Security update for evolution-data-server

Announcement ID:	SUSE-SU-2021:0949-1
Rating:	moderate
References:	bsc#1173910 bsc#1174712 bsc#1182882
Cross-References:	CVE-2020-14928 CVE-2020-16117
CVSS scores:	CVE-2020-14928 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2020-14928 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-16117 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-16117 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Workstation Extension 15 SP2

An update that solves two vulnerabilities and has one security fix can now be installed.

Description:

This update for evolution-data-server fixes the following issues:

• CVE-2020-16117: Fix crash on malformed server response with minimal capabilities (bsc#1174712).
• CVE-2020-14928: Response injection via STARTTLS in SMTP and POP3 (bsc#1173910).
• Fix buffer overrun when parsing base64 data (bsc#1182882).

This update for evolution-ews fixes the following issue:

• Fix buffer overrun when parsing base64 data (bsc#1182882).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Workstation Extension 15 SP2
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-949=1

Package List:

• SUSE Linux Enterprise Workstation Extension 15 SP2 (x86_64)
  • typelib-1_0-Camel-1_2-3.34.4-3.3.1
  • libebook-contacts-1_2-3-debuginfo-3.34.4-3.3.1
  • evolution-data-server-devel-3.34.4-3.3.1
  • typelib-1_0-EDataServerUI-1_2-3.34.4-3.3.1
  • typelib-1_0-ECal-2_0-3.34.4-3.3.1
  • libebackend-1_2-10-debuginfo-3.34.4-3.3.1
  • typelib-1_0-EBookContacts-1_2-3.34.4-3.3.1
  • evolution-ews-debuginfo-3.34.4-3.3.1
  • libebackend-1_2-10-3.34.4-3.3.1
  • libedataserverui-1_2-2-debuginfo-3.34.4-3.3.1
  • libebook-1_2-20-3.34.4-3.3.1
  • libedata-cal-2_0-1-3.34.4-3.3.1
  • libecal-2_0-1-debuginfo-3.34.4-3.3.1
  • libedata-cal-2_0-1-debuginfo-3.34.4-3.3.1
  • libebook-contacts-1_2-3-3.34.4-3.3.1
  • typelib-1_0-EDataServer-1_2-3.34.4-3.3.1
  • libcamel-1_2-62-debuginfo-3.34.4-3.3.1
  • libebook-1_2-20-debuginfo-3.34.4-3.3.1
  • libedataserverui-1_2-2-3.34.4-3.3.1
  • evolution-ews-3.34.4-3.3.1
  • evolution-ews-debugsource-3.34.4-3.3.1
  • libedataserver-1_2-24-debuginfo-3.34.4-3.3.1
  • evolution-data-server-3.34.4-3.3.1
  • typelib-1_0-EBook-1_2-3.34.4-3.3.1
  • libecal-2_0-1-3.34.4-3.3.1
  • evolution-data-server-debuginfo-3.34.4-3.3.1
  • libedata-book-1_2-26-debuginfo-3.34.4-3.3.1
  • libcamel-1_2-62-3.34.4-3.3.1
  • libedataserver-1_2-24-3.34.4-3.3.1
  • evolution-data-server-debugsource-3.34.4-3.3.1
  • libedata-book-1_2-26-3.34.4-3.3.1
• SUSE Linux Enterprise Workstation Extension 15 SP2 (noarch)
  • evolution-data-server-lang-3.34.4-3.3.1
  • evolution-ews-lang-3.34.4-3.3.1

References:

• https://www.suse.com/security/cve/CVE-2020-14928.html
• https://www.suse.com/security/cve/CVE-2020-16117.html
• https://bugzilla.suse.com/show_bug.cgi?id=1173910
• https://bugzilla.suse.com/show_bug.cgi?id=1174712
• https://bugzilla.suse.com/show_bug.cgi?id=1182882