It was discovered [1] that there's a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation [2]. Email::Address::parse uses significant time on parsing empty quoted strings, as allowed by RFC 2822. The suggested fix was applied upstream as [3], contained in a new upstream version 1.905 [4], which contains additional commits [5] to avoid slowdowns.

[1] http://seclists.org/oss-sec/2014/q2/563
[2] https://metacpan.org/release/Email-Address
[3] https://github.com/rjbs/Email-Address/commit/83f8306
[4] https://metacpan.org/release/RJBS/Email-Address-1.905
[5] https://github.com/rjbs/Email-Address/blob/432d10e/Changes

Created perl-Email-Address tracking bugs for this issue:

Affects: fedora-all [bug 1110724]
Affects: epel-5 [bug 1110725]
Affects: epel-6 [bug 1110726]

External References: (none)
perl-Email-Address-1.905-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
perl-Email-Address-1.905-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
perl-Email-Address-1.905-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
perl-Email-Address-1.905-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.