ID: DSA-2969 | Type: debian | Reporter: Debian | Modified: 2014-06-27T00:00:00
Description
Bastian Blank reported a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation. Email::Address::parse used significant time on parsing empty quoted strings. A remote attacker able to supply specifically crafted input to an application that uses Email::Address for parsing could use this flaw to mount a denial of service attack against the application.
For the stable distribution (wheezy), this problem has been fixed in version 1.895-1+deb7u1.
For the testing distribution (jessie), this problem has been fixed in version 1.905-1.
For the unstable distribution (sid), this problem has been fixed in version 1.905-1.
We recommend that you upgrade your libemail-address-perl packages.
{"modified": "2014-06-27T00:00:00", "id": "DSA-2969", "edition": 1, "title": "libemail-address-perl -- security update", "viewCount": 0, "objectVersion": "1.2", "description": "Bastian Blank reported a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation. Email::Address::parse used significant time on parsing empty quoted strings. A remote attacker able to supply specifically crafted input to an application using Email::Address for parsing, could use this flaw to mount a denial of service attack against the application.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 1.895-1+deb7u1.\n\nFor the testing distribution (jessie), this problem has been fixed in version 1.905-1.\n\nFor the unstable distribution (sid), this problem has been fixed in version 1.905-1.\n\nWe recommend that you upgrade your libemail-address-perl packages.", "type": "debian", "lastseen": "2016-09-02T18:36:14", "affectedPackage": [{"packageVersion": "1.895-1+deb7u1", "packageFilename": "libemail-address-perl_1.895-1+deb7u1_all.deb", "OS": "Debian GNU/Linux", "arch": "all", "OSVersion": "7", "operator": "lt", "packageName": "libemail-address-perl"}], "history": [], "href": "http://www.debian.org/security/dsa-2969", "hash": "36989021117f244a045a6b16938538605022d9112cc7d12f33c39f7e10b850a3", "published": "2014-06-27T00:00:00", "reporter": "Debian", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "references": [], "bulletinFamily": "unix", "cvelist": ["CVE-2014-4720", "CVE-2014-0477"], "enchantments": {"vulnersScore": 5.0}}
{"result": {"cve": [{"id": "CVE-2014-4720", "type": "cve", "title": "CVE-2014-4720", "description": "Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via vectors related to \"backtracking into the phrase,\" a different vulnerability than CVE-2014-0477.", "published": "2014-07-06T19:55:02", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4720", "cvelist": ["CVE-2014-4720"], "lastseen": "2016-09-03T20:43:00"}, {"id": "CVE-2014-0477", "type": "cve", "title": "CVE-2014-0477", "description": "The parse function in Email::Address module before 1.905 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quoted string in an RFC 2822 address.", "published": "2014-07-03T13:55:05", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0477", "cvelist": ["CVE-2014-0477"], "lastseen": "2016-09-03T19:51:54"}], "zdt": [{"id": "1337DAY-ID-22680", "type": "zdt", "title": "TP-LINK WDR4300 XSS / Denial Of Service Vulnerabilities", "description": "TP-LINK WDR4300 suffers from cross site scripting and denial of service vulnerabilities.", "published": "2014-09-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/22680", "cvelist": ["CVE-2014-4727", "CVE-2014-4720"], "lastseen": "2018-04-09T07:45:31"}], "nessus": [{"id": "DEBIAN_DSA-2969.NASL", "type": "nessus", "title": "Debian DSA-2969-1 : libemail-address-perl - security update", "description": "Bastian Blank reported a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation. 
Email::Address::parse used significant time on parsing empty quoted strings. A remote attacker able to supply specifically crafted input to an application using Email::Address for parsing, could use this flaw to mount a denial of service attack against the application.", "published": "2014-06-28T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=76286", "cvelist": ["CVE-2014-4720", "CVE-2014-0477"], "lastseen": "2017-10-29T13:45:04"}, {"id": "MANDRIVA_MDVSA-2014-192.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : perl-Email-Address (MDVSA-2014:192)", "description": "Updated perl-Email-Address package fixes security vulnerability :\n\nThe parse function in Email::Address module before 1.905 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quoted string in an RFC 2822 address (CVE-2014-0477).\n\nThe Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via vectors related to backtracking into the phrase (CVE-2014-4720).", "published": "2014-10-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=78018", "cvelist": ["CVE-2014-4720", "CVE-2014-0477"], "lastseen": "2017-10-29T13:38:46"}, {"id": "FEDORA_2014-7613.NASL", "type": "nessus", "title": "Fedora 20 : perl-Email-Address-1.905-1.fc20 (2014-7613)", "description": "Update to 1.905 to fix CVE-2014-0477.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-09-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=77947", "cvelist": ["CVE-2014-0477"], "lastseen": "2017-10-29T13:34:19"}, {"id": "FEDORA_2014-7610.NASL", "type": "nessus", "title": "Fedora 19 : perl-Email-Address-1.905-1.fc19 (2014-7610)", "description": "Update to 1.905 to fix CVE-2014-0477.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-09-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=77946", "cvelist": ["CVE-2014-0477"], "lastseen": "2017-10-29T13:38:34"}, {"id": "OPENSUSE-2014-604.NASL", "type": "nessus", "title": "openSUSE Security Update : perl-Email-Address (openSUSE-SU-2014:1328-1)", "description": "This update fixes a denial of service vulnerability when parsing an empty quoted string (CVE-2014-0477)", "published": "2014-10-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=78720", "cvelist": ["CVE-2014-0477"], "lastseen": "2017-10-29T13:36:45"}], "openvas": [{"id": "OPENVAS:1361412562310868209", "type": "openvas", "title": "Fedora Update for perl-Email-Address FEDORA-2014-7610", "description": "Check for the Version of perl-Email-Address", "published": "2014-10-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868209", "cvelist": 
["CVE-2014-0477"], "lastseen": "2018-04-09T11:11:48"}, {"id": "OPENVAS:1361412562310702969", "type": "openvas", "title": "Debian Security Advisory DSA 2969-1 (libemail-address-perl - security update)", "description": "Bastian Blank reported a denial of service vulnerability in\nEmail::Address, a Perl module for RFC 2822 address parsing and creation.\nEmail::Address::parse used significant time on parsing empty quoted\nstrings. A remote attacker able to supply specifically crafted input to\nan application using Email::Address for parsing, could use this flaw to\nmount a denial of service attack against the application.", "published": "2014-06-27T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702969", "cvelist": ["CVE-2014-0477"], "lastseen": "2018-04-06T11:12:51"}, {"id": "OPENVAS:702969", "type": "openvas", "title": "Debian Security Advisory DSA 2969-1 (libemail-address-perl - security update)", "description": "Bastian Blank reported a denial of service vulnerability in\nEmail::Address, a Perl module for RFC 2822 address parsing and creation.\nEmail::Address::parse used significant time on parsing empty quoted\nstrings. 
A remote attacker able to supply specifically crafted input to\nan application using Email::Address for parsing, could use this flaw to\nmount a denial of service attack against the application.", "published": "2014-06-27T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=702969", "cvelist": ["CVE-2014-0477"], "lastseen": "2017-07-28T10:49:02"}, {"id": "OPENVAS:1361412562310868219", "type": "openvas", "title": "Fedora Update for perl-Email-Address FEDORA-2014-7613", "description": "Check for the Version of perl-Email-Address", "published": "2014-10-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868219", "cvelist": ["CVE-2014-0477"], "lastseen": "2018-04-09T11:13:26"}]}}