Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 934140 (CVE-2024-28054) - mail-filter/amavisd-new: email parsing vulnerability
Summary: mail-filter/amavisd-new: email parsing vulnerability
Status: UNCONFIRMED
Alias: CVE-2024-28054
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B4 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-12 12:44 UTC by Maxim Britov
Modified: 2024-06-18 06:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Maxim Britov 2024-06-12 12:44:41 UTC
amavisd-new-2.13.1 and amavisd-new-2.12.3 released on March 07, 2024

https://gitlab.com/amavis/amavis/-/blob/v2.13.1/README_FILES/README.CVE-2024-28054

https://gitlab.com/amavis/amavis/-/blob/v2.13.1/RELEASE_NOTES

amavis-2.13.1 release notes
This release addresses a security issue. Users are advised to upgrade
and adapt their configuration. Additional information can be found in
README_FILES/README.CVE-2024-28054.
NEW FEATURES
- Add CC_UNCHECKED minor content category for ambiguous multipart
  boundaries. Users are encouraged to defang or quarantine such emails.
  Thanks to Jiahe Zhang and Jianjun Chen from Tsinghua University and
  Zhongguancun Lab for reporting the issue confidentially.
  Issue: https://gitlab.com/amavis/amavis/issues/112
BUG FIXES
- Resolve double reporting of Amavis::Conf module version.
  Reported by @teoberi.
  Issue: https://gitlab.com/amavis/amavis/issues/100
  MR:    https://gitlab.com/amavis/amavis/merge_requests/100
- SmartOS `uptime` regex fix
  Reported by kb8zqz.
  On SmartOS (and maybe other Solaris / Illumos related distros?) the
  uptime command output includes () around the plural 's' in "days"
  (i.e. "day(s)").  Extend the regex to understand this.
  Issue: https://gitlab.com/amavis/amavis/issues/101
  MR:    https://gitlab.com/amavis/amavis/merge_requests/101
- Reestablish pre-2.13 exit-behaviour of one-shot actions.
  Issue: https://gitlab.com/amavis/amavis/issues/104
  MR:    https://gitlab.com/amavis/amavis/merge_requests/105
- Fix incorrect xz-archive mapping
  Issue: https://gitlab.com/amavis/amavis/issues/111
  MR:    https://gitlab.com/amavis/amavis/merge_requests/110

https://gitlab.com/amavis/amavis/-/blob/v2.12.3/RELEASE_NOTES
amavis-2.12.3 release notes
This release addresses a security issue. Users are advised to upgrade
and adapt their configuration. Additional information can be found in
README_FILES/README.CVE-2024-28054.
NEW FEATURES
- Add CC_UNCHECKED minor content category for ambiguous multipart
  boundaries. Users are encouraged to defang or quarantine such emails.
  Thanks to Jiahe Zhang and Jianjun Chen from Tsinghua University and
  Zhongguancun Lab for reporting the issue confidentially.
  Issue: https://gitlab.com/amavis/amavis/issues/112
BUG FIXES
- SmartOS `uptime` regex fix
  Reported by kb8zqz.
  On SmartOS (and maybe other Solaris / Illumos related distros?) the
  uptime command output includes () around the plural 's' in "days"
  (i.e. "day(s)").  Extend the regex to understand this.
  Issue: https://gitlab.com/amavis/amavis/issues/101
  MR:    https://gitlab.com/amavis/amavis/merge_requests/101
- Fix incorrect xz-archive mapping
  Issue: https://gitlab.com/amavis/amavis/issues/111
  MR:    https://gitlab.com/amavis/amavis/merge_requests/110
- Resolve "can't obtain a tainted string" warning.
  Reported by Marcel Evenson.
  Issue: https://gitlab.com/amavis/amavis/issues/85
  MR:    https://gitlab.com/amavis/amavis/merge_requests/91


Reproducible: Always