[Rt-commit] rt branch, 4.2-trunk, updated. rt-4.2.4-12-g51dec00

Alex Vandiver alexmv at bestpractical.com
Fri May 16 11:45:42 EDT 2014


The branch, 4.2-trunk has been updated
       via  51dec003a99d39555b89c7ef55169b99414059a3 (commit)
       via  aa3be30385dc0e065e758fe0476952f25224654c (commit)
      from  1d1d736881ecaac291e7d200d3fc5e5cf2157653 (commit)

Summary of changes:
 sbin/rt-test-dependencies.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

- Log -----------------------------------------------------------------
commit aa3be30385dc0e065e758fe0476952f25224654c
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Wed Jan 15 20:14:17 2014 -0500

    Require newer Email::Address::List to prevent denial of service
    
    Email::Address::List contained a regular expression which was
    susceptible to a quadratic-time increase in runtime on some
    incorrectly-formed strings; this allowed constructed emails to subject
    RT to a denial-of-service attack.  Require a newer version of the
    module, which alters the regular expression to no longer contain such a
    pessimized case.
    
    This resolves CVE-2014-1474.

diff --git a/sbin/rt-test-dependencies.in b/sbin/rt-test-dependencies.in
index f852cbb..a39988a 100644
--- a/sbin/rt-test-dependencies.in
+++ b/sbin/rt-test-dependencies.in
@@ -196,7 +196,7 @@ Digest::base
 Digest::MD5 2.27
 Digest::SHA
 Email::Address 1.897
-Email::Address::List
+Email::Address::List 0.02
 Encode 2.39
 Errno
 File::Glob
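
Review bot: The new floor on the "Email::Address::List 0.02" line has nothing beside it recording that it is a security minimum, and the commit message says only "a newer version" without naming 0.02 as the release that carries the regular-expression fix. Suggest stating the fixed version explicitly in the commit message and, if this list's format permits comments, noting CVE-2014-1474 next to the entry so the requirement is not relaxed in a later cleanup. Since sbin/rt-test-dependencies.in is the only file changed, the release notes should also tell existing installations to re-run the dependency check, because a site with an older Email::Address::List already installed keeps the quadratic-time regular expression until it upgrades.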

commit 51dec003a99d39555b89c7ef55169b99414059a3
Merge: 1d1d736 aa3be30
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Fri May 16 11:44:59 2014 -0400

    Merge branch 'security/4.2/email-address-list' into 4.2-trunk


-----------------------------------------------------------------------

