Date: Wed, 18 Jun 2014 07:19:15 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org, rjbs@...n.org, bastian.blank@...dativ.de, team@...urity.debian.org, gregoa@...ian.org Subject: CVE-2014-0477: Email::Address: Denial-of-Service in Email::Address::parse Hi Bastian Blank reported a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation. Email::Address::parse uses significant time on parsing empty quoted string, as allowed by RFC 2822. CVE-2014-0477 was assigned to reference this issue. Bastian Blank suggested a fix which was applied upstream as  contained in a new upstream version 1.905 which contain additional commits to avoid slowdowns.  https://metacpan.org/release/Email-Address  https://github.com/rjbs/Email-Address/commit/83f8306117115729ac9346523762c0c396251eb5  https://github.com/rjbs/Email-Address/blob/master/Changes Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