Date: Wed, 25 Apr 2012 21:49:29 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>, mikel@...nteractive.net
Subject: Re: CVE request: two flaws fixed in rubygem-mail 2.4.4


On 04/25/2012 03:06 PM, Vincent Danen wrote:
> 
> Two flaws were corrected in rubygem-mail version 2.4.4:
> 
> A file system traversal in file_delivery method [1].
> [1] https://github.com/mikel/mail/commit/29aca25218e4c82991400eb9b0c933626aefc98f

Please use CVE-2012-2139 for this issue.


> Arbitrary command execution when using exim or sendmail from the
> commandline [2],[3].
> [2] https://github.com/mikel/mail/commit/36b7fa23d38cb59dd79b7efa258ef0e7ddab5a11
> [3] https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2

Please use CVE-2012-2140 for this issue.

> Other references:
> 
> https://bugzilla.novell.com/show_bug.cgi?id=759092 
> https://bugzilla.redhat.com/show_bug.cgi?id=816352
> 
> Could two CVEs be assigned for these flaws please?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

