Bug 934140 (CVE-2024-28054) - mail-filter/amavisd-new: email parsing vulnerability
Summary: mail-filter/amavisd-new: email parsing vulnerability
Status: UNCONFIRMED
Alias: CVE-2024-28054
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B4 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-12 12:44 UTC by Maxim Britov
Modified: 2024-06-18 06:33 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Maxim Britov 2024-06-12 12:44:41 UTC
amavisd-new-2.13.1 and amavisd-new-2.12.3 were released on March 07, 2024.

https://gitlab.com/amavis/amavis/-/blob/v2.13.1/README_FILES/README.CVE-2024-28054

https://gitlab.com/amavis/amavis/-/blob/v2.13.1/RELEASE_NOTES

amavis-2.13.1 release notes
This release addresses a security issue. Users are advised to upgrade
and adapt their configuration. Additional information can be found in
README_FILES/README.CVE-2024-28054.
NEW FEATURES
- Add CC_UNCHECKED minor content category for ambiguous multipart
  boundaries. Users are encouraged to defang or quarantine such emails.
  Thanks to Jiahe Zhang and Jianjun Chen from Tsinghua University and
  Zhongguancun Lab for reporting the issue confidentially.
  Issue: https://gitlab.com/amavis/amavis/issues/112
BUG FIXES
- Resolve double reporting of Amavis::Conf module version.
  Reported by @teoberi.
  Issue: https://gitlab.com/amavis/amavis/issues/100
  MR:    https://gitlab.com/amavis/amavis/merge_requests/100
- SmartOS `uptime` regex fix
  Reported by kb8zqz.
  On SmartOS (and maybe other Solaris / Illumos related distros?) the
  uptime command output includes () around the plural 's' in "days"
  (i.e. "day(s)").  Extend the regex to understand this.
  Issue: https://gitlab.com/amavis/amavis/issues/101
  MR:    https://gitlab.com/amavis/amavis/merge_requests/101
- Reestablish pre-2.13 exit-behaviour of one-shot actions.
  Issue: https://gitlab.com/amavis/amavis/issues/104
  MR:    https://gitlab.com/amavis/amavis/merge_requests/105
- Fix incorrect xz-archive mapping
  Issue: https://gitlab.com/amavis/amavis/issues/111
  MR:    https://gitlab.com/amavis/amavis/merge_requests/110

https://gitlab.com/amavis/amavis/-/blob/v2.12.3/RELEASE_NOTES
amavis-2.12.3 release notes
This release addresses a security issue. Users are advised to upgrade
and adapt their configuration. Additional information can be found in
README_FILES/README.CVE-2024-28054.
NEW FEATURES
- Add CC_UNCHECKED minor content category for ambiguous multipart
  boundaries. Users are encouraged to defang or quarantine such emails.
  Thanks to Jiahe Zhang and Jianjun Chen from Tsinghua University and
  Zhongguancun Lab for reporting the issue confidentially.
  Issue: https://gitlab.com/amavis/amavis/issues/112
BUG FIXES
- SmartOS `uptime` regex fix
  Reported by kb8zqz.
  On SmartOS (and maybe other Solaris / Illumos related distros?) the
  uptime command output includes () around the plural 's' in "days"
  (i.e. "day(s)").  Extend the regex to understand this.
  Issue: https://gitlab.com/amavis/amavis/issues/101
  MR:    https://gitlab.com/amavis/amavis/merge_requests/101
- Fix incorrect xz-archive mapping
  Issue: https://gitlab.com/amavis/amavis/issues/111
  MR:    https://gitlab.com/amavis/amavis/merge_requests/110
- Resolve "can't obtain a tainted string" warning.
  Reported by Marcel Evenson.
  Issue: https://gitlab.com/amavis/amavis/issues/85
  MR:    https://gitlab.com/amavis/amavis/merge_requests/91


Reproducible: Always
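The release notes above introduce a CC_UNCHECKED minor content category for messages with ambiguous multipart boundaries and advise quarantining or defanging them. The script below is an added illustration of the underlying check, written for this page and not taken from amavis or the Gentoo ebuild. It assumes that "ambiguous" means the top-level Content-Type header(s) offer more than one distinct boundary value, so that two parsers choosing different candidates would scan different part trees; a declared boundary that never appears in the body is reported separately as "malformed". The sample messages are constructed.

```python
"""Flag MIME messages whose top-level multipart boundary is ambiguous.

Added illustration, not amavis code. Assumption: a message is "ambiguous"
when its top-level Content-Type header(s) offer more than one distinct
boundary value. A declared boundary that never occurs as a delimiter line
in the body is reported as "malformed". Both verdicts are the cases a
gateway would quarantine or defang instead of delivering unchanged.
"""
import email
import re
from email import policy

# Every boundary parameter in a Content-Type value, quoted or bare, in the
# order written. The stdlib's get_param() would silently resolve duplicates
# for us, which is exactly the decision we want to see before it is made.
_BOUNDARY_RE = re.compile(
    r'(?:^|;)\s*boundary\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]+)', re.IGNORECASE
)


def boundary_candidates(raw_message: bytes) -> list[str]:
    """Return every boundary value offered by every top-level Content-Type header."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    found = []
    for value in msg.get_all("Content-Type") or []:
        for match in _BOUNDARY_RE.finditer(str(value)):
            token = match.group(1)
            if token.startswith('"'):
                # Unquote an RFC 2045 quoted-string parameter value.
                token = token[1:-1].replace('\\"', '"')
            found.append(token)
    return found


def classify(raw_message: bytes) -> dict:
    """Decide whether the message can be scanned with one unambiguous boundary."""
    candidates = boundary_candidates(raw_message)
    distinct = list(dict.fromkeys(candidates))  # preserve first-seen order
    # Raw body: everything after the first blank line, CRLF or LF endings.
    pieces = re.split(rb"\r?\n\r?\n", raw_message, maxsplit=1)
    body = pieces[1].decode("latin-1") if len(pieces) == 2 else ""
    # Candidates that actually occur as delimiter lines ("--b" or "--b--").
    present = [
        b for b in distinct
        if re.search(r"^--" + re.escape(b) + r"(?:--)?[ \t]*\r?$", body, re.MULTILINE)
    ]
    if not distinct:
        verdict = "not-multipart"
    elif len(distinct) > 1:
        verdict = "ambiguous"
    elif not present:
        verdict = "malformed"
    else:
        verdict = "clean"
    return {"verdict": verdict, "candidates": candidates, "delimiters_in_body": present}


# Constructed sample messages (not real traffic).
CLEAN_MESSAGE = (
    b"From: sender@example.test\r\n"
    b"Content-Type: multipart/mixed; boundary=\"part-a\"\r\n"
    b"\r\n"
    b"--part-a\r\nContent-Type: text/plain\r\n\r\nhello\r\n--part-a--\r\n"
)

AMBIGUOUS_MESSAGE = (
    b"From: sender@example.test\r\n"
    b"Content-Type: multipart/mixed; boundary=\"part-a\"; boundary=part-b\r\n"
    b"\r\n"
    b"--part-a\r\nContent-Type: text/plain\r\n\r\nseen by one parser\r\n--part-a--\r\n"
    b"--part-b\r\nContent-Type: text/plain\r\n\r\nseen by another\r\n--part-b--\r\n"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_MESSAGE), ("ambiguous", AMBIGUOUS_MESSAGE)):
        print(name, classify(sample))
```

Only the top-level header is inspected here; a production filter would apply the same test to each nested multipart part. The verdicts map directly onto the advice in the release notes: "clean" proceeds to normal scanning, while "ambiguous" and "malformed" are the messages to route to quarantine or defanging rather than deliver as received.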