Bug 22473 - apache-commons-email new security issue CVE-2018-1294
Summary: apache-commons-email new security issue CVE-2018-1294
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-01-27 12:01 CET by David Walser
Modified: 2018-02-25 00:26 CET
CC List: 4 users

See Also:
Source RPM: apache-commons-email-1.3.1-11.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-01-27 12:01:43 CET
Upstream has issued an advisory on January 26:
http://openwall.com/lists/oss-security/2018/01/26/5

The issue is fixed in 1.5.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-01-27 12:02:07 CET

Whiteboard: (none) => MGA6TOO

David Walser 2018-02-02 18:32:25 CET

Status comment: (none) => Fixed upstream in 1.5

Comment 1 David Walser 2018-02-10 21:29:22 CET
openSUSE has issued an advisory for this on February 6:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00015.html
Comment 2 David Walser 2018-02-16 21:29:14 CET
Fedora has issued an advisory for this on February 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6BK3RDWBGNZHZ6LDJ34DAWVCBE2UGUE3/
Comment 3 David GEIGER 2018-02-18 03:51:39 CET
Done for Cauldron and also for mga6!

CC: (none) => geiger.david68210

Comment 4 David Walser 2018-02-18 04:25:24 CET
Thanks David!

Advisory:
========================

Updated apache-commons-email packages fix security vulnerability:

Apache Commons-Email, from version 1.0 to 1.4 inclusive, does not properly
validate bounce addresses. If a user of Commons-Email (typically an application
programmer) passes unvalidated input as the so-called "Bounce Address", and that
input contains line-breaks, then the email details (recipients, contents, etc.)
might be manipulated (CVE-2018-1294).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1294
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6BK3RDWBGNZHZ6LDJ34DAWVCBE2UGUE3/
========================

Updated packages in core/updates_testing:
========================
apache-commons-email-1.5-1.mga6
apache-commons-email-javadoc-1.5-1.mga6

from apache-commons-email-1.5-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Status comment: Fixed upstream in 1.5 => (none)
Assignee: java => qa-bugs
Severity: normal => major
Version: Cauldron => 6
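
As an added example (not code from this bug report or from Commons Email itself), the input check an application could place in front of setBounceAddress() while still on an affected 1.0 to 1.4 build: any bounce address carrying a line break or other control character is refused before the value reaches the library, and what remains must parse as a single bare mailbox. It assumes commons-email and JavaMail (javax.mail) on the classpath; the class name, host name and sample addresses are constructed placeholders.

```java
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public final class BounceAddressGuard {
    /**
     * Returns the address if it is one syntactically valid mailbox with no
     * control characters; throws AddressException otherwise. Constructed guard.
     */
    public static String validateBounceAddress(String candidate) throws AddressException {
        if (candidate == null) {
            throw new AddressException("bounce address is null");
        }
        // CR, LF and any other control character are refused outright: a line
        // break is exactly what the advisory describes as the dangerous input.
        for (int i = 0; i < candidate.length(); i++) {
            if (Character.isISOControl(candidate.charAt(i))) {
                throw new AddressException("control character in bounce address", candidate, i);
            }
        }
        // Strict RFC 822 parse; require exactly one mailbox and no display name.
        InternetAddress[] parsed = InternetAddress.parse(candidate, true);
        if (parsed.length != 1 || parsed[0].getPersonal() != null) {
            throw new AddressException("expected a single bare mailbox", candidate);
        }
        parsed[0].validate();
        return parsed[0].getAddress();
    }

    /** Builds a message, applying the guard before the value reaches Commons Email. */
    public static Email buildMessage(String bounceInput) throws EmailException, AddressException {
        Email email = new SimpleEmail();
        email.setHostName("smtp.example.org");   // placeholder SMTP host
        email.setFrom("noreply@example.org");
        email.addTo("user@example.org");
        email.setSubject("Account notice");
        email.setMsg("Hello.");
        email.setBounceAddress(validateBounceAddress(bounceInput));
        return email;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the first is accepted, the second (embedded line break) rejected.
        String[] inputs = { "bounces@example.org", "bounces@example.org\nother@example.org" };
        for (String in : inputs) {
            try {
                buildMessage(in);
                System.out.println("accepted: " + in);
            } catch (AddressException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```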

Comment 5 Herman Viaene 2018-02-22 11:09:32 CET
MGA6-32 on Dell Latitude D600 Mate
No installation issues.
Ref to bug 21435 OK'ing on clean install.
Checked at least thunderbird is not disturbed. OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 6 Dave Hodgins 2018-02-24 20:19:04 CET
Advisory committed to svn. Validating based on above test.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2018-02-25 00:26:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0136.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
