
>> tracker only because the issue is mentioned in the CVE-2018-15587
>> bugreport[5].
>>
>> Besides, I agree with the bug author that "this bug is certainly not in
>> the same category as a serious security vulnerability, such as a
>> plaintext leak or a signature spoof"[1].
>>
>> So I changed my mind and decided to ignore the "encryption spoofing" bug
>> and only care about "signature spoofing". This means that
>> evolution-data-server is unaffected and only evolution needs to be fixed.
> 
> Your choice of priority sounds good to me.

Thanks a lot for your comments! I just went ahead and uploaded a fixed
evolution to jessie-security. I also consequently removed
evolution-data-server from data/dla-needed.txt.

Cheers
 jonas


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Wed, 29 May 2019 05:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 29 May 2019 05:03:03 GMT)


Message #53 received at 924616@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 924616@bugs.debian.org, Jonas Meurer <jonas@freesources.org>
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#924616: CVE-2018-15587
Date: Wed, 29 May 2019 06:59:10 +0200
Hi Jonas, hi Evolution maintainers,

What is the status here for buster?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#924616; Package src:evolution. (Tue, 04 Jun 2019 10:57:06 GMT)


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 04 Jun 2019 10:57:06 GMT)


Message #58 received at 924616@bugs.debian.org:

From: Jonas Meurer <jonas@freesources.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 924616@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#924616: CVE-2018-15587
Date: Tue, 4 Jun 2019 12:30:30 +0200
[Message part 1 (text/plain, inline)]
Hi Salvatore, hi Evolution maintainers,

Salvatore Bonaccorso:
> Hi Jonas, hi Evolution maintainers,
> 
> What is the status here for buster?

Thanks for prodding :)

I'll take care of this via NMU during MiniDebCamp in Hamburg (this week)
if nobody objects.

Cheers
 jonas


[signature.asc (application/pgp-signature, attachment)]

Reply sent to Jonas Meurer <jonas@freesources.org>:
You have taken responsibility. (Wed, 05 Jun 2019 17:36:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 05 Jun 2019 17:36:03 GMT)


Message #63 received at 924616-close@bugs.debian.org:

From: Jonas Meurer <jonas@freesources.org>
To: 924616-close@bugs.debian.org
Subject: Bug#924616: fixed in evolution 3.30.5-1.1
Date: Wed, 05 Jun 2019 17:33:40 +0000
Source: evolution
Source-Version: 3.30.5-1.1

We believe that the bug you reported is fixed in the latest version of
evolution, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924616@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <jonas@freesources.org> (supplier of updated evolution package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 05 Jun 2019 14:31:36 +0200
Source: evolution
Architecture: source
Version: 3.30.5-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jonas Meurer <jonas@freesources.org>
Closes: 924616
Changes:
 evolution (3.30.5-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2018-15587: backport patch to mitigate possible signature/encryption:
     Show security bar above message headers. (Closes: #924616)
Checksums-Sha1:
 40a4da8c6ae43a70483b0eaadbb27e4adb407a49 3803 evolution_3.30.5-1.1.dsc
 8e7703b0177e660226597b196156c24c8cab4d12 37676 evolution_3.30.5-1.1.debian.tar.xz
 a093941aac5c0b5b28bc87c4f64d3178383abebb 26969 evolution_3.30.5-1.1_amd64.buildinfo
Checksums-Sha256:
 fbe51c304c0747d8d8979a497ce8c30b631a0b618c2c8aff4d1965dcc0f0f246 3803 evolution_3.30.5-1.1.dsc
 bb0dfab835329074cd7ec0aad82b2c3ead344737065bfd291920d57aaec6cf85 37676 evolution_3.30.5-1.1.debian.tar.xz
 30f4ec6058c8656987c91526960ef9cbf732c50d541c86830611fc05e01e8575 26969 evolution_3.30.5-1.1_amd64.buildinfo
Files:
 2fdd94a64c01540a0924ae0b6a92bc4c 3803 gnome optional evolution_3.30.5-1.1.dsc
 881114371458bed4a6b997c66057dfa6 37676 gnome optional evolution_3.30.5-1.1.debian.tar.xz
 5b15673ca4e71ce6c79cacb5c6e2fb2f 26969 gnome optional evolution_3.30.5-1.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Jonas Meurer <jonas@freesources.org>:
You have taken responsibility. (Fri, 07 Jun 2019 10:06:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 07 Jun 2019 10:06:04 GMT)


