Apache Commons-Email, from version 1.0 to 1.4 inclusive, does not properly validate bounce addresses. If a user of Commons-Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. External References: http://openwall.com/lists/oss-security/2018/01/26/5 Upstream Revision: https://svn.apache.org/viewvc?view=revision&revision=1777030
Created apache-commons-email tracking bugs for this issue: Affects: fedora-all [bug 1540001]