Bugzilla – Bug 883225
VUL-0: CVE-2014-0477: perl-Email-Address: Denial-of-Service in Email::Address::parse
Last modified: 2015-02-19 02:16:40 UTC
From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 18 Jun 2014 07:19:15 +0200
Bastian Blank reported a denial of service vulnerability in
Email::Address, a Perl module for RFC 2822 address parsing and
creation. Email::Address::parse uses significant time on parsing
empty quoted strings, as allowed by RFC 2822.
Fixed in upstream version 1.905, which contains additional commits to avoid slowdowns.
bugbot adjusting priority
I haven't touched this package (or Perl) in 7 years. I'm probably not the right person to assign this to.
Daniel, you're one of the bugowners, can you please take this one?
Next try. Can you please take care of this issue?
I know it's late, but I only recently realized that this was assigned to me.
I submitted mr 254516
I changed needinfo to email@example.com, as this is a security issue.
This is an autogenerated message for OBS integration:
This bug (883225) was mentioned in
https://build.opensuse.org/request/show/254516 13.2+13.1+12.3 / perl-Email-Address+perl-Email-Address.openSUSE_13.2
openSUSE-SU-2014:1328-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 883225
CVE References: CVE-2014-0477
openSUSE 13.1 (src): perl-Email-Address-1.899-2.4.1
openSUSE 12.3 (src): perl-Email-Address-1.892-11.4.1