Evolution Exchange Web Services can silently ignore *all* certificate errors if configured to ignore an initial error in gnome-online-accounts creation. This renders transport security worse than zero as it does not even indicate (logs or UI) that a questionable certificate was presented, leaving the connection open to being viewed and modified. Upstream issue: https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
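The difference between a blanket "ignore" setting and an exception scoped to one certificate, as an added example that is not part of the original report and is not evolution-ews code. All names (`trust_exception`, `check_blanket`, `check_scoped`), the host and the fingerprints are hypothetical, and binding the exception to host plus fingerprint is an assumption about one common way to scope it, not a description of the upstream patch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model: a trust exception the user granted while
 * creating the account. */
struct trust_exception {
    const char *host;        /* host the exception was granted for */
    const char *fingerprint; /* digest of the exact certificate accepted */
};

enum verdict { ACCEPT, REJECT };

/* Flawed pattern described in the report: once an exception exists,
 * every later certificate error is accepted and nothing is logged. */
enum verdict check_blanket(const struct trust_exception *ex, unsigned tls_errors,
                           const char *host, const char *fingerprint)
{
    (void)host; (void)fingerprint;
    if (tls_errors == 0)
        return ACCEPT;
    return ex ? ACCEPT : REJECT;
}

/* Scoped pattern: the exception covers only the certificate and host the
 * user actually accepted; anything else is rejected and logged. */
enum verdict check_scoped(const struct trust_exception *ex, unsigned tls_errors,
                          const char *host, const char *fingerprint)
{
    if (tls_errors == 0)
        return ACCEPT;
    if (ex && strcmp(ex->host, host) == 0 &&
        strcmp(ex->fingerprint, fingerprint) == 0)
        return ACCEPT;
    fprintf(stderr, "TLS: rejecting %s, errors=0x%x, fingerprint=%s\n",
            host, tls_errors, fingerprint);
    return REJECT;
}

int main(void)
{
    /* Constructed sample values. */
    struct trust_exception ex = { "mail.example.test", "aa:bb:cc" };
    /* A different certificate shows up later on the same host. */
    printf("blanket: %d\n", check_blanket(&ex, 0x1, "mail.example.test", "de:ad:be"));
    printf("scoped:  %d\n", check_scoped(&ex, 0x1, "mail.example.test", "de:ad:be"));
    return 0;
}
```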
Created evolution-ews tracking bugs for this issue: Affects: fedora-all [bug 1678314]
Thanks for the bug report. The upstream bug had been marked as a duplicate of an older bug there. I'd prefer not to duplicate the work here, also because the upstream changes are not tested yet and because the change requires changes on the evolution-data-server side as well. I'd commit it to the stable version already otherwise.
Upstream patch: https://gitlab.gnome.org/GNOME/evolution-ews/commit/915226eca9454b8b3e5adb6f2fff9698451778de https://gitlab.gnome.org/GNOME/evolution-data-server/commit/6672b8236139bd6ef41ecb915f4c72e2a052dba5
Upstream issue: https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
According to https://gitlab.gnome.org/GNOME/evolution-ews/issues/27, evolution-ews does not validate the SSL certificate at all.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3699 https://access.redhat.com/errata/RHSA-2019:3699
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3890
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1080 https://access.redhat.com/errata/RHSA-2020:1080