Date: Wed, 25 Apr 2012 21:49:29 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>, mikel@...nteractive.net
Subject: Re: CVE request: two flaws fixed in rubygem-mail 2.4.4

On 04/25/2012 03:06 PM, Vincent Danen wrote:
> 
> Two flaws were corrected in rubygem-mail version 2.4.4:
> 
> A file system traversal in file_delivery method [1].
> [1] https://github.com/mikel/mail/commit/29aca25218e4c82991400eb9b0c933626aefc98f

Please use CVE-2012-2139 for this issue.


> Arbitrary command execution when using exim or sendmail from the
> commandline [2],[3].
> [2] https://github.com/mikel/mail/commit/36b7fa23d38cb59dd79b7efa258ef0e7ddab5a11
> [3] https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2

Please use CVE-2012-2140 for this issue.

> Other references:
> 
> https://bugzilla.novell.com/show_bug.cgi?id=759092 
> https://bugzilla.redhat.com/show_bug.cgi?id=816352
> 
> Could two CVEs be assigned for these flaws please?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
