Advisories » MGASA-2016-0019

Updated ruby-mail packages fix security vulnerability

Publication date: 15 Jan 2016
Modification date: 07 Mar 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-pending

Description

The Mail library does not impose a length limit on email addresses, so an
attacker can send a long spam message via a recipient address unless there
is a limit on the application's side. The attacker-injected message in the
recipient address is processed by the server. This type of vulnerability
can be a real threat in inquiry forms, member signup forms, or any other
application that delivers an email to a user-specified email address
(bsc#959129).
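
The description says the only barrier is a limit on the application's side. The following is an added example of such a check in plain Ruby, not code from this advisory or from the Mail library. The function names are hypothetical, the octet limits are assumptions taken from RFC 5321, and refusing whitespace and control characters goes beyond the length limit the advisory mentions.

```ruby
# Added example: application-side recipient check (not ruby-mail code).
# Limits are assumptions taken from RFC 5321 section 4.5.3.1.
MAX_LOCAL_OCTETS   = 64   # local-part
MAX_ADDRESS_OCTETS = 254  # 256-octet path minus the enclosing "<" and ">";
                          # this also keeps the domain under its 255-octet cap

ATEXT_LOCAL = /\A[A-Za-z0-9!\#$%&'*+\/=?^_`{|}~.-]+\z/
DNS_LABEL   = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/

# Returns nil when the address is acceptable, otherwise a symbol naming the
# first rule it broke. Stricter than RFC 5322 on purpose: display names,
# comments and quoted local parts are refused.
def recipient_rejection(input)
  return :not_a_string unless input.is_a?(String)
  addr = input.b # count and match octets, not characters
  return :too_long if addr.bytesize > MAX_ADDRESS_OCTETS
  return :control_or_space if addr.match?(/[\x00-\x20\x7f]/)
  local, at, domain = addr.rpartition("@")
  return :no_at_sign if at.empty?
  return :local_too_long if local.bytesize > MAX_LOCAL_OCTETS
  return :bad_local unless local.match?(ATEXT_LOCAL)
  return :bad_local if local.start_with?(".") || local.end_with?(".") || local.include?("..")
  labels = domain.split(".", -1)
  return :bad_domain unless labels.size >= 2 && labels.all? { |l| l.match?(DNS_LABEL) }
  nil
end

# Splits user-supplied recipients into those safe to hand to the mailer and
# those to drop, keeping the reason so it can be logged.
def partition_recipients(inputs)
  accepted = []
  rejected = {}
  inputs.each do |raw|
    reason = recipient_rejection(raw)
    if reason
      rejected[raw] = reason
    else
      accepted << raw
    end
  end
  [accepted, rejected]
end

if __FILE__ == $0
  samples = ["alice@example.com", "#{'x' * 300}@example.com"] # constructed
  accepted, rejected = partition_recipients(samples)
  puts "accepted: #{accepted.inspect}"
  rejected.each { |raw, why| puts "rejected (#{why}): #{raw[0, 40].inspect}..." }
end
```

Run the check on the raw form value before it reaches the mailer, and log the rejection reason rather than echoing the input back to the user.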
                

References

SRPMS

5/core