Debian has released a security update for the evolution package.
This release fixes a vulnerability in the evolution package.
Date Reported: 14-Mar-2019
Fix Released On: 07-June-2019
Severity Level: Medium
Affected Packages: evolution
Affected Operating System & Version:
- Debian 8 (Jessie)
- Debian 9 (Stretch)
Details:
Hanno Böck discovered that Evolution was vulnerable to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted HTML email. This issue was mitigated by moving the security bar with encryption and signature information above the message headers.
It’s recommended to update the evolution package ASAP.
For more details about the security issues, and other related information, refer to the CVE pages.
Debian Security Advisory References:
Security Database References (CVE):
Solution:
- This issue has been fixed on Debian 9 (Stretch) in version 3.22.6-1+deb9u2.
- This issue has been fixed on Debian 8 (Jessie) in version 3.12.9~git20141130.241663-1+deb8u1.
Run the following command to install the above updates.
$ sudo apt install --only-upgrade evolution
or
$ sudo apt install unattended-upgrades
The installed security fixes can be verified in the package change log using the following methods.
Using the manual method:
$ zgrep -i "CVE-2018-15587" /usr/share/doc/evolution/changelog.Debian.gz
Using the debsecan command:
$ debsecan | grep CVE-2018-15587
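To run the same check across many hosts, the installed versions can be compared against the fixed versions listed under Solution. The following is an added example, not part of the original advisory: it follows Debian's version ordering, in which "~" sorts before everything, including the end of the string, and that matters for the Jessie version string. The function names, host names and inventory rows are constructed for illustration.

```python
import re
# Fixed versions for CVE-2018-15587, copied from the Solution section above.
FIXED = {"stretch": "3.22.6-1+deb9u2",
         "jessie": "3.12.9~git20141130.241663-1+deb8u1"}

def _order(c):
    """dpkg sort weight of a non-digit character: '~' lowest, letters, then the rest."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one upstream or revision string; 0 pads a run that ended early."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        wa = [_order(c) for c in na] + [0] * len(nb)
        wb = [_order(c) for c in nb] + [0] * len(na)
        if wa != wb:
            return -1 if wa < wb else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def deb_cmp(x, y):
    """Return -1, 0 or 1 as Debian version x is older than, equal to or newer than y."""
    keys = []
    for v in (x, y):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        keys.append((int(epoch), *(rest.rsplit("-", 1) if "-" in rest else (rest, ""))))
    (ea, ua, ra), (eb, ub, rb) = keys
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(rows):
    """Return (host, version) for rows older than the fix for their release."""
    split = (row.split() for row in rows)
    return [(h, v) for h, rel, v in split if deb_cmp(v, FIXED[rel]) < 0]

SAMPLE = [  # constructed inventory rows: "host release installed-version"
    "mail01 stretch 3.22.6-1+deb9u1",
    "mail02 stretch 3.22.6-1+deb9u2",
    "desk07 jessie 3.12.9~git20141130.241663-1+b1",
    "desk08 jessie 3.12.9~git20141130.241663-1+deb8u1",
]

if __name__ == "__main__":
    print(unpatched(SAMPLE))
```

On a single Debian host, `dpkg --compare-versions` performs the same comparison.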