Package: ruby-mail
Severity: important
Tags: upstream fixed-upstream security

Rubysec advisory [1]:

"Because the Mail Gem for Ruby does not validate or impose a length limit on email address fields, an attacker can modify messages sent with the gem via a specially-crafted recipient email address. Applications that validate email address format are not affected by this vulnerability. The recipient attack is described in Terada, Takeshi. "SMTP Injection via Recipient Email Addresses." 2015. The attacks described in the paper (Terada, p. 4) can be applied to the library without any modification."

Upstream fix targeting 2.5 [2]; upstream fix targeting 2.6 [3].

[1] https://rubysec.com/advisories/mail-OSVDB-131677
[2] https://github.com/mikel/mail/pull/1099
[3] https://github.com/mikel/mail/pull/1098
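The advisory notes that applications which validate email address format are not affected, because the injection depends on the recipient field carrying line breaks (and, in the unbounded case, arbitrary length) straight through to the SMTP conversation. The following is an added example of such an application-side check, not code from the mail gem, from the upstream fix, or from the advisory. The length limit of 254, the address regex, the error class and the function names are all assumptions made for this example; the sample inputs are constructed.

```ruby
# Added example (not from ruby-mail or the advisory): reject recipient
# addresses that could carry an injection before they reach the mail library.

# Assumed limit for this example; the page itself gives no number.
MAX_ADDRESS_LENGTH = 254

# Deliberately conservative syntax: one '@', no whitespace, dotted domain.
# Stricter than RFC 5322, which is fine for an allow-list style check.
ADDRESS_RE = /\A[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+\z/

class InvalidRecipient < StandardError; end

# Returns the address unchanged if it is acceptable, raises otherwise.
def validate_recipient(address)
  raise InvalidRecipient, "recipient must be a String" unless address.is_a?(String)
  raise InvalidRecipient, "recipient too long" if address.length > MAX_ADDRESS_LENGTH
  # CR, LF and other control characters are what lets an address terminate
  # the current SMTP command or header line, so they are rejected outright.
  if address.match?(/[\x00-\x1f\x7f]/)
    raise InvalidRecipient, "control character in recipient"
  end
  raise InvalidRecipient, "malformed recipient" unless address.match?(ADDRESS_RE)
  address
end

# Boolean convenience wrapper around validate_recipient.
def valid_recipient?(address)
  validate_recipient(address)
  true
rescue InvalidRecipient
  false
end

# Split a recipient list into accepted addresses and [address, reason] pairs
# for the rejected ones, so the rejections can be logged or alerted on.
def partition_recipients(addresses)
  accepted = []
  rejected = []
  addresses.each do |addr|
    begin
      accepted << validate_recipient(addr)
    rescue InvalidRecipient => e
      rejected << [addr, e.message]
    end
  end
  [accepted, rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one clean address, one carrying a line break,
  # one over the length limit, one syntactically broken.
  samples = [
    "alice@example.com",
    "bob@example.com\r\nX-Injected: line",
    "a" * 300 + "@example.com",
    "carol@example"
  ]
  accepted, rejected = partition_recipients(samples)
  puts "accepted: #{accepted.inspect}"
  rejected.each { |addr, why| puts "rejected (#{why}): #{addr.inspect}" }
end
```

The control-character test runs before the syntax test so that the logged reason names the injection attempt specifically rather than a generic format failure; that distinction is what makes the rejection worth alerting on.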