| Summary: | perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, ouaurelien, shlomif, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm, perl-Email-MIME-1.946.0-3.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-06-09 22:11:54 CEST
Comment 0 is for perl-Email-MIME-ContentType. perl-Email-MIME is part of this too. The issue is fixed in 1.949 there: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/ Summary:
perl-Email-MIME-ContentType new DoS security issue =>
perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue No evident maintainer, so assigning globally. CCing Shlomi as the registered person. Assignee:
bugsquad =>
pkg-bugs
David Walser
2020-12-28 18:35:42 CET
Status comment:
(none) =>
Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType) Updated versions on their way to updates_testing for mga7 Status:
NEW =>
ASSIGNED Advisory: ======================== Updated perl-Email-MIME and perl-Email-MIME-ContentType packages fix security vulnerability: Messages with too many tiny nested MIME parts can lead to memory exhaustion on split(), resulting in denial of service (rhbz#1835353). This update limits the number of nested MIME parts to 10 (by default), to avoid a possible memory exhaustion issue with lots of tiny MIME parts. References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/ ======================== Updated packages in core/updates_testing: ======================== perl-Email-MIME-1.949.0-3.1.mga7 perl-Email-MIME-ContentType-1.24.0-3.1.mga7 from SRPMS: perl-Email-MIME-1.949.0-3.1.mga7.src.rpm perl-Email-MIME-ContentType-1.24.0-3.1.mga7.src.rpm Status comment:
Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType) =>
(none) Looked back for a previous bug on these packages, found nothing. "urpmq --whatrequires" shows Bugzilla is about the only app that uses the packages. Testing Bugzilla in a way to be sure that these particular packages would be used is far beyond my capabilities, so I'm opting for a clean install. Installed perl-Email-MIME and its dependencies, which included perl-Email-MIME-ContentType. No installation issues. Used QA Repo to get the two packages to be updated, then proceeded to Mageia Update, to see this: The following 3 packages are going to be installed: - perl-Email-MIME-1.949.0-3.1.mga7.noarch - perl-Email-MIME-ContentType-1.24.0-3.1.mga7.noarch - perl-Text-Unidecode-1.300.0-3.mga7.noarch Assuming the third package is a new dependency, I installed all three. Again, no installation issues. I'm going to OK this, and validate. If this is not good enough, please feel free to hold it back. Advisory in Comment 4. CC:
(none) =>
andrewsfarm, sysadmin-bugs Advisory commited to SVN. CC:
(none) =>
ouaurelien An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0078.html Status:
ASSIGNED =>
RESOLVED |