Bug 1609916 (CVE-2016-10727)
| Summary: | CVE-2016-10727 evolution-data-server: IMAPx Component Information Disclosure | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alexl, caillon+fedoraproject, john.j5live, lpardo, mbarnes, mcrha, rhughes, rstrode, sandmann |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | evolution-data-server 3.21.2 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-09-05 11:35:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1609918 | ||
|
Description
Laura Pardo
2018-07-30 19:39:19 UTC
I'm sorry, but what is this bug supposed to serve for, please? It doesn't make any sense to me to file a bug for a thing which had been fixed more than two years ago, while Fedora supports only ~13 months back. What am I missing here, please? (In reply to Milan Crha from comment #1) > I'm sorry, but what is this bug supposed to serve for, please? It doesn't > make any sense to me to file a bug for a thing which had been fixed more > than two years ago, while Fedora supports only ~13 months back. What am I > missing here, please? Hi Milan, Fedora is not affected by this issue, as noted in fedora-all/evolution-data-server=notaffected. However, I still need to file this for the remaining platforms that ships this package. I see. If I read the white board properly, then it says only: rhel-7/evolution-data-server=affected and all the others are not affected. RHEL 7.4 contains evolution-data-server-3.22.7, which had the upstream fix included, thus unless you aim even lower, this had been addressed in RHEL 7 ~a year ago, thus it's not affected now too. Am I right? RHEL 7.3 had evolution-data-server-3.12.11, which would be affected, not being of bug #1265684, whose changes included that upstream fix as one of the side effects. Maybe RHEL 7.2 is affected, it also contains 3.12.11. In reply to comment 3: > I see. If I read the white board properly, then it says only: > rhel-7/evolution-data-server=affected > and all the others are not affected. RHEL 7.4 contains > evolution-data-server-3.22.7, which had the upstream fix included, thus > unless you aim even lower, this had been addressed in RHEL 7 ~a year ago, > thus it's not affected now too. Am I right? > > RHEL 7.3 had evolution-data-server-3.12.11, which would be affected, not > being of bug #1265684, whose changes included that upstream fix as one of > the side effects. > > Maybe RHEL 7.2 is affected, it also contains 3.12.11. Yes, this was fixed by https://access.redhat.com/errata/RHBA-2016:2206 Regrading the whiteboard, we need to set it to "affected" since RHEL-7.2 is still affected and also due to proper errata link being displayed on CVE page. Statement: This issue did not affect the versions of evolution-data-server as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include the vulnerable code. |