Message #68 received at 924616-close@bugs.debian.org:

From: Jonas Meurer <jonas@freesources.org>
To: 924616-close@bugs.debian.org
Subject: Bug#924616: fixed in evolution 3.22.6-1+deb9u2
Date: Fri, 07 Jun 2019 10:02:09 +0000
Source: evolution
Source-Version: 3.22.6-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
evolution, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924616@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <jonas@freesources.org> (supplier of updated evolution package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Jun 2019 13:03:50 +0200
Source: evolution
Binary: evolution libevolution evolution-common evolution-dev evolution-plugins evolution-plugins-experimental
Architecture: source all amd64
Version: 3.22.6-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Evolution Maintainers <pkg-evolution-maintainers@lists.alioth.debian.org>
Changed-By: Jonas Meurer <jonas@freesources.org>
Description:
 evolution  - groupware suite with mail client and organizer
 evolution-common - architecture independent files for Evolution
 evolution-dev - development library files for Evolution
 evolution-plugins - standard plugins for Evolution
 evolution-plugins-experimental - experimental plugins for Evolution
 libevolution - evolution libraries
Closes: 924616
Changes:
 evolution (3.22.6-1+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-15587: backport patches to mitigate possible signature/encryption
     spoofing in PGP encrypted mail. (Closes: #924616)
     + [GPG] Mails that are not encrypted look encrypted
     + Show security bar above message headers
Checksums-Sha1:
 a28b412bfc6c3491ebdf98568c7feb48e9b1ca4f 3758 evolution_3.22.6-1+deb9u2.dsc
 797aa0a263e5f92079e20d3f5e9aa52dc58baccf 12288232 evolution_3.22.6.orig.tar.xz
 a12d69423ed81144ea16f4d5fdc51ed039bbe6e2 37840 evolution_3.22.6-1+deb9u2.debian.tar.xz
 a02c4ef493fb9371c5cbc5d2b2543d87504bfb9f 7429538 evolution-common_3.22.6-1+deb9u2_all.deb
 0840dd68b26ebdaddf6c15eb16bc1beea6e32dbf 106456 evolution-dbgsym_3.22.6-1+deb9u2_amd64.deb
 b9e13e82316d842c00464cacd94a1f959699258f 596080 evolution-dev_3.22.6-1+deb9u2_amd64.deb
 971ab01dcfd30cf42132a610bcfc5e180d8ddf9c 385742 evolution-plugins-dbgsym_3.22.6-1+deb9u2_amd64.deb
 40c1ba6564e2824792345a40e44f87df9dca1e48 18508 evolution-plugins-experimental-dbgsym_3.22.6-1+deb9u2_amd64.deb
 31ff36d0ab3edfd06ccf73b9b99acc3a0a8ac9a7 39158 evolution-plugins-experimental_3.22.6-1+deb9u2_amd64.deb
 a26c269491dd4f7e91f1efe743466ba67559c0ab 122676 evolution-plugins_3.22.6-1+deb9u2_amd64.deb
 a6622c35a2aaa7f79b21525db3973c640ea6651f 23599 evolution_3.22.6-1+deb9u2_amd64.buildinfo
 04af3b0d956ea2ad6d27bfe075a2fc6d9b1b3f2d 284912 evolution_3.22.6-1+deb9u2_amd64.deb
 ad39811c71f640c5f4f6f535224c2c4c61e6d4bd 12667936 libevolution-dbgsym_3.22.6-1+deb9u2_amd64.deb
 966dbdfe4ee125f605e5b9c1f69941cee33cdd15 2347066 libevolution_3.22.6-1+deb9u2_amd64.deb
Checksums-Sha256:
 a17e7ec9067a2d5b534ef00b8616383b9b9e11b9281ea29c3c0798f73a3ac34f 3758 evolution_3.22.6-1+deb9u2.dsc
