安全公告详情

NS-SA-2020-0114

2020-12-08 09:15:39

简介

important: xerces-c/evolution-data-server security update

严重级别

important

主题

An update for xerces-c/evolution-data-server is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

xerces-c: Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards: XML 1.0 (Third Edition), XML 1.1 (First Edition), DOM Level 1, 2, 3 Core, DOM Level 2.0 Traversal and Range, DOM Level 3.0 Load and Save, SAX 1.0 and SAX 2.0, Namespaces in XML, Namespaces in XML 1.1, XML Schema, XML Inclusions).
evolution-data-server: The evolution-data-server package provides a unified backend for programs that work with contacts, tasks, and calendar information. It was originally developed for Evolution (hence the name), but is now used by other packages.


Security Fix(es):
xerces-c: A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that process XML documents with an external Document Type Definition (DTD) may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted XML file that would crash the application or potentially lead to arbitrary code execution.(CVE-2018-1311)
xerces-c: bugfix
evolution-data-server: It was discovered evolution-ews does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference.(CVE-2019-3890)
evolution-data-server: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F9B3.

影响组件

  • xerces-c
  • evolution-data-server

影响产品

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

更新包

{"fix":[{"product":"CGSL MAIN 5.05","pkgs":[{"binary":["xerces-c-3.1.1-10.el7_7.x86_64.rpm","xerces-c-debuginfo-3.1.1-10.el7_7.x86_64.rpm","xerces-c-devel-3.1.1-10.el7_7.x86_64.rpm","xerces-c-doc-3.1.1-10.el7_7.noarch.rpm"],"source":"xerces-c-3.1.1-10.el7_7.src.rpm"},{"binary":["evolution-data-server-3.28.5-4.el7.x86_64.rpm","evolution-data-server-debuginfo-3.28.5-4.el7.x86_64.rpm","evolution-data-server-doc-3.28.5-4.el7.noarch.rpm","evolution-data-server-devel-3.28.5-4.el7.x86_64.rpm","evolution-data-server-langpacks-3.28.5-4.el7.noarch.rpm","evolution-data-server-perl-3.28.5-4.el7.x86_64.rpm","evolution-data-server-tests-3.28.5-4.el7.x86_64.rpm"],"source":"evolution-data-server-3.28.5-4.el7.src.rpm"}]},{"product":"CGSL CORE 5.05","pkgs":[{"binary":["xerces-c-3.1.1-10.el7_7.x86_64.rpm","xerces-c-debuginfo-3.1.1-10.el7_7.x86_64.rpm","xerces-c-devel-3.1.1-10.el7_7.x86_64.rpm","xerces-c-doc-3.1.1-10.el7_7.noarch.rpm"],"source":"xerces-c-3.1.1-10.el7_7.src.rpm"},{"binary":["evolution-data-server-3.28.5-4.el7.x86_64.rpm","evolution-data-server-devel-3.28.5-4.el7.x86_64.rpm","evolution-data-server-doc-3.28.5-4.el7.noarch.rpm","evolution-data-server-perl-3.28.5-4.el7.x86_64.rpm","evolution-data-server-tests-3.28.5-4.el7.x86_64.rpm","evolution-data-server-langpacks-3.28.5-4.el7.noarch.rpm","evolution-data-server-debuginfo-3.28.5-4.el7.x86_64.rpm"],"source":"evolution-data-server-3.28.5-4.el7.src.rpm"}]}]}

CVE

参考