FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

amavisd-new -- multipart boundary confusion

Affected packages
amavisd-new < 2.12.3


VuXML ID 0a48e552-e470-11ee-99b3-589cfc0f81b0
Discovery 2024-03-14
Entry 2024-03-17

The Amavis project reports:

Emails which consist of multiple parts (`Content-Type: multipart/*`) incorporate boundary information stating at which point one part ends and the next part begins.

A boundary is announced by an Content-Type header's `boundary` parameter. To our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a parser should handle multiple boundary parameters that contain conflicting values. As a result, there is no canonical choice which of the values should or should not be used for mime part decomposition.


CVE Name CVE-2024-28054