Hi, everyone,

Before you panic: No, there is not a security vulnerability as such in MIME-tools.

The MIME-Tools 5.513 release is available on CPAN; if it hasn't been indexed yet, direct link is https://metacpan.org/release/DSKOLL/MIME-tools-5.513

This release adds a method called MIME::Parser->ambiguous_content() which returns true if one or more of the following is true:

o A MIME part has more than one Content-Type, Content-ID, Content-Transfer-Encoding or Content-Disposition header

o A Content-Type or Content-Disposition header contains a repeated parameter. An example of the latter would be:

    Content-Type: multipart/mixed; boundary="foo"; boundary="bar"

In my opinion, messages with these kinds of ambiguities are a security risk and should be quarantined or rejected by your filter.

For those of you who use Mailmunge (https://mailmunge.org): I will shortly be making a Mailmunge release that adds a Mailmunge::Context->ambiguous_content() method so you can update your filter policies to handle ambiguous MIME messages.

Regards,

Dianne.
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

MIMEDefang mailing list
[email protected]
https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org
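
The two conditions listed in the announcement, applied to the header block of a single MIME part, as an added example that is not part of the original message and is not MIME-tools code. It does not reproduce how `ambiguous_content()` is implemented; the function names, the reason strings and the sample headers are constructed for illustration.

```python
import re
from collections import Counter

# The four headers the announcement names; a part should carry each at most once.
SINGLETON = ("content-type", "content-id",
             "content-transfer-encoding", "content-disposition")
# ;name=value pairs; the value is a quoted-string or a bare token.
PARAM = re.compile(r';\s*([^\s=;"]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)')


def unfold(header_block):
    """Return (lowercased name, unfolded value) pairs from a raw header block."""
    headers = []
    for line in header_block.splitlines():
        if not line.strip():
            break                                  # blank line ends the headers
        if line[0] in " \t" and headers:           # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def ambiguity_reasons(header_block):
    """List why this part is ambiguous; an empty list means neither check fired."""
    headers = unfold(header_block)
    counts = Counter(name for name, _ in headers)
    reasons = [f"duplicate header: {n}" for n in SINGLETON if counts[n] > 1]
    for name, value in headers:
        if name in ("content-type", "content-disposition"):
            # Parameter names are case-insensitive, so compare them lowercased.
            params = Counter(p.lower() for p, _ in PARAM.findall(value))
            reasons += [f"repeated parameter in {name}: {p}"
                        for p, c in params.items() if c > 1]
    return reasons


# Constructed sample header blocks (not taken from real mail).
REPEATED_PARAM = ('Content-Type: multipart/mixed; boundary="foo";\r\n'
                  ' boundary="bar"\r\n\r\n')
DUPLICATE_HEADER = ("Content-Transfer-Encoding: base64\r\n"
                    "Content-Transfer-Encoding: 7bit\r\n\r\n")
# A quoted value that merely contains "; filename=" is not a repeated parameter.
CLEAN = ('Content-Type: text/plain; charset="utf-8"\r\n'
         'Content-Disposition: attachment; filename="a; filename=b.txt"\r\n\r\n')
```

A filter that quarantines on a non-empty result needs to run this on every part of a multipart message, not only on the top-level headers.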
