[Fwd: Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3]

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Thu Jun 16 09:11:14 IST 2005


Folks

FYI

Oh, and if anyone is still running SA 2.63 there's a DoS problem with it
as well. Upgrade to 2.64 if you don't want to make the jump to 3.0.4.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


-------- Original Message --------
Subject: Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3
Date: Wed, 15 Jun 2005 13:00:46 -0700
From: Daniel Quinlan <quinlan at pathname.com>
Reply-To: users at spamassassin.apache.org
To: announce at spamassassin.apache.org
CC: users at spamassassin.apache.org, dev at spamassassin.apache.org

Apache SpamAssassin 3.0.4 was recently released [0], and fixes a denial
of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3.  The
vulnerability allows certain misformatted long message headers to cause
spam checking to take a very long time.

While the exploit has yet to be seen in the wild, we are concerned that
there may be attempts to abuse the vulnerability in the future.
Therefore, we strongly recommend all users of these versions upgrade to
Apache SpamAssassin 3.0.4 as soon as possible.

This issue has been assigned CVE id CAN-2005-1266 [1].

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org.  For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[0]: http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200506.mbox/%3c20050606223631.GG11538@kluge.net%3e

[1]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266

