CVE-2024-28054
Published: 18 March 2024
Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.
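As an added example (not code from Amavis, MIME-tools or this tracker), the following Python check flags a raw message in which any Content-Type header carries more than one boundary parameter, the condition on which a scanner and a mail user agent can disagree. The function names and sample messages are constructed here, and RFC 2231 forms such as `boundary*0` are deliberately counted as additional boundary parameters, which is a conservative assumption.

```python
import re

# A Content-Type header at the start of any line, with folded continuation lines.
# Scanning every such line avoids choosing a boundary to split on, at the cost of
# also matching body text that happens to look like a header (conservative).
_CT_HEADER = re.compile(rb"^content-type[ \t]*:(.*(?:\r?\n[ \t].*)*)", re.I | re.M)

# One ";name=value" parameter; the value is a quoted string or a bare token.
_PARAM = re.compile(rb';\s*([^\s=;"]+)\s*=\s*("(?:\\.|[^"\\])*"|[^;\s]*)')


def boundary_values(header_value: bytes) -> list[bytes]:
    """Return every boundary value found in one Content-Type header value."""
    values = []
    for name, value in _PARAM.findall(header_value):
        # Assumption: treat boundary*, boundary*0, ... as boundary parameters too.
        if name.split(b"*", 1)[0].lower() == b"boundary":
            values.append(value.strip(b'"'))
    return values


def ambiguous_boundaries(raw: bytes) -> list[list[bytes]]:
    """List the boundary sets of headers that declare more than one boundary."""
    findings = []
    for match in _CT_HEADER.finditer(raw):
        values = boundary_values(match.group(1))
        if len(values) > 1:
            findings.append(values)
    return findings


# Constructed sample messages (not taken from any real mail).
SAMPLE_AMBIGUOUS = (
    b"From: a@example.test\r\n"
    b'Content-Type: multipart/mixed; boundary="outer-1";\r\n'
    b' boundary="outer-2"\r\n\r\n'
    b"--outer-1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--outer-1--\r\n"
)
SAMPLE_CLEAN = (
    b"From: a@example.test\r\n"
    b'Content-Type: multipart/mixed; charset=utf-8; boundary="only"\r\n\r\n'
    b"--only\r\nContent-Type: text/plain\r\n\r\nhello\r\n--only--\r\n"
)

if __name__ == "__main__":
    for label, msg in (("ambiguous", SAMPLE_AMBIGUOUS), ("clean", SAMPLE_CLEAN)):
        print(label, ambiguous_boundaries(msg))
```

A non-empty result is a reason to quarantine or reject the message before content scanning rather than trust any single interpretation of its structure.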
Notes
Author | Note |
---|---|
mdeslaur | The d921bc52 commit allows using ambiguous_content from libmime-tools-perl 5.514 if it is available. That version is only in noble+, but the previous commit will still work. |
Priority
Status
Package | Release | Status |
---|---|---|
amavisd-new (Launchpad, Ubuntu, Debian) | bionic | Needs triage |
amavisd-new | focal | Released (1:2.11.0-6.1ubuntu1.1) |
amavisd-new | jammy | Released (1:2.12.2-1ubuntu1.1) |
amavisd-new | mantic | Released (1:2.13.0-3ubuntu1.1) |
amavisd-new | noble | Released (1:2.13.0-3ubuntu2) |
amavisd-new | trusty | Needs triage |
amavisd-new | upstream | Released (1:2.13.0-5) |
amavisd-new | xenial | Needs triage |

Patches:
- upstream: https://gitlab.com/amavis/amavis/commit/78c4b7076ebf1d711629a95860aae1bc0db5277a
- upstream: https://gitlab.com/amavis/amavis/commit/d921bc5208ce5b4e8f3e387a1d4e1f8fa4e85008
- upstream: https://gitlab.com/amavis/amavis/commit/c6c4a4c27c60194b68b617b7d3cfb033d6c587e2

References
- https://www.amavis.org/release-notes.txt
- https://metacpan.org/pod/MIME::Tools
- https://gitlab.com/amavis/amavis/-/raw/v2.13.1/README_FILES/README.CVE-2024-28054
- https://lists.amavis.org/pipermail/amavis-users/2024-March/006811.html
- https://www.cve.org/CVERecord?id=CVE-2024-28054
- https://ubuntu.com/security/notices/USN-6790-1
- NVD
- Launchpad
- Debian