[Mimedefang] SECURITY: New release of MIME-tools
Dianne Skoll
dianne at skoll.ca
Thu Jan 25 11:52:41 EST 2024
Hi, everyone,
Before you panic: No, there is not a security vulnerability as such in
MIME-tools.
The MIME-Tools 5.513 release is available on CPAN; if it hasn't been
indexed yet, direct link is https://metacpan.org/release/DSKOLL/MIME-tools-5.513
This release adds a method called MIME::Parser->ambiguous_content()
which returns true if one or more of the following is true:
o A MIME part has more than one Content-Type, Content-ID,
Content-Transfer-Encoding or Content-Disposition header
o A Content-Type or Content-Disposition header contains a repeated
parameter.
An example of the latter would be:
Content-Type: multipart/mixed; boundary="foo"; boundary="bar"
In my opinion, messages with these kinds of ambiguities are a security
risk and should be quarantined or rejected by your filter.
For those of you who use Mailmunge (https://mailmunge.org):
I will shortly be making a Mailmunge release that adds a
Mailmunge::Context->ambiguous_content() method so you can update your
filter policies to handle ambiguous MIME messages.
Regards,
Dianne.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20240125/e8f06c5c/attachment.sig>
More information about the MIMEDefang
mailing list