PT-2009-6713 · Gnome+2 · Evolution Data Server+4
Tomas Hoger
Published 1970-01-01 · Updated 2017-09-29
CVE-2009-0582
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
libedataserverui1.2-8
libedataserver1.2-7
libedataserverui1.2-6
libedataserver1.2-9
libedataserver1.2-dev
libgdata1.2-1
libgdata1.2-dev
Evolution Data Server versions 2.24.5 and earlier, and 2.25.x versions up to and including 2.25.92
Description
This record covers multiple vulnerabilities in Evolution Data Server and related packages in Debian GNU/Linux. They can breach the confidentiality, integrity, and availability of protected information and can be exploited remotely. Specifically, the ntlm_challenge function of the NTLM SASL authentication mechanism does not check that a length field in the challenge packet is consistent with the amount of data actually received. A remote mail server can therefore send an NTLM authentication type 2 packet with an excessive length value and either read information from the client's process memory or cause a denial of service in the client.
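As an added illustration, not code from Evolution Data Server or from this advisory, the following C program parses the fixed header of an NTLM type 2 challenge and applies the consistency check the description says was missing: the target-name security buffer (length and offset) must lie entirely within the bytes actually received, otherwise the packet is rejected before anything is read. The layout follows the public NTLMSSP type 2 format; the sample packets are constructed for this example, and the function, type and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of a type 2 message: signature, type, target-name security
 * buffer, flags and the 8-byte server challenge. Hypothetical constant name. */
#define NTLM_TYPE2_MIN_LEN 32

typedef struct {
    const uint8_t *target_name;   /* points into the packet, never past its end */
    uint16_t target_name_len;     /* bytes, UTF-16LE when NEGOTIATE_UNICODE is set */
    uint32_t flags;
    uint8_t challenge[8];
} ntlm_type2_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, a negative code describing why the packet was rejected. */
int ntlm_parse_type2(const uint8_t *buf, size_t len, ntlm_type2_t *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (len < NTLM_TYPE2_MIN_LEN) return -2;          /* header truncated */
    if (memcmp(buf, "NTLMSSP\0", 8) != 0) return -3;   /* bad signature */
    if (rd32(buf + 8) != 2) return -4;                 /* not a type 2 message */

    uint16_t name_len = rd16(buf + 12);                /* security buffer: len */
    uint32_t name_off = rd32(buf + 16);                /* security buffer: offset */

    /* The check at the heart of the advisory: the server-supplied length and
     * offset are untrusted, so they must be validated against the number of
     * bytes we really hold. The subtraction form cannot overflow. */
    if (name_len > 0) {
        if (name_off < NTLM_TYPE2_MIN_LEN) return -5;  /* payload must follow the header */
        if ((size_t)name_off > len || (size_t)name_len > len - name_off) return -6;
    }

    out->target_name = name_len ? buf + name_off : NULL;
    out->target_name_len = name_len;
    out->flags = rd32(buf + 20);
    memcpy(out->challenge, buf + 24, 8);
    return 0;
}

/* Constructed sample: well-formed challenge, target name "SERVER" in UTF-16LE
 * at offset 32, flags 0x201 (UNICODE | NTLM), a fixed 8-byte challenge. */
static const uint8_t sample_ok[] = {
    'N','T','L','M','S','S','P',0,  0x02,0x00,0x00,0x00,
    0x0c,0x00, 0x0c,0x00, 0x20,0x00,0x00,0x00,
    0x01,0x02,0x00,0x00,
    0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
    'S',0,'E',0,'R',0,'V',0,'E',0,'R',0
};

/* Constructed sample: identical, except the target-name length claims 4096
 * bytes while only 12 follow the header. A parser that trusts the field would
 * read far past the packet; this one returns -6. */
static const uint8_t sample_oversized[] = {
    'N','T','L','M','S','S','P',0,  0x02,0x00,0x00,0x00,
    0x00,0x10, 0x00,0x10, 0x20,0x00,0x00,0x00,
    0x01,0x02,0x00,0x00,
    0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
    'S',0,'E',0,'R',0,'V',0,'E',0,'R',0
};

int main(void)
{
    ntlm_type2_t t;
    int rc = ntlm_parse_type2(sample_ok, sizeof sample_ok, &t);
    printf("well-formed packet: rc=%d, target name %u bytes at +%u\n",
           rc, (unsigned)t.target_name_len, (unsigned)(t.target_name - sample_ok));
    rc = ntlm_parse_type2(sample_oversized, sizeof sample_oversized, &t);
    printf("oversized length field: rc=%d (rejected)\n", rc);
    rc = ntlm_parse_type2(sample_ok, 20, &t);
    printf("truncated packet: rc=%d (rejected)\n", rc);
    return 0;
}
```

Requiring the offset to be at least the fixed header size is a deliberately conservative choice for a client-side parser: it rejects buffers that would alias the header, which a genuine server never sends. The same pattern applies to the optional target-info security buffer at bytes 40 to 47 when the message is at least 48 bytes long.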
Recommendations
For Evolution Data Server versions 2.24.5 and earlier, and 2.25.x versions up to and including 2.25.92, update to a version that addresses these vulnerabilities.
For libedataserverui1.2-8, libedataserver1.2-7, libedataserverui1.2-6, libedataserver1.2-9, libedataserver1.2-dev, libgdata1.2-1, libgdata1.2-dev, consider updating to the latest available versions or patches provided by Debian GNU/Linux to mitigate the risk.
As a temporary workaround, consider restricting access to NTLM authentication mechanisms until a patch is available.
Until the issue is resolved, avoid NTLM authentication against untrusted mail servers, since the malformed type 2 packet with an excessive length value is sent by the server to the client.
At the moment, there is no information about a newer version that contains a fix for this vulnerability in some of the affected packages.
Fix · DoS · RCE
Affected Products
Debian
Evolution Data Server
Red Hat
Libedataserverui1.2
Libgdata1.2