Description of problem: After updating from F14 to F15, the IMAP component tried to authenticate as plain text over a non-SSL connection when storing to the Sent folder. Even though my IMAP connection is configured as SSL (and the server also supports TLS). For some reason, in the Defaults pref tab, the Sent folder was reset to use the local one instead of the one on the IMAP server (which was correctly configured in F14). This leads to possible password disclose... so its a security problem... Version-Release number of selected component (if applicable): evolution-3.0.1-1.fc15.x86_64 How reproducible: Always... until I re-selected the IMAP folder in Defaults.. then it was gone.
Hi, Olivier, thank you for your report. (In reply to comment #0) > How reproducible: > > Always... until I re-selected the IMAP folder in Defaults.. then it was gone. So when you configured the IMAP account to use SSL/TLS alternative, the Defaults pref tab contained Sent folder for the remote server? IOW got it I right, that this was reset without user action / consciousness? Also, under 'until I re-selecated the IMAP folder in Defaults' you mean, you set it back in Defaults tab to be the Sent folder on the remote server machine, right? Or you mean just clicking on it? Thank you, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
In Evo 2.32 I had selected the remote folder, so it was still selected when upgrading to 3.0. But it tried to connect to the server over a non-SSL (sending my username/password without SSL). I only realised there was a problem because our Dovecot server only allows upgrading to TLS over a non-SSL connection. I went into the Defaults tab, clicked on the button, re-selected the remote folder from the list (I think something else was selected, not sure). And clicked Ok, after doing that, it seemed to fix itself.
Upstream bug report: [1] https://bugzilla.gnome.org/show_bug.cgi?id=648277 Upstream fix: [2] http://git.gnome.org/browse/evolution-data-server/commit/?id=e0ac4d79705c
*** Bug 697904 has been marked as a duplicate of this bug. ***
CVE Request: [3] http://www.openwall.com/lists/oss-security/2011/09/09/1
Created evolution tracking bugs for this issue Affects: fedora-15 [bug 737106]
This issue did NOT affect the versions of the evolution and evolution28 packages, as shipped with Red Hat Enterprise Linux 4. This issue did NOT affect the versions of the evolution package, as shipped with Red Hat Enterprise Linux 5 and 6.
Statement: Not vulnerable. This issue did not affect the versions of evolution as shipped with Red Hat Enterprise Linux 4, 5, or 6. This issue did not affect the version of evolution28 as shipped with Red Hat Enterprise Linux 4.
This was assigned the name CVE-2011-3355.