oss-sec mailing list archives

CVE request: two flaws fixed in rubygem-mail 2.4.4

From: Vincent Danen <vdanen () redhat com>
Date: Wed, 25 Apr 2012 15:06:10 -0600


Two flaws were corrected in rubygem-mail version 2.4.4:

A file system traversal in file_delivery method [1].

Arbitrary command execution when using exim or sendmail from the commandline [2],[3].

[1] https://github.com/mikel/mail/commit/29aca25218e4c82991400eb9b0c933626aefc98f
[2] https://github.com/mikel/mail/commit/36b7fa23d38cb59dd79b7efa258ef0e7ddab5a11
[3] https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2

Other references:

https://bugzilla.novell.com/show_bug.cgi?id=759092
https://bugzilla.redhat.com/show_bug.cgi?id=816352

Could two CVEs be assigned for these flaws please?

--

Vincent Danen / Red Hat Security Response Team

Current thread:

CVE request: two flaws fixed in rubygem-mail 2.4.4 Vincent Danen (Apr 25)
- Re: CVE request: two flaws fixed in rubygem-mail 2.4.4 Kurt Seifried (Apr 25)