Date: Wed, 18 Jun 2014 07:19:15 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org, rjbs@...n.org, bastian.blank@...dativ.de, team@...urity.debian.org, gregoa@...ian.org Subject: CVE-2014-0477: Email::Address: Denial-of-Service in Email::Address::parse Hi Bastian Blank reported a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation. Email::Address::parse uses significant time on parsing empty quoted string, as allowed by RFC 2822. CVE-2014-0477 was assigned to reference this issue. Bastian Blank suggested a fix which was applied upstream as  contained in a new upstream version 1.905 which contain additional commits to avoid slowdowns.  https://metacpan.org/release/Email-Address  https://github.com/rjbs/Email-Address/commit/83f8306117115729ac9346523762c0c396251eb5  https://github.com/rjbs/Email-Address/blob/master/Changes Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.