Debian DLA-489-1 : ruby-mail security update

high Nessus Plugin ID 91325

Synopsis

The remote Debian host is missing a security update.

Description

This security update fixes a security issue in ruby-mail. We recommend you upgrade your ruby-mail package.

Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) released a whitepaper entitled 'SMTP Injection via recipient email addresses' (http://www.mbsd.jp/Whitepaper/smtpi.pdf). This whitepaper has a section discussing how one such vulnerability affected the 'mail' ruby gem (see section 3.1).

The whitepaper has all the specific details; in short, the 'mail' ruby gem is prone to the recipient attack because it neither validates nor sanitizes the recipient addresses it is given. Thus, the attacks described in chapter 2 of the whitepaper can be applied to the gem without any modification. The 'mail' ruby gem itself does not impose a length limit on email addresses, so an attacker can send a long spam message via a recipient address unless there is a limit on the application's side. This vulnerability affects only applications that lack input validation.
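The advisory says the gem performs no recipient validation and that only applications lacking their own input validation are exposed. As an added example, not taken from the advisory, the DLA or the 'mail' gem itself, the Ruby below is the kind of application-side check a caller would apply before handing addresses to the gem: it rejects control characters and whitespace (so a line break cannot smuggle extra SMTP protocol lines into the envelope), enforces a length limit, and only accepts a conservative local-part@domain shape. The 254-character limit and the address grammar are assumptions chosen for this example, not values from the page.

```ruby
# Added example: application-side recipient validation to apply before
# passing addresses to the 'mail' gem. Not part of the gem or the advisory.

# Assumed practical upper bound for a full address (RFC 5321 guidance).
MAX_ADDRESS_LENGTH = 254

# Conservative address grammar (assumption): printable local part, then a
# domain made of dot-separated labels with no leading/trailing hyphen.
# Deliberately narrower than what RFC 5322 permits (no quoted local parts,
# no comments, no display names) so nothing resembling SMTP syntax gets in.
SAFE_ADDRESS = /\A[A-Za-z0-9.!#$%&'*+\/=?^_`{|}~-]+@[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+\z/

# Characters that must never appear in an envelope address: CR, LF and other
# ASCII control characters, DEL, and any whitespace.
FORBIDDEN_CHARS = /[\x00-\x1f\x7f\s]/

# Returns true only for a single, well-formed, size-bounded address.
def safe_recipient?(address)
  return false unless address.is_a?(String)
  return false if address.empty? || address.length > MAX_ADDRESS_LENGTH
  return false if FORBIDDEN_CHARS.match?(address)
  SAFE_ADDRESS.match?(address)
end

# Filters a list of user-supplied recipients down to the safe ones; the
# rejected entries are returned separately so the caller can log them.
def partition_recipients(list)
  accepted, rejected = Array(list).partition { |addr| safe_recipient?(addr) }
  { accepted: accepted, rejected: rejected }
end

# Strict variant for code paths that should fail closed rather than silently
# drop recipients: raises on the first unsafe address.
def require_safe_recipients!(list)
  result = partition_recipients(list)
  unless result[:rejected].empty?
    raise ArgumentError, "unsafe recipient address(es) rejected: #{result[:rejected].size}"
  end
  result[:accepted]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: one valid address, one with an embedded line
  # break, one with a space, and one far beyond the length limit.
  sample = [
    'alice@example.com',
    "bob@example.com\r\nextra-line",
    'carol @example.com',
    ('x' * 300) + '@example.com'
  ]
  result = partition_recipients(sample)
  puts "accepted: #{result[:accepted].inspect}"
  puts "rejected: #{result[:rejected].size} address(es)"
  # The accepted list is what you would then pass to Mail.new / mail.to=.
end
```

The point of the narrow grammar is that the gem is documented here as doing no checking at all, so the application must be the one to guarantee that each address is exactly one address and cannot carry a line break; whether to drop or reject bad entries (`partition_recipients` versus `require_safe_recipients!`) depends on whether silently losing a recipient is acceptable for the application.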

For Debian 7 'Wheezy', these problems have been fixed in version 2.4.4-2+deb7u1.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected ruby-mail package.

See Also

https://www.mbsd.jp/Whitepaper/smtpi.pdf

https://lists.debian.org/debian-lts-announce/2016/05/msg00041.html

https://packages.debian.org/source/wheezy/ruby-mail

Plugin Details

Severity: High

ID: 91325

File Name: debian_DLA-489.nasl

Version: 2.5

Type: local

Agent: unix

Published: 5/26/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ruby-mail, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 5/25/2016