Warning: recent vendor perl patch may harm MailScanner

Chris Sweeney csweeney at OSUBUCKS.ORG
Fri Dec 23 04:33:11 GMT 2005


Same here, no problems with the Perl upgrade on RedHat ES 4.


Denis Beauchemin wrote:

> Kai Schaetzl wrote:
>> SuSE has issued a perl patch on Dec. 19 for all its supported 
>> platforms which may cause you problems with MailScanner, be careful! 
>> It's the fix
>> SPRINTF0 - fixes for sprintf formatting issues - CVE-2005-3962
>> Other vendors will probably push this important patch as well.
>> Problems may only occur if you used CPAN to install some modules 
>> required by MailScanner.
>> But I'm not convinced that it only affects those. Reason: That patch 
>> seems to either overwrite MIME::Base64 with the version current when 
>> the OS version was released (in this case 2.20) or write this 
>> information to some housekeeping file belonging to Perl. This clash 
>> could occur with rpm-installed MIME::Base64 as well.
>> Symptoms: MailScanner dies with
>>
>>   MIME::Base64 object version 2.20 does not match bootstrap parameter 3.05 at /usr/lib/perl5/5.8.1/i586-linux-thread-multi/DynaLoader.pm line 249.
>>   Compilation failed in require at /usr/sbin/MailScanner line 55.
>>   BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 59.
>>
>> You get the same error when opening the CPAN shell and just doing "i 
>> MIME::Base64" (LWP failed with code[500] message[MIME::Base64 object 
>> version 2.20 does not match bootstrap parameter 3.05]). It also says 
>> "strange package name" or so. I tried upgrading (via CPAN) to version 
>> 3.07 (current) of MIME::Base64 and when this didn't help installing 
>> all perl rpms coming with the MailScanner tar.gz. Nothing helped, 
>> even worse this made MailScanner grab memory ad infinitum. And 
>> Spamassassin make test as well. Only the abovementioned trick helped. 
>> Perl says now that the version of MIME::Base64 installed is 2.20 on 
>> the machine with a working (!) MailScanner and 3.0.5 on a machine 
>> where MailScanner doesn't work and where I did nothing to fix the 
>> problem.
>> Going back to the last Perl patch version is obviously not 
>> recommended since the fixed problem is a serious one. This problem 
>> may indeed only occur under circumstances, but better beware!
>> Julian, any thoughts on the nature of the problem and how to solve it 
>> and keep the patch?
>> Kai
> Upgraded Perl on RHEL 3 and 4 servers yesterday running MS 4.47.4 and 
> 4.46.2 without any problem.  All is fine.  No error messages either.  
> All Perl modules bundled with MS were installed by MS (not CPAN).  
> MailScanner -v says:
> 3.05    MIME::Base64
> I guess Red Hat did it better than SuSE...
> Happy holidays to everybody!  I hope everyone will be able to forget 
> about the mail servers for at least a couple of days...  that includes 
> you, Julian... you deserve it!!!
> Denis

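Added example, not part of the original thread or of MailScanner: perl raises the "object version ... does not match bootstrap parameter" error when the `MIME/Base64.pm` it loads declares one version and the compiled `Base64.so` it loads was built from another. The sketch below walks a list of library directories in order and reports whether the first `.pm` and the first `.so` come from the same directory; the function names, the `site`/`vendor` layout and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. Paths below are constructed.

# pm_version FILE: print the number from the first "$VERSION = ..." line.
pm_version() {
    sed -n 's/^[^#]*[$]VERSION[[:space:]]*=[[:space:]]*[^0-9]\{0,1\}\([0-9][0-9._]*\).*/\1/p' "$1" | head -n 1
}

# check_xs_module MODULE DIR...
# Walk DIR... in order, as perl walks @INC. Return 0 if the first .pm and the
# first compiled .so sit under the same DIR, 1 if they are split across two
# DIRs (a likely version mismatch), 2 if either one is missing.
check_xs_module() {
    mod=$1; shift
    rel=$(printf '%s' "$mod" | sed 's|::|/|g')   # MIME::Base64 -> MIME/Base64
    base=${rel##*/}
    first_pm=; first_so=
    for dir in "$@"; do
        pm="$dir/$rel.pm"; so="$dir/auto/$rel/$base.so"
        if [ -f "$pm" ]; then
            echo "pm $(pm_version "$pm") $pm"
            [ -n "$first_pm" ] || first_pm=$dir
        fi
        if [ -f "$so" ]; then
            echo "so $so"
            [ -n "$first_so" ] || first_so=$dir
        fi
    done
    if [ -z "$first_pm" ] || [ -z "$first_so" ]; then
        echo "RESULT missing"; return 2
    fi
    if [ "$first_pm" != "$first_so" ]; then
        echo "RESULT split: .pm under $first_pm, .so under $first_so"; return 1
    fi
    echo "RESULT ok: both under $first_pm"
}

# Constructed tree: a newer .pm shadows the directory that holds the only
# compiled object, the layout assumed to produce the error in the thread.
demo_split() {
    t=$(mktemp -d)
    mkdir -p "$t/site/MIME" "$t/vendor/MIME" "$t/vendor/auto/MIME/Base64"
    echo '$VERSION = "3.05";' > "$t/site/MIME/Base64.pm"
    echo '$VERSION = "2.20";' > "$t/vendor/MIME/Base64.pm"
    : > "$t/vendor/auto/MIME/Base64/Base64.so"
    st=0; check_xs_module MIME::Base64 "$t/site" "$t/vendor" || st=$?
    rm -rf "$t"; return "$st"
}
# On a live host: check_xs_module MIME::Base64 $(perl -e 'print "@INC"')
```

A "split" result after a vendor perl update points at two installations of the same XS module; running the check before and after patching shows whether the update changed which copy wins.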