 9f4be4a1d5ee4d5eb9b132cf751ba3afc833025aa6dc7baa1f9483489d8a943e 12288232 evolution_3.22.6.orig.tar.xz
 4f1e8bce9cfa828b6314d4f3a3d0c5261ad91465766511e0efc6c612c66fec61 37840 evolution_3.22.6-1+deb9u2.debian.tar.xz
 7fb06d6bab4e6d81cd4df9ad447cccc456f0b460d57ffe41f0dbf9df22454fc6 7429538 evolution-common_3.22.6-1+deb9u2_all.deb
 2493c7609d564255d04a0e277fe92d4784b910bce8a1bb4aee69ba2845b03beb 106456 evolution-dbgsym_3.22.6-1+deb9u2_amd64.deb
 e5d7147f2f315a1dd00f72b726bcf70339924b89c156252622e9cbb5eb18ffb1 596080 evolution-dev_3.22.6-1+deb9u2_amd64.deb
 edcdbc8d26788d70a7661e611d3557168224246767ea6bf0f5672744d521c5c1 385742 evolution-plugins-dbgsym_3.22.6-1+deb9u2_amd64.deb
 b24bb01a16caad9b84b222a86b09d6a7dc1b91f45662affe359270b0ba81ddf8 18508 evolution-plugins-experimental-dbgsym_3.22.6-1+deb9u2_amd64.deb
 814018d997cf054442cf928aad6f68dc5727a528f288ede558d43e32e2f0ec84 39158 evolution-plugins-experimental_3.22.6-1+deb9u2_amd64.deb
 7ed339ee82d2825809a83495f998adeb88cd88fbc82ce47f60384b6a3c859d96 122676 evolution-plugins_3.22.6-1+deb9u2_amd64.deb
 d76a017eaa67eab97bc8c7ea0174798434375310357d0075aa43a3ff4e420e82 23599 evolution_3.22.6-1+deb9u2_amd64.buildinfo
 c87d6820eb29d580b21131ba7486d2608847c6e9fd5cec08f69777c07747aa48 284912 evolution_3.22.6-1+deb9u2_amd64.deb
 09437cdece9422a6b6dec94bd6c3f018eb7acf66af48d88ba78becd2caecca66 12667936 libevolution-dbgsym_3.22.6-1+deb9u2_amd64.deb
 152068aec6a5ede7ec2d44563258840dd3e9b25edd1cd83660ad5ac2a25af764 2347066 libevolution_3.22.6-1+deb9u2_amd64.deb
Files:
 0eb7533b2201a6e321905b8599716f35 3758 gnome optional evolution_3.22.6-1+deb9u2.dsc
 0b839838df678bc6e50b41059856fadb 12288232 gnome optional evolution_3.22.6.orig.tar.xz
 f97c2f7a5b4d02046671f6f197312a8c 37840 gnome optional evolution_3.22.6-1+deb9u2.debian.tar.xz
 0ca5323de40177114c38aea696d47e6d 7429538 gnome optional evolution-common_3.22.6-1+deb9u2_all.deb
 840c863de11895971ceed338ab84c560 106456 debug extra evolution-dbgsym_3.22.6-1+deb9u2_amd64.deb
 7cca63950bb2595d6da7f894a57d5624 596080 devel optional evolution-dev_3.22.6-1+deb9u2_amd64.deb
 c4ade26e4b2279b3ff485179b1d887c2 385742 debug extra evolution-plugins-dbgsym_3.22.6-1+deb9u2_amd64.deb
 88c455494c28242bbcd22acacb44e3a3 18508 debug extra evolution-plugins-experimental-dbgsym_3.22.6-1+deb9u2_amd64.deb
 f25f23e6983b0d68ff70eeb22ad8b69b 39158 gnome optional evolution-plugins-experimental_3.22.6-1+deb9u2_amd64.deb
 63f42a8993fcacee8d3101a14bb71a22 122676 gnome optional evolution-plugins_3.22.6-1+deb9u2_amd64.deb
 b3918be0a58b569cc6ce02db256999d4 23599 gnome optional evolution_3.22.6-1+deb9u2_amd64.buildinfo
 47a96b43daf24197af8a0bf5d764d4c1 284912 gnome optional evolution_3.22.6-1+deb9u2_amd64.deb
 81021c0ffb29a3aace65f3a624ef7e1d 12667936 debug extra libevolution-dbgsym_3.22.6-1+deb9u2_amd64.deb
 2e858e8c266bc1bf2d0cf997af8fa470 2347066 libs optional libevolution_3.22.6-1+deb9u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:43:24 2019; Machine Name: buxtehude
