Test ID: | 1.3.6.1.4.1.25623.1.0.63581 |
Category: | Red Hat Local Security Checks |
Title: | RedHat Security Advisory RHSA-2009:0355 |
Summary: | The remote host is missing updates announced in advisory RHSA-2009:0355 (Evolution and Evolution Data Server: S/MIME signature spoofing, NTLM challenge handling, Base64 integer overflows). |
Description: | The remote host is missing updates announced in advisory RHSA-2009:0355.

Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. It was originally developed as a back-end for Evolution, but is now used by multiple other applications.

Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547)

Evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause Evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582)

Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. These could cause Evolution, or an application using evolution-data-server, to crash or possibly execute arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587)

All users of evolution and evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution and evolution-data-server must be restarted for the update to take effect.

Solution: This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date

CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
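The NTLM issue (CVE-2009-0582) in the Description above is, at bottom, a bounds-checking problem: the server's challenge message carries length/offset fields that point into the message's own payload, and a client that trusts them reads outside the received buffer. The C program below is an added illustration of that bug class and of the check that closes it; it is not Evolution's or evolution-data-server's code. The field layout follows the publicly documented NTLMSSP Type 2 (CHALLENGE_MESSAGE) format; the sample messages are constructed in code, not captured traffic, and the flag value and challenge bytes in them are arbitrary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the CVE-2009-0582 bug class (not Evolution's code).
 * NTLM Type 2 layout: 0 "NTLMSSP\0" | 8 MessageType(u32) | 12 TargetNameLen(u16)
 * | 14 TargetNameMaxLen(u16) | 16 TargetNameBufferOffset(u32) | 20 NegotiateFlags(u32)
 * | 24 ServerChallenge(8) | payload...   All integers little-endian. */

#define NTLM_TYPE_CHALLENGE 2u
#define NTLM_CHALLENGE_MIN  32u   /* fixed header through the 8-byte ServerChallenge */
#define SAMPLE_LEN          38u   /* constructed sample: 32-byte header + 6-byte target name */

struct ntlm_challenge {
    uint32_t       flags;
    uint8_t        server_challenge[8];
    const uint8_t *target_name;      /* points into the caller's message buffer */
    uint16_t       target_name_len;  /* bytes (UTF-16LE when the UNICODE flag is set) */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* A security buffer is valid only if it lies entirely inside msg[0..msg_len).
 * Two comparisons, so off + len can never wrap: the naive "off + len <= msg_len"
 * accepts off = 0xFFFFFFF8, len = 8 because the 32-bit sum is 0. */
static bool secbuf_in_bounds(uint32_t off, uint16_t len, size_t msg_len)
{
    return off <= msg_len && len <= msg_len - off;
}

bool ntlm_parse_challenge(const uint8_t *msg, size_t msg_len, struct ntlm_challenge *out)
{
    if (msg_len < NTLM_CHALLENGE_MIN) return false;        /* truncated: fixed fields lie past the end */
    if (memcmp(msg, "NTLMSSP", 8) != 0) return false;      /* 8 bytes: signature includes its NUL */
    if (rd32le(msg + 8) != NTLM_TYPE_CHALLENGE) return false;

    uint16_t name_len = rd16le(msg + 12);                  /* TargetNameLen; MaxLen at +14 is ignored on receive */
    uint32_t name_off = rd32le(msg + 16);                  /* TargetNameBufferOffset */
    if (!secbuf_in_bounds(name_off, name_len, msg_len)) return false;   /* the missing check */

    out->flags = rd32le(msg + 20);
    memcpy(out->server_challenge, msg + 24, 8);
    out->target_name     = msg + name_off;
    out->target_name_len = name_len;
    return true;
}

/* Build a constructed Type 2 message with the given TargetName length/offset fields,
 * then parse its first claimed_len bytes. Returns the accepted target-name length,
 * or -1 if the parser rejected the message. */
int check_constructed_challenge(uint16_t name_len, uint32_t name_off, size_t claimed_len)
{
    uint8_t msg[SAMPLE_LEN] = {0};
    memcpy(msg, "NTLMSSP", 8);
    wr32le(msg + 8, NTLM_TYPE_CHALLENGE);
    wr16le(msg + 12, name_len);
    wr16le(msg + 14, name_len);
    wr32le(msg + 16, name_off);
    wr32le(msg + 20, 0x00008201u);                          /* arbitrary constructed flags, not interpreted */
    memcpy(msg + 24, "\x01\x02\x03\x04\x05\x06\x07\x08", 8); /* arbitrary constructed challenge */
    memcpy(msg + 32, "S\0R\0V\0", 6);                       /* "SRV" in UTF-16LE */

    if (claimed_len > SAMPLE_LEN) claimed_len = SAMPLE_LEN;
    struct ntlm_challenge c;
    return ntlm_parse_challenge(msg, claimed_len, &c) ? (int)c.target_name_len : -1;
}

int main(void)
{
    printf("well-formed, name at 32 len 6      -> %d\n", check_constructed_challenge(6, 32, SAMPLE_LEN));
    printf("len 0xFFFF past end of message     -> %d\n", check_constructed_challenge(0xFFFF, 32, SAMPLE_LEN));
    printf("offset 0xFFFFFFF8 (sum wraps to 0) -> %d\n", check_constructed_challenge(8, 0xFFFFFFF8u, SAMPLE_LEN));
    printf("message truncated to 31 bytes      -> %d\n", check_constructed_challenge(6, 32, 31));
    return 0;
}
```

The three rejected cases map onto the advisory's wording: an oversized length or a wild offset makes the client read server-controlled distances past the packet (memory disclosure, or a crash when the read leaves mapped memory), and a truncated packet makes it read fixed fields that were never received. The same pattern applies to the optional TargetInfo buffer at offset 40 in longer messages.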
Cross-Ref: |
CVE-2009-0547
  BugTraq ID 33720: http://www.securityfocus.com/bid/33720
  Debian DSA-1813: http://www.debian.org/security/2009/dsa-1813
  Debian bug 508479: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508479
  Fedora: https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00666.html
  Fedora: https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00672.html
  Mandriva MDVSA-2009:078: http://www.mandriva.com/security/advisories?name=MDVSA-2009:078
  oss-security: http://openwall.com/lists/oss-security/2009/02/10/7
  OVAL oval:org.mitre.oval:def:9619: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9619
  Red Hat RHSA-2009:0354: http://www.redhat.com/support/errata/RHSA-2009-0354.html
  Red Hat RHSA-2009:0355: http://www.redhat.com/support/errata/RHSA-2009-0355.html
  Secunia 33848: http://secunia.com/advisories/33848
  Secunia 34338: http://secunia.com/advisories/34338
  Secunia 34339: http://secunia.com/advisories/34339
  Secunia 34363: http://secunia.com/advisories/34363
  Secunia 35357: http://secunia.com/advisories/35357
  Secunia 38915: http://secunia.com/advisories/38915
  SUSE-SR:2010:006: http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
  SUSE-SR:2010:011: http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
  SUSE-SR:2010:012: http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
  VUPEN ADV-2010-1107: http://www.vupen.com/english/advisories/2010/1107

CVE-2009-0582
  SecurityTracker 1021845: http://securitytracker.com/id?1021845
  BugTraq ID 34109: http://www.securityfocus.com/bid/34109
  Secunia 34286: http://secunia.com/advisories/34286
  Secunia 34348: http://secunia.com/advisories/34348
  Secunia 35065: http://secunia.com/advisories/35065
  Secunia 34338, 34339, 34363, 35357 (listed above)
  OSVDB 52673: http://osvdb.org/52673
  VUPEN ADV-2009-0716: http://www.vupen.com/english/advisories/2009/0716
  DSA-1813, FEDORA-2009-2784, FEDORA-2009-2792, MDVSA-2009:078, RHSA-2009:0354, RHSA-2009:0355 (listed above)
  Red Hat RHSA-2009:0358: http://www.redhat.com/support/errata/RHSA-2009-0358.html
  SUSE-SR:2009:010: http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html
  GNOME release-team, 20090312, "Another Evolution-Data-Server freeze break": http://mail.gnome.org/archives/release-team/2009-March/msg00096.html
  IBM X-Force 49233 (evolution-ntlmsasl-info-disclosure): https://exchange.xforce.ibmcloud.com/vulnerabilities/49233
  Red Hat Bugzilla 487685: https://bugzilla.redhat.com/show_bug.cgi?id=487685
  OVAL oval:org.mitre.oval:def:10081: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10081

CVE-2009-0587
  BugTraq, 20090312, "[oCERT-2008-015] glib and glib-predecessor heap overflows": http://www.securityfocus.com/archive/1/501712/100/0/threaded
  BugTraq ID 34100: http://www.securityfocus.com/bid/34100
  Secunia 34351: http://secunia.com/advisories/34351
  OSVDB 52702: http://osvdb.org/52702
  OSVDB 52703: http://osvdb.org/52703
  SUSE-SR:2010:012 (listed above)
  Ubuntu USN-733-1: http://www.ubuntu.com/usn/USN-733-1
  oss-security, 20090312, "[oCERT-2008-015] glib and glib-predecessor heap overflows": http://openwall.com/lists/oss-security/2009/03/12/2
  oCERT patch (camel): http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff
  oCERT patch (evc): http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff
  oCERT advisory ocert-2008-015: http://www.ocert.org/advisories/ocert-2008-015.html
  OVAL oval:org.mitre.oval:def:11385: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11385 |
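The Base64 flaw (CVE-2009-0587) in the Description above is an output-size computation problem: a Base64 encoder sizes its output buffer from the input length, and if that arithmetic can wrap, a large untrusted input produces a small allocation that the encoder then overruns on the heap. The C program below is an added illustration of that bug class next to a hardened version; it is not Evolution's or evolution-data-server's code, and the unchecked variant uses 32-bit lengths only so that the wrap is visible on any platform. The "Man" test vector is the RFC 4648 example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the CVE-2009-0587 bug class (not Evolution's code). */

/* Vulnerable pattern: derive the buffer size from the input length with no
 * range check. For in_len >= 0xFFFFFFFE, in_len + 2 wraps to 0 or 1, the
 * result is 1, malloc() hands back a tiny block, and the encoding loop then
 * writes roughly 4/3 * in_len bytes into it. */
uint32_t b64_encoded_len_unchecked(uint32_t in_len)
{
    return (in_len + 2) / 3 * 4 + 1;   /* +1 for the NUL terminator */
}

/* Hardened: returns the required buffer size, or 0 (never a valid size) when
 * the encoded length is not representable. The bound keeps in_len + 2, the
 * division and the multiplication all below SIZE_MAX. */
size_t b64_encoded_len_checked(size_t in_len)
{
    if (in_len > (SIZE_MAX - 4) / 4 * 3)
        return 0;
    return (in_len + 2) / 3 * 4 + 1;
}

static const char B64_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode in[0..in_len) into a freshly malloc'd, NUL-terminated string.
 * Returns NULL if the size check or malloc fails; the caller frees. */
char *b64_encode_safe(const uint8_t *in, size_t in_len)
{
    size_t out_len = b64_encoded_len_checked(in_len);
    if (out_len == 0)
        return NULL;
    char *out = malloc(out_len);
    if (out == NULL)
        return NULL;

    size_t o = 0;
    for (size_t i = 0; i < in_len; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < in_len) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < in_len) v |= (uint32_t)in[i + 2];
        out[o++] = B64_ALPHABET[(v >> 18) & 0x3F];
        out[o++] = B64_ALPHABET[(v >> 12) & 0x3F];
        out[o++] = (i + 1 < in_len) ? B64_ALPHABET[(v >> 6) & 0x3F] : '=';
        out[o++] = (i + 2 < in_len) ? B64_ALPHABET[v & 0x3F] : '=';
    }
    out[o] = '\0';   /* o == out_len - 1 by construction: the size and the loop agree */
    return out;
}

int main(void)
{
    printf("unchecked(3)          = %u\n", b64_encoded_len_unchecked(3));
    printf("unchecked(0xFFFFFFFE) = %u  <- wrapped: tiny allocation, heap overflow follows\n",
           b64_encoded_len_unchecked(0xFFFFFFFEu));
    printf("checked(SIZE_MAX)     = %zu <- rejected before allocating\n",
           b64_encoded_len_checked(SIZE_MAX));
    char *s = b64_encode_safe((const uint8_t *)"Man", 3);
    printf("b64(\"Man\")            = %s\n", s ? s : "(null)");
    free(s);
    return 0;
}
```

The point to carry over when reviewing any encoder or decoder: the size computation and the write loop must be derived from the same expression, and the computation must be proven not to wrap for every input length the caller can supply, since here the "large untrusted data block" is whatever a remote party attaches to a message.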
Copyright | Copyright (C) 2009 E-Soft Inc. |