Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3

Stephen Swaney steve.swaney at FSL.COM
Thu Jun 16 13:29:09 IST 2005


FYI. A good reason to upgrade to SpamAssassin 3.0.4. Can someone confirm
that similar vulnerabilities exist in SpamAssassin 2.63 / 2.64?

> From announce-return-9-paddy=panici.net at spamassassin.apache.org  Wed Jun 15 21:12:13 2005
> From: Daniel Quinlan <quinlan at pathname.com>
> To: announce at spamassassin.apache.org
> Subject: Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3
> 
> Apache SpamAssassin 3.0.4 was recently released [0], and fixes a 
> denial of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3.  
> The vulnerability allows certain misformatted long message headers to 
> cause spam checking to take a very long time.
> 
> While the exploit has yet to be seen in the wild, we are concerned 
> that there may be attempts to abuse the vulnerability in the future.
> Therefore, we strongly recommend all users of these versions upgrade 
> to Apache SpamAssassin 3.0.4 as soon as possible.
> 
> This issue has been assigned CVE id CAN-2005-1266 [1].
> 
> To contact the Apache SpamAssassin security team, please e-mail 
> security at spamassassin.apache.org.  For more information about 
> Apache SpamAssassin, visit the http://spamassassin.apache.org/ web site.
> 
> Apache SpamAssassin Security Team
> 
> [0]: http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200506.mbox/%3c20050606223631.GG11538 at kluge.net%3e
> 
> [1]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266

Steve Swaney
President
Fort Systems Ltd.
www.fsl.com
steve.swaney at fsl.com 
