Your message dated Sun, 18 Feb 2018 00:26:51 +0100
with message-id <20180217232651.GG2301@debian>
and subject line Re: [DRE-maint] Bug#864561: mitigated by a fix in ruby2.3 >= 2.3.3-1+deb9u1
has caused the Debian Bug report #864561,
regarding ruby-mail: vulnerable to SMTP Injection via recipient email addresses
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
864561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864561
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ruby-mail
Severity: important
Tags: upstream fixed-upstream security
Rubysec advisory [1]: "Because the Mail Gem for Ruby does not validate or
impose a length limit on email address fields, an attacker can modify
messages sent with the gem via a specially-crafted recipient email
address.
Applications that validate email address format are not affected by this
vulnerability.
The recipient attack is described in Terada, Takeshi. "SMTP Injection
via Recipient Email Addresses." 2015. The attacks described in the paper
(Terada, p. 4) can be applied to the library without any modification."
Upstream fix targeting 2.5 [2]; upstream fix targeting 2.6 [3].
[1] https://rubysec.com/advisories/mail-OSVDB-131677
[2] https://github.com/mikel/mail/pull/1099
[3] https://github.com/mikel/mail/pull/1098
--- End Message ---
--- Begin Message ---
On 17-11-30 13:53:20, Cédric Boutillier wrote:
> I could not reproduce the attack. The ruby2.3 interpreter in Debian
> received a patch preventing SMTP command injections:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864860
>
> So this package used in conjunction with the Debian version of the
> ruby interpreter in stretch or unstable/testing is not vulnerable.
Accordingly, mark this bug as done.
Cheers,
Georg
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers