CVE-2018-15587 : Debian has Released Security Update for evolution


Debian has released a security update for the evolution package.

This release fixes a vulnerability in the evolution package.

Date Reported: 14-Mar-2019

Fix Released On: 07-June-2019

Severity Level: Medium

Affected Packages: evolution

Affected Operating System & Version:

  • Debian 8 (Jessie)
  • Debian 9 (Stretch)

Details:

Hanno Böck discovered that Evolution was vulnerable to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted HTML email. This issue was mitigated by moving the security bar with encryption and signature information above the message headers.

It’s recommended to update the evolution package ASAP.

For more details about the security issues, and other related information, refer to the CVE pages.

Debian Security Advisory References:

Security Database References (CVE):

Solution:

  • This issue has been fixed on Debian 9 (Stretch) in version 3.22.6-1+deb9u2.
  • This issue has been fixed on Debian 8 (Jessie) in version 3.12.9~git20141130.241663-1+deb8u1.

Run the following command to install the above updates.

$ sudo apt install --only-upgrade evolution
or
$ sudo apt install unattended-upgrades

The installed security fix can be verified in the package changelog or with debsecan, using the following methods.

Using the manual method:

$ zgrep -i "CVE-2018-15587" /usr/share/doc/evolution/changelog.Debian.gz

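Using the debsecan command (it lists vulnerabilities that still affect installed packages, so no output means the fix is in place):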

$ debsecan | grep CVE-2018-15587

