CVE-2009-0547
Published: 12 February 2009
Evolution 2.22.3.1 checks S/MIME signatures against a copy of the e-mail text within a signed-data blob, not the copy of the e-mail text displayed to the user, which allows remote attackers to spoof a signature by modifying the latter copy, a different vulnerability than CVE-2008-5077.
Notes
| Author | Note |
|---|---|
| mdeslaur | Patch for CVE-2009-0547 introduces a regression. See links for fix. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
evolution-data-server Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| gutsy |
Ignored
(end of life, was needed)
|
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Ignored
(end of life, was needed)
|
|
| jaunty |
Not vulnerable
(2.26.1-0ubuntu2)
|
|
| karmic |
Not vulnerable
|
|
| lucid |
Not vulnerable
|
|
| maverick |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| upstream |
Released
(2.26.0)
|
|
|
Patches: upstream: http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=10106 upstream: http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=10194 |
||
References
Bugs
- http://bugzilla.gnome.org/show_bug.cgi?id=564465
- http://bugs.gentoo.org/show_bug.cgi?id=258867
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0547
- https://bugzilla.redhat.com/show_bug.cgi?id=492852
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508479
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533386