Warning: recent vendor perl patch may harm MailScanner
Denis Beauchemin
Denis.Beauchemin at USHERBROOKE.CA
Thu Dec 22 14:23:31 GMT 2005
Kai Schaetzl wrote:
>SuSE has issued a perl patch on Dec. 19 for all its supported platforms
>which may cause you problems with MailScanner, be careful! It's the fix
>SPRINTF0 - fixes for sprintf formatting issues - CVE-2005-3962
>Other vendors will probably push this important patch as well.
>
>Problems may only occur if you used CPAN to install some modules required
>by MailScanner.
>
>But I'm not convinced that it only affects those. Reason: That patch seems
>to either overwrite MIME::Base64 with the version current when the OS
>version was released (in this case 2.20) or write this information to some
>housekeeping file belonging to Perl. This clash could occur with
>rpm-installed MIME::Base64 as well.
>
>Symptoms: MailScanner dies with
>MIME::Base64 object version 2.20 does not match bootstrap parameter 3.05
>at /usr/lib/perl5/5.8.1/i586-linux-thread-multi/DynaLoader.pm line 249.
>Compilation failed in require at /usr/sbin/MailScanner line 55.
>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 59.
>
>You get the same error when opening the CPAN shell and just doing
>"i MIME::Base64" (LWP failed with code[500] message[MIME::Base64 object
>version 2.20 does not match bootstrap parameter 3.05]). It also says
>"strange package name" or so. I tried upgrading (via CPAN) to version 3.07
>(current) of MIME::Base64 and when this didn't help installing all perl
>rpms coming with the MailScanner tar.gz. Nothing helped, even worse this
>made MailScanner grab memory ad infinitum. And SpamAssassin make test as
>well. Only the above-mentioned trick helped. Perl says now that the version
>of MIME::Base64 installed is 2.20 on the machine with a working (!)
>MailScanner and 3.0.5 on a machine where MailScanner doesn't work and
>where I did nothing to fix the problem.
>
>Going back to the last Perl patch version is obviously not recommended
>since the fixed problem is a serious one. This problem may indeed only
>occur under circumstances, but better beware!
>
>Julian, any thoughts on the nature of the problem and how to solve it and
>keep the patch?
>
>Kai
>
Upgraded Perl on RHEL 3 and 4 servers yesterday running MS 4.47.4 and
4.46.2 without any problem. All is fine. No error messages either.

All Perl modules bundled with MS were installed by MS (not CPAN).

MailScanner -v says:
3.05 MIME::Base64

I guess Red Hat did it better than SuSE...

Happy holidays to everybody! I hope everyone will be able to forget
about the mail servers for at least a couple of days... that includes
you, Julian... you deserve it!!!

Denis
--
_
°v° Denis Beauchemin, analyste
/(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x2252 F: 819.821.8045
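
An added diagnostic, not part of the original messages or of MailScanner: in the quoted error, "object version" is the version compiled into the module's shared object and "bootstrap parameter" is the `$VERSION` of the `.pm` that was loaded, so this script lists every copy of both files in `@INC` order and then attempts the load. It assumes the module is loaded through DynaLoader, as the quoted error indicates; the script itself and its output wording are illustrative.

```perl
#!/usr/bin/perl
# Added diagnostic, not from the thread. For a DynaLoader-based XS module,
# "require" loads the first .pm found in @INC and DynaLoader bootstraps the
# first compiled object found under auto/ in @INC. The "object version X does
# not match bootstrap parameter Y" error appears when those two files come
# from different releases of the module.
use strict;
use warnings;
use Config;
use File::Spec;
use ExtUtils::MakeMaker ();    # defines MM->parse_version

my $module = shift || 'MIME::Base64';
die "unexpected module name: $module\n" unless $module =~ /\A\w+(?:::\w+)*\z/;

my @parts  = split /::/, $module;
my $pm_rel = File::Spec->catfile(@parts) . '.pm';
my $so_rel = File::Spec->catfile('auto', @parts, "$parts[-1].$Config{dlext}");

my (@pm, @so, %seen);
for my $dir (grep { !ref && !$seen{$_}++ } @INC) {   # skip hooks and repeats
    my $pm = File::Spec->catfile($dir, $pm_rel);
    my $so = File::Spec->catfile($dir, $so_rel);
    push @pm, $pm if -f $pm;
    push @so, $so if -f $so;
}

print "Copies of $pm_rel in \@INC order (the first one is loaded):\n";
printf "  %-8s %s  %s\n", MM->parse_version($_), scalar localtime((stat $_)[9]), $_
    for @pm;
print "Compiled objects in \@INC order (the first one is bootstrapped):\n";
printf "  %s  %s\n", scalar localtime((stat $_)[9]), $_ for @so;

print "WARNING: more than one copy present; check which package owns each\n"
    if @pm > 1 or @so > 1;

# Attempt the load here so the bootstrap version check runs and its message
# is captured instead of killing the caller.
if (eval "require $module; 1") {
    printf "%s loads cleanly, reports version %s\n", $module, $module->VERSION;
} else {
    print "$module failed to load: $@";
}
```

Running it before and after a vendor Perl update shows whether the update replaced only one half of the `.pm`/shared-object pair; the modification times make a file rewritten by the update stand out.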