A CVE was requested for an issue fixed in ruby-mail 2.6.0: http://openwall.com/lists/oss-security/2015/12/11/3
The commit to fix the issue is linked in the message above.
Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
OpenSuSE has issued an advisory for this today (January 11): http://lists.opensuse.org/opensuse-updates/2016-01/msg00013.html
The patch they used in this update can be found here: https://build.opensuse.org/package/show/openSUSE:13.2:Update/rubygem-mail
URL: (none) => http://lwn.net/Vulnerabilities/671471/
ruby-mail-2.6.3-1.mga6 uploaded for Cauldron for Pascal. Patched package uploaded for Mageia 5.

Advisory:
========================

Updated ruby-mail packages fix security vulnerability:

The Mail library does not impose a length limit on email addresses, so an attacker can send a long spam message via a recipient address unless there is a limit on the application's side. The attacker-injected message in the recipient address is processed by the server. This type of vulnerability can be a real threat in inquiry forms, member signup forms, or any other application that delivers an email to a user-specified email address (bsc#959129).

References:
http://openwall.com/lists/oss-security/2015/12/11/3
http://lists.opensuse.org/opensuse-updates/2016-01/msg00013.html
========================

Updated packages in core/updates_testing:
========================
ruby-mail-2.5.4-9.1.mga5
ruby-mail-doc-2.5.4-9.1.mga5

from ruby-mail-2.5.4-9.1.mga5.src.rpm
Whiteboard: MGA5TOO => (none)
Assignee: fundawang => qa-bugs
Version: Cauldron => 5
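The advisory above says the attack works "unless there is a limit on the application's side". The following is an added example of such an application-side check, written for this page; it is not code from the ruby-mail project, from the openSUSE patch, or from the test script attached in this bug. It runs without the mail gem. The limits used are the RFC 5321 maxima (64 octets for the local part, 255 for the domain, 256 for the whole forward-path including the angle brackets), and the sample addresses, including the over-long and header-injecting ones, are constructed for the demonstration.

```ruby
# Application-side validation of a user-supplied recipient address,
# performed before the address is handed to Mail / SMTP.
# Added example; not part of the ruby-mail library or its fix.

# RFC 5321 size limits (octets).
MAX_LOCAL_PART = 64
MAX_DOMAIN     = 255
MAX_ADDRESS    = 254   # 256-octet forward-path minus the "<" and ">"

# Returns [accepted, reason]. Rejects, in order: empty or badly encoded
# input, control characters (CR/LF would let the caller inject further
# SMTP commands or header lines), whitespace, over-long addresses, and
# anything that is not exactly one "local@domain" with a dotted domain.
def check_recipient(addr)
  s = addr.to_s.dup.force_encoding('UTF-8')
  return [false, 'empty'] if s.empty?
  return [false, 'bad encoding'] unless s.valid_encoding?
  return [false, 'control characters'] if s.match?(/[\x00-\x1f\x7f]/)
  return [false, 'whitespace'] if s.match?(/\s/)
  return [false, 'too long'] if s.bytesize > MAX_ADDRESS

  local, domain, extra = s.split('@')
  if domain.nil? || extra || local.empty? || domain.empty?
    return [false, 'not a single user@domain']
  end
  return [false, 'local part too long'] if local.bytesize > MAX_LOCAL_PART
  return [false, 'domain too long'] if domain.bytesize > MAX_DOMAIN
  unless domain.match?(/\A[a-z0-9-]+(\.[a-z0-9-]+)+\z/i)
    return [false, 'bad domain']
  end
  [true, 'ok']
end

# Filters a list of candidate recipients, keeping only the accepted ones.
def safe_recipients(addrs)
  addrs.select { |a| check_recipient(a).first }
end

# Constructed sample input for the demonstration (not real addresses).
SAMPLES = [
  'user@example.com',                                        # normal
  ('x' * 300) + '@example.com',                              # spam text stuffed into the address
  "victim@example.com\r\nRCPT TO:<other@example.com>",       # CRLF injection attempt
  'a@b@c.com',                                               # two "@"
  ('x' * 70) + '@example.com',                               # local part over 64 octets
  'a@localhost',                                             # no dotted domain
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |a|
    ok, why = check_recipient(a)
    printf("%-8s %-22s %s\n", ok ? 'accept' : 'reject', why, a[0, 40].inspect)
  end
end
```

The length check is deliberately made before the address is parsed or passed to the library, so a patched or unpatched Mail gem sees only addresses that already fit the SMTP limits; the control-character check closes the header and command injection path that a bare length limit would leave open.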
MGA5-32 Xfce on Acer D620. No installation issues. I don't feel tempted to dive into ruby to put together some testcase; googling a minute didn't bring me any further. If the upper powers agree, then OK for me.
CC: (none) => herman.viaene
I will try to put together a test script for this but it will not be before tomorrow. If it works I shall attach it and you can run it. There seems to be a built-in test facility. Later.
CC: (none) => tarazed25
Created attachment 7345 [details] SMTP/Google test of ruby Mail class Basic script for a user to send an email message back to self. It is a bit specific and requires a username and password on the command line.
@Herman I have uploaded a test script which simply transmits a message back to the user via gmail and SMTP. You can override the SMTP setting by uncommenting the 'test' setting in the code. If you are not using Google you might have to fiddle around with the SMTP settings, referring to the embedded URL which documents these things. I am a bit out of my depth here. In a browser the notes on SMTP can be found in the Class list index on the left. You would have to edit the SMTP section of the script to set the password for the user.

Call the script whatever you like, e.g. mailtest.

$ chmod +x mailtest
<edit where necessary>
$ ./mailtest <user email address> <password>

or

$ ruby mailtest <email address> <password at Google or wherever>

I ran it before updating and picked up the email in Thunderbird a few seconds later. Check the source and you see that the message id has been changed. I hope it works for you.
Ignore the line in comment #6 about "You would have to edit the SMTP section....."
Since the 64-bit test succeeded for me I am going to pass it.
Whiteboard: (none) => MGA5-64-OK
mga5 i586 vbox Mate. Installed the update candidate and sent an email to myself via Gmail and received it in Thunderbird on another machine. Used the test script to exercise ruby-mail.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
advisory added to svn
CC: (none) => tmb
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0019.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED