Fedora has issued an advisory on June 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/
The issue is fixed upstream in 1.24.
Comment 0 is for perl-Email-MIME-ContentType. perl-Email-MIME is part of this too. The issue is fixed in 1.949 there:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/
Summary: perl-Email-MIME-ContentType new DoS security issue => perl-Email-MIME, perl-Email-MIME-ContentType new DoS security issue
Source RPM: perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm => perl-Email-MIME-ContentType-1.22.0-3.mga7.src.rpm, perl-Email-MIME-1.946.0-3.mga7.src.rpm
No evident maintainer, so assigning globally. CCing Shlomi as the registered person.
CC: (none) => shlomif
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType)
Updated versions on their way to updates_testing for mga7
CC: (none) => bruno
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Advisory:
========================

Updated perl-Email-MIME and perl-Email-MIME-ContentType packages fix security vulnerability:

Messages with too many tiny nested MIME parts can lead to memory exhaustion on split(), resulting in denial of service (rhbz#1835353).

This update limits the number of nested MIME parts to 10 (by default), to avoid a possible memory exhaustion issue with lots of tiny MIME parts.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/
========================

Updated packages in core/updates_testing:
========================
perl-Email-MIME-1.949.0-3.1.mga7
perl-Email-MIME-ContentType-1.24.0-3.1.mga7

from SRPMS:
perl-Email-MIME-1.949.0-3.1.mga7.src.rpm
perl-Email-MIME-ContentType-1.24.0-3.1.mga7.src.rpm
Status comment: Fixed upstream in 1.949 (Email::MIME) and 1.24 (Email::MIME::ContentType) => (none)
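
Added example, not part of the bug thread and not Email::MIME's own code: a Python standard-library sketch of the kind of nesting cap the advisory describes, usable as a pre-screen in a mail pipeline in front of a consumer that has not been updated yet. The function names, the definition of "depth" as the number of multipart containers around the innermost part, and the constructed sample messages are assumptions of this example; only the default of 10 comes from the advisory.

```python
from email import message_from_bytes
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_DEPTH = 10  # default limit stated in the advisory


def nesting_depth(msg: Message) -> int:
    """Return the deepest level of MIME nesting (0 for a single-part message).

    Uses an explicit stack instead of recursion so that the check itself
    cannot be driven into deep recursion by the input.
    """
    deepest = 0
    stack = [(msg, 0)]
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if part.is_multipart():
            # For multipart (and message/rfc822) parts the payload is a list
            # of sub-messages.
            for child in part.get_payload():
                stack.append((child, depth + 1))
    return deepest


def within_limit(raw: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """True if the raw message nests no deeper than max_depth."""
    return nesting_depth(message_from_bytes(raw)) <= max_depth


def build_nested(levels: int) -> bytes:
    """Constructed sample: one text part wrapped in `levels` multipart/mixed containers."""
    part = MIMEText("hi")
    for _ in range(levels):
        outer = MIMEMultipart("mixed")
        outer.attach(part)
        part = outer
    return part.as_bytes()


if __name__ == "__main__":
    for levels in (0, 3, 10, 11):
        raw = build_nested(levels)
        print(levels, nesting_depth(message_from_bytes(raw)), within_limit(raw))
```
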