From: Stefan Bodewig
To: dev@commons.apache.org, user@commons.apache.org, announce@apache.org, A.Williams.9@warwick.ac.uk, security@apache.org, oss-security@lists.openwall.com, bugtraq@securityfocus.com
Subject: CVE-2017-9801: Apache Commons Email SMTP header injection vulnerability
Reply-To: user@commons.apache.org
Date: Tue, 01 Aug 2017 20:31:29 +0200
Message-ID: <87lgn3nnr2.fsf@v45346.1blu.de>
CVE-2017-9801: Apache Commons Email SMTP header injection vulnerability

Severity: low

Vendor: The Apache Software Foundation

Versions Affected: Apache Commons Email 1.0 to 1.4.

Description: When a call-site passes a subject for an email that contains line-breaks, the caller can add arbitrary SMTP headers.

Mitigation: Users should upgrade to Commons Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from the subject before passing it to the setSubject(String) method.

Credit: This issue was discovered by Adam Williams.

References: http://commons.apache.org/proper/commons-email/security-reports.html
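As an added illustration of the caller-side mitigation for Commons Email 1.0 to 1.4 (example code, not from the advisory or the Commons Email project), the helper below normalises or rejects an untrusted subject before it reaches setSubject(String). The class name SafeSubject, the helper method names, the ".invalid" addresses and the constructed subject string are assumptions.

```java
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public final class SafeSubject {

    // Hypothetical helper: a Subject: header line ends at CR/LF, so any line break in
    // user input would let the remainder be read as further headers. Each run of CR/LF
    // is replaced by one space so that words on either side do not fuse together.
    public static String stripLineBreaks(String subject) {
        if (subject == null) {
            return null;
        }
        return subject.replaceAll("[\\r\\n]+", " ");
    }

    // Stricter variant: treat a line break as a sign of tampering and refuse the value
    // outright instead of silently repairing it, which also makes the attempt visible
    // in application logs when the exception is caught and recorded.
    public static String requireSingleLine(String subject) {
        if (subject != null && (subject.indexOf('\r') >= 0 || subject.indexOf('\n') >= 0)) {
            throw new IllegalArgumentException("subject must not contain line breaks");
        }
        return subject;
    }

    public static void main(String[] args) throws EmailException {
        // Constructed input standing in for a subject taken from an untrusted web form.
        String untrusted = "Order confirmation\r\nX-Constructed-Header: not-a-real-header";

        Email email = new SimpleEmail();
        email.setHostName("smtp.example.invalid");   // placeholder, never contacted here
        email.setFrom("noreply@example.invalid");
        email.addTo("user@example.invalid");
        email.setSubject(stripLineBreaks(untrusted)); // single line: the CRLF became a space
        email.setMsg("Body text.");
        // send() is intentionally not called; the point is the subject handling.
        System.out.println(email.getSubject());
    }
}
```

Commons Email 1.5 addresses the issue in the library itself, so the guard is only needed while older versions remain deployed.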