From ${URL} :

It was discovered [1] that there is a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation [2]. Email::Address::parse uses significant time on parsing an empty quoted string, as allowed by RFC 2822. The suggested fix was applied upstream as [3], contained in the new upstream version 1.905 [4], which contains additional commits to avoid slowdowns.

[1] http://seclists.org/oss-sec/2014/q2/563
[2] https://metacpan.org/release/Email-Address
[3] https://github.com/rjbs/Email-Address/commit/83f8306117115729ac9346523762c0c396251eb5
[4] https://github.com/rjbs/Email-Address/blob/master/Changes

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
CVE-2014-0477 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0477): The parse function in Email::Address module before 1.905 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quoted string in an RFC 2822 address.
@Security, please vote.
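As an added illustration of the underlying issue (not code from Email::Address or from this bug), the following single-pass tokenizer splits the display-name part of an RFC 2822 mailbox into atoms and quoted strings, including empty ones, without a backtracking regex, so a header padded with thousands of `""` words costs linear time; the function names, the simplified atext set and the `<`-terminated split are this example's own assumptions.

```python
# Added example: linear-time tokenizer for the RFC 2822 "word" tokens
# (atom / quoted-string) that precede an <addr-spec>.  Hypothetical helper
# names; not the Email::Address implementation.  It walks the input once with
# an explicit state machine, so N empty quoted strings cost O(N) rather than
# triggering nested regex backtracking.

# Simplified RFC 2822 atext (letters, digits and the permitted specials).
ATEXT = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!#$%&'*+-/=?^_`{|}~")

def split_display_name(s):
    """Return (tokens, rest): tokens is a list of ('atom', text) or
    ('quoted', text) tuples for the display-name phrase; rest is the input
    from the first '<' onward (or '' if none).  An empty "" word yields
    ('quoted', '').  Raises ValueError on malformed input."""
    tokens, i, n = [], 0, len(s)
    while i < n:
        c = s[i]
        if c in " \t\r\n":                 # folding whitespace between words
            i += 1
        elif c == "<":                     # angle-addr starts here
            break
        elif c == '"':                     # quoted-string, possibly empty
            i, buf = i + 1, []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted-string")
                c = s[i]
                if c == "\\":              # quoted-pair: \X stands for X
                    if i + 1 >= n:
                        raise ValueError("dangling backslash")
                    buf.append(s[i + 1]); i += 2
                elif c == '"':
                    i += 1; break
                else:
                    buf.append(c); i += 1
            tokens.append(("quoted", "".join(buf)))
        elif c in ATEXT:                   # atom: maximal run of atext
            j = i
            while j < n and s[j] in ATEXT:
                j += 1
            tokens.append(("atom", s[i:j])); i = j
        else:
            raise ValueError("unexpected character %r at offset %d" % (c, i))
    return tokens, s[i:]

def count_empty_quoted(s):
    """Defensive pre-check: number of empty "" words in the display name."""
    tokens, _ = split_display_name(s)
    return sum(1 for kind, text in tokens if kind == "quoted" and text == "")
```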
GLSA vote: no
GLSA vote: no