MDKSA-2005:141 - Updated evolution packages fixes format string vulnerabilities

[Mandriva Security Team <security@xxxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           evolution
 Advisory ID:            MDKSA-2005:141
 Date:                   August 17th, 2005

 Affected versions:	 10.1, 10.2, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1
 allow remote attackers to cause a denial of service (crash) and possibly 
 execute arbitrary code via (1) full vCard data, (2) contact data from 
 remote LDAP servers, or (3) task list data from remote servers.
 (CAN-2005-2549)
 
 A format string vulnerability in Evolution 1.4 through 2.3.6.1 allows 
 remote attackers to cause a denial of service (crash) and possibly
 execute arbitrary code via the calendar entries such as task lists,
 which are not properly handled when the user selects the Calendars tab.
 (CAN-2005-2550)
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2549
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2550
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.1:
 c86139b16f34105eb0fb2bfb3ecc4bdf  10.1/RPMS/evolution-2.0.3-1.4.101mdk.i586.rpm
 3f7164577e567be0f7ee93ed12d3de13  10.1/RPMS/evolution-devel-2.0.3-1.4.101mdk.i586.rpm
 7005876e3443b028a65258b25b1eeadf  10.1/RPMS/evolution-pilot-2.0.3-1.4.101mdk.i586.rpm
 29601b950c1fb806f48275da174a0721  10.1/SRPMS/evolution-2.0.3-1.4.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 7fbb271d2c863d2ae1623c434157bed2  x86_64/10.1/RPMS/evolution-2.0.3-1.4.101mdk.x86_64.rpm
 99d8f4c56967e45c2d5e6a8ed11c5f0c  x86_64/10.1/RPMS/evolution-devel-2.0.3-1.4.101mdk.x86_64.rpm
 52bfc378433fe224a0aa8ac4784a5ab1  x86_64/10.1/RPMS/evolution-pilot-2.0.3-1.4.101mdk.x86_64.rpm
 29601b950c1fb806f48275da174a0721  x86_64/10.1/SRPMS/evolution-2.0.3-1.4.101mdk.src.rpm

 Mandrakelinux 10.2:
 5a37a9c724ff1d5eae934f6f45aaf607  10.2/RPMS/evolution-2.0.4-3.1.102mdk.i586.rpm
 a6822e000c563fb6c025b3aa5cf24a76  10.2/RPMS/evolution-devel-2.0.4-3.1.102mdk.i586.rpm
 9476496c8d82bb59be375b93315fd1be  10.2/RPMS/evolution-pilot-2.0.4-3.1.102mdk.i586.rpm
 b306dba4c9525c4be261903f5bca83e0  10.2/SRPMS/evolution-2.0.4-3.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 a6072f366802d6e983312850d3048579  x86_64/10.2/RPMS/evolution-2.0.4-3.1.102mdk.x86_64.rpm
 90fb55af1fc3a40cac030a63156b2a31  x86_64/10.2/RPMS/evolution-devel-2.0.4-3.1.102mdk.x86_64.rpm
 a07bade72ae8bc6c82d46680937f0bf5  x86_64/10.2/RPMS/evolution-pilot-2.0.4-3.1.102mdk.x86_64.rpm
 b306dba4c9525c4be261903f5bca83e0  x86_64/10.2/SRPMS/evolution-2.0.4-3.1.102mdk.src.rpm

 Corporate 3.0:
 b4fe8df7fe51f54129606ed4e81a2a33  corporate/3.0/RPMS/evolution-1.4.6-5.2.C30mdk.i586.rpm
 b1596ec712f2f3bde7b0e7c4a9e1409f  corporate/3.0/RPMS/evolution-devel-1.4.6-5.2.C30mdk.i586.rpm
 60068cc6987dccb19f6586cbd5e74949  corporate/3.0/RPMS/evolution-pilot-1.4.6-5.2.C30mdk.i586.rpm
 736e517b243c4a3b9d57970b7e6a2e71  corporate/3.0/SRPMS/evolution-1.4.6-5.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 cd590782c6bba4a33fb55ed231ec940b  x86_64/corporate/3.0/RPMS/evolution-1.4.6-5.2.C30mdk.x86_64.rpm
 197aca690c2e893732ed72d6298a46b0  x86_64/corporate/3.0/RPMS/evolution-devel-1.4.6-5.2.C30mdk.x86_64.rpm
 4c734a5c04be55664fb086fa6a56a5d2  x86_64/corporate/3.0/RPMS/evolution-pilot-1.4.6-5.2.C30mdk.x86_64.rpm
 736e517b243c4a3b9d57970b7e6a2e71  x86_64/corporate/3.0/SRPMS/evolution-1.4.6-5.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDBAXZmqjQ0CJFipgRAobfAJ0cdWHj65EXJ5LacGvHgVfZyPRKOwCeNrsr
i92EJnRTyl8UmcKSntPrgqU=
=eD6K
-----END PGP SIGNATURE-----