Hi,

We have a system running on Debian 10 with Nginx v1.14.2 and GNOME Evolution 
v3.30.5-1.1 installed along with other packages.


  1.  Security Vulnerability with Nginx v1.14.2:

THREAT:
According to the nginx download page (http://nginx.org/en/download.html), Nginx 
1.14.x is no longer supported and will not be getting regular patches.

IMPACT:
The system is at high risk of being exposed to security vulnerabilities because 
the vendor no longer provides updates.

SOLUTION:
Upgrading to the latest version of NGINX would resolve this vulnerability.



  2.  Security Vulnerability with GNOME Evolution v3.30.5-1.1:

THREAT:
GNOME Evolution is prone to an information disclosure vulnerability. Using the 
proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other 
source of mailto links) can make Evolution attach local files or directories 
to a composed email message without showing a warning to the user, as 
demonstrated by an attach=. value.
Affected Version:
GNOME Evolution before 3.35.91

IMPACT:
Successful exploitation of this issue will lead to information disclosure.

SOLUTION:
Upgrading to 3.35.91 or to the latest version of GNOME Evolution 
(http://www.gnome.org/projects/evolution/) would resolve this Vulnerability.


When can we expect the latest versions of Nginx and GNOME Evolution to be 
available in Debian 10?


Thanks,
Revanth.
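
A defensive check for the mailto behaviour described in the report above, as an added example that is not part of the original message: it scans text or HTML for mailto links that carry the attach field. The function names and the sample HTML are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Header field named in the report as the proprietary, non-RFC 6068 extension.
FLAGGED_FIELDS = {"attach"}

# Rough matcher for mailto URIs in text or HTML (assumption: adequate for
# triage of pages and mail bodies, not a full HTML parser).
MAILTO_RE = re.compile(r"mailto:[^\s\"'<>]*", re.IGNORECASE)


def inspect_mailto(uri):
    """Return (field, decoded_value) pairs for flagged fields in one mailto URI."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        return []
    hits = []
    # parse_qsl percent-decodes names and values, so an encoded field name
    # such as "%61ttach" is normalised before the comparison.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.strip().lower() in FLAGGED_FIELDS:
            hits.append((name.strip().lower(), value))
    return hits


def scan_text(text):
    """Find mailto URIs in text or HTML and return those with flagged fields."""
    findings = []
    # Undo HTML entity escaping first so "&amp;attach=" is seen as "&attach=".
    for match in MAILTO_RE.finditer(html.unescape(text)):
        hits = inspect_mailto(match.group(0))
        if hits:
            findings.append({"uri": match.group(0), "fields": hits})
    return findings


# Constructed sample input, not taken from any real site.
SAMPLE_HTML = """
<a href="mailto:sales@example.org?subject=Quote">Ask for a quote</a>
<a href="mailto:help@example.org?subject=Hi&amp;attach=.">Contact support</a>
<a href="mailto:?%61ttach=.">Share</a>
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_HTML):
        print(finding["uri"], finding["fields"])
```
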
