| Summary: | perl-Email-MIME new security issue CVE-2024-4140 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | perl-Email-MIME-1.953.0-1.mga9.src.rpm | CVE: | CVE-2024-4140 |
| Status comment: | |||
|
Description
Nicolas Salguero
2024-05-28 08:53:56 CEST
Nicolas Salguero
2024-05-28 08:54:17 CEST
Source RPM: (none) => perl-Email-MIME-1.953.0-1.mga9.src.rpm

Suggested advisory:
========================

The updated package fixes a security vulnerability:

An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts. (CVE-2024-4140)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFD5BWGYAVLW6IO4SUNLTJCFFLHZYQGT/
========================

Updated package in core/updates_testing:
========================
perl-Email-MIME-1.954.0-1.mga9

from SRPM:
perl-Email-MIME-1.954.0-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
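The mitigation named in the advisory above (capping nesting depth and the total number of parts while walking a multipart message), as an added example that is not part of this bug report and is not Email::MIME's own code. The limit values and every name in it are assumptions chosen for illustration.

```python
import re

# Assumed, illustrative limits; not taken from the page or from Email::MIME.
MAX_DEPTH = 10    # deepest multipart nesting that will be followed
MAX_PARTS = 100   # total parts accepted across the whole message

class MimeLimitExceeded(ValueError):
    """Raised when a message exceeds the nesting or part-count limit."""

def _boundary(head):
    """Return the multipart boundary from a header block, or None for a leaf."""
    head = re.sub(r"\n[ \t]+", " ", head)            # unfold continuation lines
    ctype = re.search(r"^content-type:\s*multipart/.*$", head, re.I | re.M)
    if not ctype:
        return None
    m = re.search(r'boundary\s*=\s*(?:"([^"]+)"|([^\s;]+))', ctype.group(0), re.I)
    return (m.group(1) or m.group(2)) if m else None

def count_parts(entity, depth=0, budget=None):
    """Count leaf parts, checking both limits before recursing or storing more."""
    if budget is None:                               # top-level call
        budget = [MAX_PARTS]                         # shared across all recursion
        entity = entity.replace("\r\n", "\n")
    if depth > MAX_DEPTH:
        raise MimeLimitExceeded(f"nesting deeper than {MAX_DEPTH}")
    head, _, body = entity.partition("\n\n")
    boundary = _boundary(head)
    if boundary is None:
        return 1                                     # not multipart: one leaf
    delim, parts, current = "--" + boundary, [], None
    for line in body.split("\n"):
        s = line.rstrip()
        if s in (delim, delim + "--"):
            if current is not None:
                parts.append("\n".join(current))
            current = None
            if s != delim:                           # closing delimiter reached
                break
            budget[0] -= 1                           # one more part is starting
            if budget[0] < 0:
                raise MimeLimitExceeded(f"more than {MAX_PARTS} parts")
            current = []
        elif current is not None:
            current.append(line)
    if current is not None:                          # truncated before the close
        parts.append("\n".join(current))
    return sum(count_parts(p, depth + 1, budget) for p in parts)
```

The part budget is one counter shared by every level, so a message cannot stay under the cap per container while exceeding it in total.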
katnatek
2024-05-28 20:03:17 CEST
Keywords: (none) => advisory

LC_ALL=C urpmi perl-Email-MIME
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
perl-Email-Address 1.913.0 1.mga9 noarch
perl-Email-MIME 1.953.0 1.mga9 noarch
perl-Email-MIME-ContentType 1.28.0 1.mga9 noarch
perl-Email-MIME-Encodings 1.317.0 1.mga9 noarch
perl-Email-MessageID 1.408.0 1.mga9 noarch
perl-Text-Unidecode 1.300.0 5.mga9 noarch
939KB of additional disk space will be used.
297KB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-Address-1.913.0-1.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Text-Unidecode-1.300.0-5.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-MIME-1.953.0-1.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-MIME-ContentType-1.28.0-1.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-MessageID-1.408.0-1.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Email-MIME-Encodings-1.317.0-1.mga9.noarch.rpm
installing perl-Email-Address-1.913.0-1.mga9.noarch.rpm perl-Text-Unidecode-1.300.0-5.mga9.noarch.rpm perl-Email-MIME-1.953.0-1.mga9.noarch.rpm perl-Email-MessageID-1.408.0-1.mga9.noarch.rpm perl-Email-MIME-ContentType-1.28.0-1.mga9.noarch.rpm perl-Email-MIME-Encodings-1.317.0-1.mga9.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ##################################################################################################
1/6: perl-Email-MIME-Encodings
##################################################################################################
2/6: perl-Text-Unidecode ##################################################################################################
3/6: perl-Email-MIME-ContentType
##################################################################################################
4/6: perl-Email-Address ##################################################################################################
5/6: perl-Email-MessageID ##################################################################################################
6/6: perl-Email-MIME ##################################################################################################
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing perl-Email-MIME-1.954.0-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: perl-Email-MIME ##################################################################################################
1/1: removing perl-Email-MIME-1.953.0-1.mga9.noarch
##################################################################################################
Give OK in base clean update https://bugs.mageia.org/show_bug.cgi?id=26757

CC: (none) => andrewsfarm

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0198.html

Resolution: (none) => FIXED |