FreeBSD : rt42 -- denial-of-service attack via the email gateway (d1dfc4c7-8791-11e3-a371-6805ca0b3d42)

medium Nessus Plugin ID 72155

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The RT development team reports :

Versions of RT between 4.2.0 and 4.2.2 (inclusive) are vulnerable to a denial-of-service attack via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This vulnerability is assigned CVE-2014-1474.

This vulnerability is caused by poor parsing performance in the Email::Address::List module, which RT depends on. We recommend that affected users upgrade their version of Email::Address::List to v0.02 or above, which resolves the issue. Due to a communications mishap, the release on CPAN will temporarily appear as 'unauthorized,' and the command-line cpan client will hence not install it. We expect this to be resolved shortly; in the meantime, the release is also available from our server.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?c21c8430

http://www.nessus.org/u?5626e64e

Plugin Details

Severity: Medium

ID: 72155

File Name: freebsd_pkg_d1dfc4c7879111e3a3716805ca0b3d42.nasl

Version: 1.5

Type: local

Published: 1/28/2014

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:p5-email-address-list, p-cpe:/a:freebsd:freebsd:rt42, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 1/27/2014

Vulnerability Publication Date: 1/27/2014

Reference Information

CVE: CVE-2014-1474