Package | amavisd-new |
---|---|
Version | 1:2.10.1-4+deb9u1 (stretch), 1:2.11.0-6.1+deb10u1 (buster) |
Related CVEs | CVE-2024-28054 |
Amavis has an interpretation conflict when there are ambiguous boundary delimiters in a MIME email message. An attacker can send crafted emails that avoid checks for banned files or malware.
Amavis now treats such emails as UNCHECKED. This new behavior can be configured; see:
- https://gitlab.com/amavis/amavis/-/blob/v2.12.3/RELEASE_NOTES
- https://gitlab.com/amavis/amavis/-/blob/v2.12.3/README_FILES/README.CVE-2024-28054
For Debian 10 buster, these problems have been fixed in version 1:2.11.0-6.1+deb10u1.
For Debian 9 stretch, these problems have been fixed in version 1:2.10.1-4+deb9u1.
We recommend that you upgrade your amavisd-new packages.
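
An audit check for the condition described above, added here as an example and not part of this advisory or of Amavis: it flags multipart parts whose Content-Type header declares more than one boundary parameter, which is how the CVE-2024-28054 description words the ambiguity. The function names and the sample messages are constructed for illustration.

```python
import sys
from email import message_from_bytes
from email.utils import collapse_rfc2231_value


def boundary_values(part):
    """Return every boundary value declared on this part's Content-Type header."""
    params = part.get_params(failobj=[], header="content-type")
    # params[0] is the media type itself; the rest are (name, value) pairs.
    return [collapse_rfc2231_value(v) for n, v in params[1:] if n.lower() == "boundary"]


def ambiguous_parts(raw):
    """Return [(part_path, [boundaries])] for multipart parts with more than one boundary."""
    findings = []

    def walk(part, path):
        if part.get_content_maintype() == "multipart":
            found = boundary_values(part)
            if len(found) > 1:
                findings.append((path, found))
        if part.is_multipart():
            for i, child in enumerate(part.get_payload(), 1):
                walk(child, f"{path}.{i}")

    walk(message_from_bytes(raw), "1")
    return findings


# Constructed sample: one header, two boundary declarations, harmless text body.
SAMPLE_AMBIGUOUS = (
    b"From: sender@example.org\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="outer"; boundary="other"\n'
    b"\n"
    b"--outer\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"hello\n"
    b"--outer--\n"
)
# Constructed control: the same message with a single boundary declaration.
SAMPLE_CLEAN = SAMPLE_AMBIGUOUS.replace(b'; boundary="other"', b"")

if __name__ == "__main__":
    # Usage: python check_boundaries.py message1.eml message2.eml ...
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            for path, found in ambiguous_parts(fh.read()):
                print(f"{name}: part {path} declares boundaries {found}")
```

Run over stored or quarantined messages, it shows which ones different MIME parsers may split differently.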
Further information about Extended LTS security advisories can be found in the dedicated section of our website.