[SECURITY] [DLA 4503-1] evolution-data-server security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4503-1] evolution-data-server security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Thu, 19 Mar 2026 18:59:16 +0000 (UTC)
Message-id: <[🔎] a2e62219-a4f-525-d651-fbb1913efea@alteholz.de>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4503-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
March 19, 2026                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : evolution-data-server
Version        : 3.38.3-1+deb11u3
CVE ID         : CVE-2026-2604

An issue has been found in evolution-data-server, an evolution databasebackend server.A Flatpak application with D-Bus access to the addressbook service candelete arbitrary files on the host, potentially including Flatpak overridefiles. This fix canonicalizes the file path before performing a prefixcomparison, ensuring that ../ sequences are resolved.



For Debian 11 bullseye, this problem has been fixed in version
3.38.3-1+deb11u3.

We recommend that you upgrade your evolution-data-server packages.

For the detailed security status of evolution-data-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/evolution-data-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmm8R4RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEflVRAAtmvqY/8GUvNMPuOBEecwh+uWyqLlACEMKZXgBTJWpAbf2t/WltEjht5i
Jx/Dm8pVhJ88UOJSWDeZPPj8IzyT4eTCeggmtJ54O8x+TdX6qB3xsxchBMiE1mYA
g3glwithQhKK8LPHi9Pu0ApLj4kbrU8oSaF9A6nPbJoESYdaSX9d6Bp0cbR8LiAh
ZmGt//laYBFqZvhHHb+T5IM18qH18xaOIgUPqlErDappLWCcf0YPb8HBEsoQ7vP1
T3mi9ARM+/D0LXkowewS9QLC1jgjgbGE/t0YJY9NN+R8I+1tj7xDm2IMjgVCxclQ
leTc8R1wB7Axxe7PMaZcX7DaeZVQxd+I5w+KogEnCD2Aw/BSE8v5zBzNdpuOOOTd
T9uStFz78SOU41pffWJLHq7jSvrr0GlF5YM6w80L0D2xt1t2twVVeUEL1MJOBVCf
xy1+mC5ZKYQ+OjBzLVzO8t66C1G2YR2L/t+vuh43AVIMWGCeSB3LojLiqzdG21oz
3K6khVjv1bBRJJwfmY4hHAqqVkafFNOaj0j54VPLPcaw1kTYJ3wYr+IisGNniv5S
6lnLKPPajsr7VGZHrB4A02SfyCYglSCoFyebZZL046vxabrRvQJnIem9nZVgktt+
xhyCPGzIaiiNQoXLcoodIVKRKe4QvsTPemHS3RlM1QZYcnuRjsg=
=xkIm
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4502-1] ansible security update
Next by Date: [SECURITY] [DLA 4504-1] libvirt security update
Previous by thread: [SECURITY] [DLA 4502-1] ansible security update
Next by thread: [SECURITY] [DLA 4504-1] libvirt security update
Index(es):
- Date
- Thread