Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 18 Jun 2014 07:19:15 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, rjbs@...n.org, bastian.blank@...dativ.de,
	team@...urity.debian.org, gregoa@...ian.org
Subject: CVE-2014-0477: Email::Address: Denial-of-Service in
 Email::Address::parse

Hi

Bastian Blank reported a denial of service vulnerability in
Email::Address, a Perl module for RFC 2822 address parsing and
creation[1]. Email::Address::parse uses significant time on parsing
empty quoted string, as allowed by RFC 2822.

CVE-2014-0477 was assigned to reference this issue.

Bastian Blank suggested a fix which was applied upstream as [2]
contained in a new upstream version 1.905[3] which contain additional
commits to avoid slowdowns.

 [1] https://metacpan.org/release/Email-Address
 [2] https://github.com/rjbs/Email-Address/commit/83f8306117115729ac9346523762c0c396251eb5
 [3] https://github.com/rjbs/Email-Address/blob/master/Changes

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