Mandriva Linux Security Advisory : evolution-data-server (MDVSA-2009:078)

high Nessus Plugin ID 37259

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Incorrect handling of signed Secure/Multipurpose Internet Mail Extensions (S/MIME) e-mail messages enables attackers to spoof their signatures by modifying the latter copy (CVE-2009-0547).

Crafted authentication challenge packets (NT LAN Manager type 2) sent by a malicious remote mail server enable remote attackers either to cause a denial of service or to read information from the process memory of the client (CVE-2009-0582).

Multiple integer overflows in Base64 encoding functions enable attackers either to cause a denial of service or to execute arbitrary code (CVE-2009-0587).

This update provides fixes for those vulnerabilities.

Update:

evolution-data-server packages from Mandriva Linux distributions 2008.1 and 2009.0 are not affected by CVE-2009-0587.

Solution

Update the affected packages.

Plugin Details

Severity: High

ID: 37259

File Name: mandriva_MDVSA-2009-078.nasl

Version: 1.18

Type: local

Published: 4/23/2009

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:libebackend0, p-cpe:/a:mandriva:linux:libedata-book2, p-cpe:/a:mandriva:linux:lib64edataserver11, p-cpe:/a:mandriva:linux:lib64edataserver9, p-cpe:/a:mandriva:linux:libgdata1, p-cpe:/a:mandriva:linux:libedataserver11, p-cpe:/a:mandriva:linux:libexchange-storage3, p-cpe:/a:mandriva:linux:libedataserverui8, p-cpe:/a:mandriva:linux:lib64ebook9, p-cpe:/a:mandriva:linux:lib64camel10, p-cpe:/a:mandriva:linux:lib64camel-provider10, p-cpe:/a:mandriva:linux:evolution-data-server, p-cpe:/a:mandriva:linux:lib64camel14, p-cpe:/a:mandriva:linux:lib64camel11, p-cpe:/a:mandriva:linux:libcamel10, p-cpe:/a:mandriva:linux:lib64camel-provider11, p-cpe:/a:mandriva:linux:libedataserver-devel, p-cpe:/a:mandriva:linux:lib64gdata1, p-cpe:/a:mandriva:linux:libegroupwise13, cpe:/o:mandriva:linux:2008.0, p-cpe:/a:mandriva:linux:lib64edataserver-devel, p-cpe:/a:mandriva:linux:lib64ebackend0, p-cpe:/a:mandriva:linux:libedataserver9, p-cpe:/a:mandriva:linux:lib64edataserverui8, p-cpe:/a:mandriva:linux:libecal7, p-cpe:/a:mandriva:linux:lib64ecal7, p-cpe:/a:mandriva:linux:lib64egroupwise13, p-cpe:/a:mandriva:linux:lib64exchange-storage3, p-cpe:/a:mandriva:linux:lib64edata-cal6, p-cpe:/a:mandriva:linux:libedata-cal6, p-cpe:/a:mandriva:linux:libebook9, p-cpe:/a:mandriva:linux:libcamel11, p-cpe:/a:mandriva:linux:libcamel14, p-cpe:/a:mandriva:linux:libcamel-provider11, p-cpe:/a:mandriva:linux:libcamel-provider10, cpe:/o:mandriva:linux:2008.1, p-cpe:/a:mandriva:linux:lib64edata-book2, cpe:/o:mandriva:linux:2009.0

Required KB Items: Host/Mandrake/rpm-list, Host/local_checks_enabled, Host/cpu, Host/Mandrake/release

Exploit Ease: No known exploits are available

Patch Publication Date: 3/23/2009

Reference Information

CVE: CVE-2009-0547, CVE-2009-0582, CVE-2009-0587

BID: 33720, 34100, 34109

CWE: 189, 20, 310

MDVSA: 2009:078