Bug#868170: libemail-address-perl: Email::Address->parse() is vulnerable to CVE-2015-7686
Pali Rohár
pali.rohar at gmail.com
Thu Jul 13 14:51:56 UTC 2017
On Thursday 13 July 2017 16:47:34 gregor herrmann wrote:
> On Thu, 13 Jul 2017 15:21:06 +0200, Pali Rohár wrote:
>
> > On Thursday 13 July 2017 15:08:38 Salvatore Bonaccorso wrote:
> > > This IMHO is no reason to mark it as severity grave.
> > Debian Security Team suggested to add severity grave, so I did it.
>
> Salvatore is part of the Debian Security Team.
>
> This CVE is also already tracked by them since some time:
> https://security-tracker.debian.org/tracker/CVE-2015-7686
> (Note the "<no-dsa> (Minor issue)")
>
> Please also note that replacing Email::Address with ::XS might be a
> worthwhile goal in unstable and for buster
At least some step forward.
> but it won't happen for (jessie or) stretch.
I have no idea what can be done with jessie or stretch as I do not think
that fixing Email::Address is possible without introducing another
hidden problem or adding new incompatibility against RFCs...
--
Pali Rohár
pali.rohar at gmail.com