diff -Nru evolution-data-server-3.18.5/debian/changelog evolution-data-server-3.18.5/debian/changelog
--- evolution-data-server-3.18.5/debian/changelog 2016-02-23 12:06:20.000000000 +0000
+++ evolution-data-server-3.18.5/debian/changelog 2018-07-25 17:48:23.000000000 +0000
@@ -1,3 +1,14 @@
+evolution-data-server (3.18.5-1ubuntu1.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Unexpected STARTTLS downgrade
+ - debian/patches/CVE-2016-10727.patch: When a user has setup the STARTTLS
+ encryption method, but the server doesn't support it, then an error should
+ be shown to the user, instead of using unsecure connection. In
+ camel/providers/imapx/camel-imax-server.c
+ - CVE-2016-10727
+
+ -- Mike Salvatore Wed, 25 Jul 2018 09:13:51 -0400
+
 evolution-data-server (3.18.5-1ubuntu1) xenial; urgency=medium
 
 * Merge with Debian, remaining Ubuntu changes:
diff -Nru evolution-data-server-3.18.5/debian/patches/CVE-2016-10727.patch evolution-data-server-3.18.5/debian/patches/CVE-2016-10727.patch
--- evolution-data-server-3.18.5/debian/patches/CVE-2016-10727.patch 1970-01-01 00:00:00.000000000 +0000
+++ evolution-data-server-3.18.5/debian/patches/CVE-2016-10727.patch 2018-07-25 13:10:01.000000000 +0000
@@ -0,0 +1,52 @@
+From f26a6f672096790d0bbd76903db4c9a2e44f116b Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Tue, 10 May 2016 21:44:11 +0200
+Subject: [PATCH] [IMAPx] 'STARTTLS not supported' error ignored
+
+When a user has setup the STARTTLS encryption method, but the server doesn't
+support it, then an error should be shown to the user, instead of using
+unsecure connection. There had been two bugs in the existing code which
+prevented this error from being used and the failure properly reported.
+
+This had been filled at:
+https://bugzilla.redhat.com/show_bug.cgi?id=1334842
+---
+ camel/providers/imapx/camel-imapx-server.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/camel/providers/imapx/camel-imapx-server.c b/camel/providers/imapx/camel-imapx-server.c
+index 60ebf08e6..0aa108a8c 100644
+--- a/camel/providers/imapx/camel-imapx-server.c
++++ b/camel/providers/imapx/camel-imapx-server.c
+@@ -2680,7 +2680,6 @@ imapx_connect_to_server (CamelIMAPXServer *is,
+ gboolean use_shell_command;
+ gboolean success = TRUE;
+ gchar *host;
+- GError *local_error = NULL;
+ 
+ store = camel_imapx_server_ref_store (is);
+ 
+@@ -2716,6 +2715,7 @@ imapx_connect_to_server (CamelIMAPXServer *is,
+ if (connection != NULL) {
+ GInputStream *input_stream;
+ GOutputStream *output_stream;
++ GError *local_error = NULL;
+ 
+ /* Disable the Nagle algorithm with TCP_NODELAY, since IMAP
+ * commands should be issued immediately even we've not yet
+@@ -2812,10 +2812,11 @@ connected:
+ if (CAMEL_IMAPX_LACK_CAPABILITY (is->priv->cinfo, STARTTLS)) {
+ g_mutex_unlock (&is->priv->stream_lock);
+ g_set_error (
+- &local_error, CAMEL_ERROR,
++ error, CAMEL_ERROR,
+ CAMEL_ERROR_GENERIC,
+ _("Failed to connect to IMAP server %s in secure mode: %s"),
+ host, _("STARTTLS not supported"));
++ success = FALSE;
+ goto exit;
+ } else {
+ g_mutex_unlock (&is->priv->stream_lock);
+--
+2.17.1
+
diff -Nru evolution-data-server-3.18.5/debian/patches/series evolution-data-server-3.18.5/debian/patches/series
--- evolution-data-server-3.18.5/debian/patches/series 2016-02-23 12:06:20.000000000 +0000
+++ evolution-data-server-3.18.5/debian/patches/series 2018-07-25 13:10:01.000000000 +0000
@@ -1 +1,2 @@
 01-noinst-libedbus-private.patch
+CVE-2016-10727.patch