|
|
Log in / Subscribe / Register

Debian alert DLA-4503-1 (evolution-data-server)



From:
              Thorsten Alteholz <debian@alteholz.de>


To:
              debian-lts-announce@lists.debian.org


Subject:
              [SECURITY] [DLA 4503-1] evolution-data-server security update


Date:
              Thu, 19 Mar 2026 18:59:16 +0000


Message-ID:
              <a2e62219-a4f-525-d651-fbb1913efea@alteholz.de>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4503-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
March 19, 2026                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : evolution-data-server
Version        : 3.38.3-1+deb11u3
CVE ID         : CVE-2026-2604


An issue has been found in evolution-data-server, an evolution database 
backend server.
A Flatpak application with D-Bus access to the addressbook service can 
delete arbitrary files on the host, potentially including Flatpak override 
files. This fix canonicalizes the file path before performing a prefix 
comparison, ensuring that ../ sequences are resolved.


For Debian 11 bullseye, this problem has been fixed in version
3.38.3-1+deb11u3.

We recommend that you upgrade your evolution-data-server packages.

For the detailed security status of evolution-data-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/evolution-dat...

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmm8R4RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEflVRAAtmvqY/8GUvNMPuOBEecwh+uWyqLlACEMKZXgBTJWpAbf2t/WltEjht5i
Jx/Dm8pVhJ88UOJSWDeZPPj8IzyT4eTCeggmtJ54O8x+TdX6qB3xsxchBMiE1mYA
g3glwithQhKK8LPHi9Pu0ApLj4kbrU8oSaF9A6nPbJoESYdaSX9d6Bp0cbR8LiAh
ZmGt//laYBFqZvhHHb+T5IM18qH18xaOIgUPqlErDappLWCcf0YPb8HBEsoQ7vP1
T3mi9ARM+/D0LXkowewS9QLC1jgjgbGE/t0YJY9NN+R8I+1tj7xDm2IMjgVCxclQ
leTc8R1wB7Axxe7PMaZcX7DaeZVQxd+I5w+KogEnCD2Aw/BSE8v5zBzNdpuOOOTd
T9uStFz78SOU41pffWJLHq7jSvrr0GlF5YM6w80L0D2xt1t2twVVeUEL1MJOBVCf
xy1+mC5ZKYQ+OjBzLVzO8t66C1G2YR2L/t+vuh43AVIMWGCeSB3LojLiqzdG21oz
3K6khVjv1bBRJJwfmY4hHAqqVkafFNOaj0j54VPLPcaw1kTYJ3wYr+IisGNniv5S
6lnLKPPajsr7VGZHrB4A02SfyCYglSCoFyebZZL046vxabrRvQJnIem9nZVgktt+
xhyCPGzIaiiNQoXLcoodIVKRKe4QvsTPemHS3RlM1QZYcnuRjsg=
=xkIm
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds