FreeBSD : rt42 -- denial-of-service attack via the email gateway (d1dfc4c7-8791-11e3-a371-6805ca0b3d42)

Medium Nessus Plugin ID 72155


The remote FreeBSD host is missing one or more security-related updates.


The RT development team reports:

Versions of RT between 4.2.0 and 4.2.2 (inclusive) are vulnerable to a denial-of-service attack via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This vulnerability is assigned CVE-2014-1474.

This vulnerability is caused by poor parsing performance in the Email::Address::List module, which RT depends on. We recommend that affected users upgrade their version of Email::Address::List to v0.02 or above, which resolves the issue. Due to a communications mishap, the release on CPAN will temporarily appear as 'unauthorized,' and the command-line cpan client will hence not install it. We expect this to be resolved shortly; in the meantime, the release is also available from our server.


Update the affected packages.

Plugin Details

Severity: Medium

ID: 72155

File Name: freebsd_pkg_d1dfc4c7879111e3a3716805ca0b3d42.nasl

Version: $Revision: 1.2 $

Type: local

Published: 2014/01/28

Modified: 2014/07/16

Dependencies: 12634

Risk Information

Risk Factor: Medium
Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:p5-Email-Address-List, p-cpe:/a:freebsd:freebsd:rt42, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2014/01/27

Vulnerability Publication Date: 2014/01/27

Reference Information

CVE: CVE-2014-1474