CVE-2018-15587

Publication date 11 February 2019

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

6.5 · Medium

Score breakdown

GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.

Read the notes from the security team

Status

Package Ubuntu Release Status
evolution 24.10 oracular
Fixed 3.31.90-1
24.04 LTS noble
Fixed 3.31.90-1
23.10 mantic
Fixed 3.31.90-1
23.04 lunar
Fixed 3.31.90-1
22.10 kinetic
Fixed 3.31.90-1
22.04 LTS jammy
Fixed 3.31.90-1
21.10 impish
Fixed 3.31.90-1
21.04 hirsute
Fixed 3.31.90-1
20.10 groovy
Fixed 3.31.90-1
20.04 LTS focal
Fixed 3.31.90-1
19.10 eoan
Fixed 3.31.90-1
19.04 disco
Fixed 3.31.90-1
18.10 cosmic Ignored end of life
18.04 LTS bionic
Vulnerable
16.04 LTS xenial
Vulnerable
14.04 LTS trusty Not in release
evolution-data-server 24.10 oracular
Fixed 3.31.90-1
24.04 LTS noble
Fixed 3.31.90-1
23.10 mantic
Fixed 3.31.90-1
23.04 lunar
Fixed 3.31.90-1
22.10 kinetic
Fixed 3.31.90-1
22.04 LTS jammy
Fixed 3.31.90-1
21.10 impish
Fixed 3.31.90-1
21.04 hirsute
Fixed 3.31.90-1
20.10 groovy
Fixed 3.31.90-1
20.04 LTS focal
Fixed 3.31.90-1
19.10 eoan
Fixed 3.31.90-1
19.04 disco
Fixed 3.31.90-1
18.10 cosmic
Fixed 3.30.5-0ubuntu0.18.10.1
18.04 LTS bionic
Fixed 3.28.5-0ubuntu0.18.04.2
16.04 LTS xenial
Fixed 3.18.5-1ubuntu1.2
14.04 LTS trusty Not in release

Notes


mdeslaur

looks like there are two issues here: #1- evolution shows security bar at bottom of message #2- mail that is not encrypted looks encrypted

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
evolution
evolution-data-server

Severity score breakdown

Parameter Value
Base score 6.5 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-3998-1
    • Evolution Data Server vulnerability
    • 30 May 2019

Other references