Description: "The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing."
This seems to actually be a bug in Email-Address-List. Debian have tracked down the patches but 0.6 is fixed anyway. So, @maintainer(s), please clean up =dev-perl/Email-Address-List-0.50.0.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5951fb95d5762ed1b84596148cdc3d441aac39f9

commit 5951fb95d5762ed1b84596148cdc3d441aac39f9
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-04-26 12:25:01 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-04-26 12:33:57 +0000

    dev-perl/Email-Address-List: Security cleanup 0.50.0 re bug #719454

    Removing versions affected by CVE-2018-18898

    Bug: https://bugs.gentoo.org/719454
    Bug: https://nvd.nist.gov/vuln/detail/CVE-2018-18898
    Bug: https://www.cvedetails.com/cve/CVE-2018-18898/
    Bug: https://docs.bestpractical.com/release-notes/rt/4.4.4
    Package-Manager: Portage-2.3.97, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 .../Email-Address-List-0.50.0.ebuild | 33 ----------------------
 dev-perl/Email-Address-List/Manifest |  1 -
 2 files changed, 34 deletions(-)
Cleanup done, over to sec to finish this off :)
(In reply to Kent Fredric (IRC: kent\n) from comment #3)
> Cleanup done, over to sec to finish this off :)

Thanks!