Executive Summary
Summary | |
---|---|
Title | Evolution vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-166-1 | First vendor Publication | 2005-08-11 |
Vendor | Ubuntu | Last vendor Modification | 2005-08-11 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: evolution The problem can be corrected by upgrading the affected package to version 2.0.2-0ubuntu2.3 (for Ubuntu 4.10), or 2.2.1.1-0ubuntu4.2 (for Ubuntu 5.04). After performing a standard system upgrade you need to restart Evolution to effect the necessary changes. Details follow: Ulf Harnhammar disovered several format string vulnerabilities in Evolution. By tricking an user into viewing a specially crafted vCard attached to an email, specially crafted contact data from an LDAP server, specially crafted task lists from remote servers, or saving Calendar entries with this malicious task list data, it was possible for an attacker to execute arbitrary code with the privileges of the user running Evolution. In addition, this update fixes a Denial of Service vulnerability in the mail attachment parser. This could be exploited to crash Evolution by tricking an user into opening a malicious email with a specially crafted attachment file name. This does only affect the Ubuntu 4.10 version, the Evolution package shipped with Ubuntu 5.04 is not affected. (CAN-2005-0806) |
Original Source
Url : http://www.ubuntu.com/usn/USN-166-1 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10532 | |||
Oval ID: | oval:org.mitre.oval:def:10532 | ||
Title: | Evolution 2.0.3 allows remote attackers to cause a denial of service (application crash or hang) via crafted messages, possibly involving charsets in attachment filenames. | ||
Description: | Evolution 2.0.3 allows remote attackers to cause a denial of service (application crash or hang) via crafted messages, possibly involving charsets in attachment filenames. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-0806 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10880 | |||
Oval ID: | oval:org.mitre.oval:def:10880 | ||
Title: | Format string vulnerability in Evolution 1.4 through 2.3.6.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the calendar entries such as task lists, which are not properly handled when the user selects the Calendars tab. | ||
Description: | Format string vulnerability in Evolution 1.4 through 2.3.6.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the calendar entries such as task lists, which are not properly handled when the user selects the Calendars tab. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-2550 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9553 | |||
Oval ID: | oval:org.mitre.oval:def:9553 | ||
Title: | Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) full vCard data, (2) contact data from remote LDAP servers, or (3) task list data from remote servers. | ||
Description: | Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) full vCard data, (2) contact data from remote LDAP servers, or (3) task list data from remote servers. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-2549 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2008-09-24 | Name : Gentoo Security Advisory GLSA 200508-12 (evolution) File : nvt/glsa_200508_12.nasl |
2008-09-04 | Name : FreeBSD Ports: evolution File : nvt/freebsd_evolution0.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1016-1 (evolution) File : nvt/deb_1016_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
18690 | GNOME Evolution Calendar Tab Task List Data Format String |
18689 | GNOME Evolution Task List Data Remote Format String Evolution contains a flaw that may allow a malicious user to execute arbitrary code. The issue is due to an unspecified format string flaw related to the display of task list data from remote servers. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity. |
18688 | GNOME Evolution LDAP Server Contact Data Remote Format String Evolution contains a flaw that may allow a malicious user to execute arbitrary code. The issue is related to an unspecified format string flaw in the display of LDAP contact data. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity. |
18687 | GNOME Evolution vCard Attachment Format String |
14577 | Ximian Evolution Email Attachment Saturation DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2007-01-08 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2005-397.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1016.nasl - Type : ACT_GATHER_INFO |
2006-07-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2005-267.nasl - Type : ACT_GATHER_INFO |
2006-05-13 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_e5afdf63174611da978e0001020eed82.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-166-1.nasl - Type : ACT_GATHER_INFO |
2005-10-05 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-141.nasl - Type : ACT_GATHER_INFO |
2005-10-05 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2005_054.nasl - Type : ACT_GATHER_INFO |
2005-09-12 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-338.nasl - Type : ACT_GATHER_INFO |
2005-08-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-267.nasl - Type : ACT_GATHER_INFO |
2005-08-23 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200508-12.nasl - Type : ACT_GATHER_INFO |
2005-08-18 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-743.nasl - Type : ACT_GATHER_INFO |
2005-05-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-397.nasl - Type : ACT_GATHER_INFO |
2005-03-17 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-059.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:01:11 |
|