
[SECURITY] [DLA 489-1] ruby-mail security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : ruby-mail
Version        : 2.4.4-2+deb7u1
CVE ID         : N/A
Debian Bug     : N/A

This update fixes an SMTP injection issue in ruby-mail. We recommend
that you upgrade your ruby-mail package.

 Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) released a
 whitepaper entitled "SMTP Injection via recipient email addresses" (
 http://www.mbsd.jp/Whitepaper/smtpi.pdf). This whitepaper has a section
 discussing how one such vulnerability affected the 'mail' ruby gem (see
 section 3.1).

 The whitepaper has all the specific details; in short, the 'mail' ruby gem
 is prone to the recipient attack because it neither validates nor sanitizes
 the recipient addresses it is given. Thus the attacks described in chapter
 2 of the whitepaper can be applied to the gem without any modification. The
 'mail' ruby gem itself imposes no length limit on email addresses, so an
 attacker can send a long spam message via a recipient address unless the
 application enforces a limit of its own. This vulnerability affects only
 applications that pass recipient addresses through without input validation.

For Debian 7 "Wheezy", this problem has been fixed in version
2.4.4-2+deb7u1.

Further information about Debian LTS security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Folkebogatan 26          \
|  ola@inguza.com                      654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26  0A6A 5E90 DCFA 9426 876F /
 ---------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

