Date: Tue, 01 Aug 2017 20:31:29 +0200
From: Stefan Bodewig <bodewig@...che.org>
To: dev@...mons.apache.org, user@...mons.apache.org, announce@...che.org, A.Williams.9@...wick.ac.uk, security@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: CVE-2017-9801: Apache Commons Email SMTP header injection vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2017-9801: Apache Commons Email SMTP header injection vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Email 1.0 to 1.4.

Description:
When a call-site passes a subject for an email that contains
line-breaks, the caller can add arbitrary SMTP headers.

Mitigation:
Users should upgrade to Commons Email 1.5.
You can mitigate this vulnerability for older versions of Commons
Email by stripping line-breaks from the subject before passing it to
the setSubject(String) method.
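
The following is an added example, not code from this advisory or from
Commons Email itself: a small Java helper that detects a subject carrying
line breaks and applies the mitigation recommended above for 1.0 to 1.4
(strip the line breaks before the value reaches setSubject(String)). The
class name SubjectGuard, the renderHeaderLines method and the sample
addresses are assumptions used only to show how a naive header block
splits apart; they are not the library's code.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

/**
 * Added example (not part of the advisory or of Commons Email): guard for
 * user-supplied subjects. Shows why an embedded line break matters and
 * applies the advisory's mitigation for Commons Email 1.0 to 1.4.
 */
public final class SubjectGuard {

    // A run of CR and/or LF characters; each one would end the Subject
    // header line and start a new header in the rendered message.
    private static final Pattern LINE_BREAK = Pattern.compile("[\\r\\n]+");

    private SubjectGuard() {
    }

    /** Detection: true when the subject cannot be emitted as a single header line. */
    public static boolean containsLineBreak(String subject) {
        return subject != null && LINE_BREAK.matcher(subject).find();
    }

    /** Mitigation: collapse every run of line breaks into one space, then trim. */
    public static String sanitize(String subject) {
        if (subject == null) {
            return null;
        }
        return LINE_BREAK.matcher(subject).replaceAll(" ").trim();
    }

    /**
     * Naive header rendering: "Name: value" terminated by CRLF, with the
     * subject inserted verbatim. This models what goes wrong when a value
     * carries its own line breaks; it is an assumption, not the library's code.
     */
    static String[] renderHeaderLines(String subject) {
        String block = "From: noreply@example.invalid\r\n"
                     + "To: user@example.invalid\r\n"
                     + "Subject: " + subject + "\r\n";
        return block.split("\r\n");
    }

    public static void main(String[] args) {
        // Constructed input: a subject with an embedded line break.
        String untrusted = "Invoice 42\r\nX-Injected: demo";

        System.out.println("contains line break: " + containsLineBreak(untrusted));
        System.out.println("naive header lines : "
                + Arrays.toString(renderHeaderLines(untrusted)));
        // Four lines: the tail of the Subject value became a fourth header.

        String safe = sanitize(untrusted);
        System.out.println("sanitized subject  : " + safe);
        System.out.println("header lines after : "
                + Arrays.toString(renderHeaderLines(safe)));
        // Three lines: "X-Injected: demo" is now plain text inside the Subject value.

        // With Commons Email 1.0 to 1.4 the call-site would pass the sanitized value:
        //     email.setSubject(SubjectGuard.sanitize(untrusted));
    }
}
```

Running the class with no arguments prints both renderings. The useful check
at a call-site is containsLineBreak(): if it returns true for a subject that
came from outside the application, log it as an attempted header injection
and pass sanitize(subject) to setSubject(String) instead of the raw value.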

Credit:
This issue was discovered by Adam Williams.

References:
http://commons.apache.org/proper/commons-email/security-reports.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlmAyP8ACgkQohFa4V9ri3K7XQCgj69yH9nkBGRVJBG9+0DS1jc8
GJUAnRZrLznaNRzokj08JGBMy5wwHNTt
=oSDx
-----END PGP SIGNATURE-----
