[Mimedefang] SECURITY: New release of MIME-tools

Dianne Skoll dianne at skoll.ca
Thu Jan 25 11:52:41 EST 2024


Hi, everyone,

Before you panic: No, there is not a security vulnerability as such in
MIME-tools.

The MIME-Tools 5.513 release is available on CPAN; if it hasn't been
indexed yet, direct link is https://metacpan.org/release/DSKOLL/MIME-tools-5.513

This release adds a method called MIME::Parser->ambiguous_content()
which returns true if one or more of the following is true:

o A MIME part has more than one Content-Type, Content-ID,
  Content-Transfer-Encoding or Content-Disposition header

o A Content-Type or Content-Disposition header contains a repeated
  parameter.

An example of the latter would be:

   Content-Type: multipart/mixed; boundary="foo"; boundary="bar"

In my opinion, messages with these kinds of ambiguities are a security
risk and should be quarantined or rejected by your filter.

For those of you who use Mailmunge (https://mailmunge.org):

I will shortly be making a Mailmunge release that adds a
Mailmunge::Context->ambiguous_content() method so you can update your
filter policies to handle ambiguous MIME messages.

Regards,

Dianne.
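The two conditions listed in the announcement, written out as a stand-alone check over constructed sample messages. This is an added example, not MIME-tools code and not from the original post: the names `repeated_params` and `ambiguity_reasons` are hypothetical, and it uses Python's standard `email` parser rather than MIME::Parser.

```python
import re
from collections import Counter
from email import message_from_string

# Headers the announcement says may appear at most once per MIME part.
SINGLETON = ("Content-Type", "Content-ID",
             "Content-Transfer-Encoding", "Content-Disposition")
# Headers whose parameters are checked for repeats.
PARAMETERIZED = ("Content-Type", "Content-Disposition")
# ";name=value", where value is a quoted-string or a bare token.
PARAM_RE = re.compile(r';\s*([^\s=;"]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)')

def repeated_params(value):
    """Parameter names (lower-cased) that occur more than once in a header value."""
    seen = Counter(m.group(1).lower() for m in PARAM_RE.finditer(value))
    return sorted(name for name, n in seen.items() if n > 1)

def ambiguity_reasons(raw_message):
    """List why a message is ambiguous; an empty list means neither check fired."""
    reasons = []
    for idx, part in enumerate(message_from_string(raw_message).walk()):
        for name in SINGLETON:
            count = len(part.get_all(name, []))
            if count > 1:
                reasons.append(f"part {idx}: {count} {name} headers")
        for name in PARAMETERIZED:
            for value in part.get_all(name, []):
                for param in repeated_params(str(value)):
                    reasons.append(f"part {idx}: repeated {name} parameter '{param}'")
    return reasons

# Constructed sample messages (not real mail).
CLEAN = (
    'Content-Type: multipart/mixed; boundary="foo"\n\n'
    '--foo\nContent-Type: text/plain\n\nhello\n--foo--\n'
)
AMBIGUOUS = (
    'Content-Type: multipart/mixed; boundary="foo"; boundary="bar"\n\n'
    '--foo\nContent-Type: text/plain\n'
    'Content-Transfer-Encoding: 7bit\nContent-Transfer-Encoding: base64\n\n'
    'hello\n--foo--\n'
)

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("ambiguous", AMBIGUOUS)):
        verdict = ambiguity_reasons(msg)
        print(label, "->", "quarantine" if verdict else "accept", verdict)
```

The walk relies on Python's parser choosing one of the repeated boundary values, so parts below an ambiguous container may be split differently than another parser would split them; the container itself is still reported.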