DescriptionAmavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
amavisd-new (PTS)buster1:2.11.0-6.1vulnerable
sid, trixie1:2.13.0-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[bookworm] - amavisd-new <no-dsa> (Minor issue; will be fixed via point release)
[bullseye] - amavisd-new <no-dsa> (Minor issue; will be fixed via point release)
[buster] - amavisd-new <postponed> (Minor issue; new configuration to spam-tag some broken e-mails; follow point release) (v2.13.1) (v2.13.1) (v2.13.1)
Patched amavisd-new version can use MIME::Entity->ambiguous_content if available
to get help on detecting an an ambiguous email or use an own ambiguous_content
check if the available MIME::Tools are too old.

Search for package or bug name: Reporting problems