Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686

Salvatore Bonaccorso carnil at debian.org
Thu Jul 13 15:36:09 UTC 2017


Hi

On Thu, Jul 13, 2017 at 03:21:06PM +0200, Pali Rohár wrote:
> On Thursday 13 July 2017 15:08:38 Salvatore Bonaccorso wrote:
> > This IMHO is no reason to mark it as severity grave.
> 
> Debian Security Team suggested to add severity grave, so I did it.

Yes, I know the initial reply to you was done by Moritz (Cc'ed). I
discussed that with him shortly offlist, and since the algorithmic
complexity vulnerability, as per CVE assigned, is considered minor
(and is e.g. worked around in request-tracker4), decided for the above
statement. 1.908 furthermore mitigates the problem (but OTOH then as
consequence misparses certain realistic comments).

The replacement goal is certainly worthwhile for Debian buster, but
the mentioned steps are first needed for the roadmap. In particular as
initial step we need a packaged libemail-address-xs-perl. Volunteers?
;-)

Regards and hope this clarifies,
Salvatore