Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use
of MIME-tools, has an Interpretation Conflict (relative to some mail user
agents) when there are multiple boundary parameters in a MIME email
message. Consequently, there can be an incorrect check for banned files or
malware.
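
A check a mail gateway could run ahead of content scanning to flag messages whose top-level `Content-Type` carries more than one boundary parameter, the condition described above. This is an added example, not code from Amavis or MIME-tools; the function names and sample messages are constructed for illustration. It inspects only the top-level header block and conservatively counts RFC 2231 continuation forms as separate parameters.

```python
import re

# Constructed sample messages (not taken from the advisory).
AMBIGUOUS = ("From: a@example.com\r\n"
             "Content-Type: multipart/mixed; boundary=\"outer\";\r\n"
             "\tboundary=inner\r\n\r\n--outer\r\n")
CLEAN = ("From: a@example.com\r\n"
         "Content-Type: multipart/mixed; boundary=\"a;boundary=b\"\r\n\r\n")


def header_block(raw):
    """Return the top-level header block with folded lines unfolded."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    return re.sub(r"\r?\n[ \t]+", " ", head)


def split_params(value):
    """Split a header value on ';', ignoring ';' inside quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if quoted and not escaped and ch == "\\":
            escaped = True
        else:
            if ch == '"' and not escaped:
                quoted = not quoted
            escaped = False
        if ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def boundary_params(raw):
    """List every boundary-like parameter on top-level Content-Type headers."""
    found = []
    for line in header_block(raw).splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            for param in split_params(value)[1:]:
                key = param.partition("=")[0].strip().lower()
                # Plain and RFC 2231 forms: boundary, boundary*, boundary*0 ...
                if re.fullmatch(r"boundary(\*\d+)?\*?", key):
                    found.append(param.strip())
    return found


def is_ambiguous(raw):
    """True when parsers could disagree on which boundary applies."""
    return len(boundary_params(raw)) > 1
```

A message for which `is_ambiguous` returns true is a candidate for quarantine or rejection rather than normal scanning, since the scanner and the recipient's mail client may not split it into the same parts.
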
Author | Note |
---|---|
mdeslaur | The d921bc52 commit allows using ambiguous_content from libmime-tools-perl 5.514 if it is available. That version is only in noble+, but the previous commit will still work. |
OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | amavisd-new | < any | UNKNOWN |
ubuntu | 20.04 | noarch | amavisd-new | < 1:2.11.0-6.1ubuntu1.1 | UNKNOWN |
ubuntu | 22.04 | noarch | amavisd-new | < 1:2.12.2-1ubuntu1.1 | UNKNOWN |
ubuntu | 23.10 | noarch | amavisd-new | < 1:2.13.0-3ubuntu1.1 | UNKNOWN |
ubuntu | 24.04 | noarch | amavisd-new | < 1:2.13.0-3ubuntu2 | UNKNOWN |
ubuntu | 14.04 | noarch | amavisd-new | < any | UNKNOWN |
ubuntu | 16.04 | noarch | amavisd-new | < any | UNKNOWN |
gitlab.com/amavis/amavis/-/raw/v2.13.1/README_FILES/README.CVE-2024-28054
launchpad.net/bugs/cve/CVE-2024-28054
lists.amavis.org/pipermail/amavis-users/2024-March/006811.html
metacpan.org/pod/MIME::Tools
nvd.nist.gov/vuln/detail/CVE-2024-28054
security-tracker.debian.org/tracker/CVE-2024-28054
ubuntu.com/security/notices/USN-6790-1
www.amavis.org/release-notes.txt
www.cve.org/CVERecord?id=CVE-2024-28054