Synopsis:	Moderate: evolution-data-server security update
Issue date:	2009-03-16
CVE Names:	CVE-2009-0547 CVE-2009-0582 CVE-2009-0587

Evolution Data Server did not properly check the Secure/Multipurpose
Internet Mail Extensions (S/MIME) signatures used for public key 
encryption and signing of e-mail messages. An attacker could use this 
flaw to spoof a signature by modifying the text of the e-mail message 
displayed to the user. (CVE-2009-0547)

It was discovered that Evolution Data Server did not properly validate 
NTLM (NT LAN Manager) authentication challenge packets. A malicious 
server using NTLM authentication could cause an application using 
Evolution Data Server to disclose portions of its memory or crash during 
user authentication. (CVE-2009-0582)

Multiple integer overflow flaws which could cause heap-based buffer
overflows were found in the Base64 encoding routines used by Evolution 
Data Server. This could cause an application using Evolution Data Server 
to crash, or, possibly, execute an arbitrary code when large untrusted 
data blocks were Base64-encoded. (CVE-2009-0587)

All running instances of Evolution Data Server and applications using it 
(such as Evolution) must be restarted for the update to take effect.

SL 5.x

     SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
     i386:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
evolution-data-server-doc-1.12.3-10.el5_3.3.i386.rpm
     x86_64:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
evolution-data-server-1.12.3-10.el5_3.3.x86_64.rpm
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
evolution-data-server-devel-1.12.3-10.el5_3.3.x86_64.rpm
evolution-data-server-doc-1.12.3-10.el5_3.3.x86_64.rpm

-Connie Sieh
-Troy Dawson