- ---------------------------------------------------------------------                   Red Hat Security Advisory

Synopsis:          Moderate: evolution-data-server security update
Advisory ID:       RHSA-2007:0344-01
Advisory URL:      https://access.redhat.com/errata/RHSA-2007:0344.html
Issue date:        2007-05-30
Updated on:        2007-05-30
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-1558 
- ---------------------------------------------------------------------1. Summary:

Updated evolution-data-server package that fixes a security bug are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

The evolution-data-server package provides a unified backend for programs
that work with contacts, tasks, and calendar information.

A flaw was found in the way evolution-data-server processed certain APOP
authentication requests. By sending certain responses when
evolution-data-server attempted to authenticate against an APOP server, a
remote attacker could potentially acquire certain portions of a user's
authentication credentials. (CVE-2007-1558)

All users of evolution-data-server should upgrade to these updated
packages, which contain a backported patch which resolves this issue.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at

5. Bug IDs fixed (http://bugzilla.redhat.com/):

235289 - CVE-2007-1558 Evolution APOP information disclosure

6. RPMs required:

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
2dc38ea8fd12a3654ddf4bd36dd3f0c8  evolution-data-server-1.8.0-15.0.3.el5.src.rpm

i386:
12a37eee5ad4c2a982eebefd8b2d5686  evolution-data-server-1.8.0-15.0.3.el5.i386.rpm
f763fab632e616cd201ca80e9f54010c  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.i386.rpm

x86_64:
12a37eee5ad4c2a982eebefd8b2d5686  evolution-data-server-1.8.0-15.0.3.el5.i386.rpm
e9049a57a4a46768187c942d09ed18e1  evolution-data-server-1.8.0-15.0.3.el5.x86_64.rpm
f763fab632e616cd201ca80e9f54010c  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.i386.rpm
7f6536db1f877c1b4f7c741fa0d39205  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
2dc38ea8fd12a3654ddf4bd36dd3f0c8  evolution-data-server-1.8.0-15.0.3.el5.src.rpm

i386:
f763fab632e616cd201ca80e9f54010c  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.i386.rpm
85d93f27c86928de6a3e861f3c9dc68c  evolution-data-server-devel-1.8.0-15.0.3.el5.i386.rpm

x86_64:
f763fab632e616cd201ca80e9f54010c  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.i386.rpm
7f6536db1f877c1b4f7c741fa0d39205  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.x86_64.rpm
85d93f27c86928de6a3e861f3c9dc68c  evolution-data-server-devel-1.8.0-15.0.3.el5.i386.rpm
89bff966c9bec550c442038a2028135c  evolution-data-server-devel-1.8.0-15.0.3.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
2dc38ea8fd12a3654ddf4bd36dd3f0c8  evolution-data-server-1.8.0-15.0.3.el5.src.rpm

i386:
12a37eee5ad4c2a982eebefd8b2d5686  evolution-data-server-1.8.0-15.0.3.el5.i386.rpm
f763fab632e616cd201ca80e9f54010c  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.i386.rpm
85d93f27c86928de6a3e861f3c9dc68c  evolution-data-server-devel-1.8.0-15.0.3.el5.i386.rpm

ia64:
6ba76e70eb9826231d246797ab6b21c7  evolution-data-server-1.8.0-15.0.3.el5.ia64.rpm
da4300ef017ecd2c01853894b47b2e6b  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.ia64.rpm
2662f80f6af03a05e2d064b2ace99c24  evolution-data-server-devel-1.8.0-15.0.3.el5.ia64.rpm

ppc:
4539079a11bca9401812c12d59ceb6e1  evolution-data-server-1.8.0-15.0.3.el5.ppc.rpm
77b4f4f8897286bc0d10d51e32838572  evolution-data-server-1.8.0-15.0.3.el5.ppc64.rpm
4b37d2c9d8512fda671864484d550833  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.ppc.rpm
28cb1a7aad5d3be6adfe3e09009ddbb5  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.ppc64.rpm
179b33eab82f94e18069641ae5c252aa  evolution-data-server-devel-1.8.0-15.0.3.el5.ppc.rpm
54367c5a72247c9acc6663e164fe8839  evolution-data-server-devel-1.8.0-15.0.3.el5.ppc64.rpm

s390x:
e845ec48cdc8df471d5d114a93e21344  evolution-data-server-1.8.0-15.0.3.el5.s390.rpm
c0c440eb4ed5dd2d930434a3a92a8461  evolution-data-server-1.8.0-15.0.3.el5.s390x.rpm
1c4626a99ac75f4b68598e1c2c324b6a  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.s390.rpm
e47ff2ee3fc82654354792db8cd458b1  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.s390x.rpm
8d834b7fe2e3c55da02516402f5b5970  evolution-data-server-devel-1.8.0-15.0.3.el5.s390.rpm
88b102e274ed7c5eac65147b3922b567  evolution-data-server-devel-1.8.0-15.0.3.el5.s390x.rpm

x86_64:
12a37eee5ad4c2a982eebefd8b2d5686  evolution-data-server-1.8.0-15.0.3.el5.i386.rpm
e9049a57a4a46768187c942d09ed18e1  evolution-data-server-1.8.0-15.0.3.el5.x86_64.rpm
f763fab632e616cd201ca80e9f54010c  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.i386.rpm
7f6536db1f877c1b4f7c741fa0d39205  evolution-data-server-debuginfo-1.8.0-15.0.3.el5.x86_64.rpm
85d93f27c86928de6a3e861f3c9dc68c  evolution-data-server-devel-1.8.0-15.0.3.el5.i386.rpm
89bff966c9bec550c442038a2028135c  evolution-data-server-devel-1.8.0-15.0.3.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.