Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Thu Jun 16 14:39:39 IST 2005


Ugo

2.63 is vulnerable to a different DoS problem, not the one announced for 3.0.[1-3]
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Ugo Bellavance wrote:
> Stephen Swaney wrote:
> 
>>FYI. A good reason to upgrade to SpamAssassin 3.0.4. Can someone confirm
>>that similar vulnerabilities exist in SpamAssassin 2.63 / 2.64?
> 
> 
> From an earlier post from Martin Hepworth, 2.63 is vulnerable while 2.64 isn't.
> 
> Regards,
> 
> Ugo
> 
> 
>>
>>>From announce-return-9-paddy=panici.net at spamassassin.apache.org  Wed Jun 15 21:12:13 2005
>>>From: Daniel Quinlan <quinlan at pathname.com>
>>>To: announce at spamassassin.apache.org
>>>Subject: Denial of Service Vulnerability in Apache SpamAssassin 
>>>3.0.1-3.0.3
>>>
>>>Apache SpamAssassin 3.0.4 was recently released [0], and fixes a 
>>>denial of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3.  
>>>The vulnerability allows certain misformatted long message headers to 
>>>cause spam checking to take a very long time.
>>>
>>>While the exploit has yet to be seen in the wild, we are concerned 
>>>that there may be attempts to abuse the vulnerability in the future.
>>>Therefore, we strongly recommend all users of these versions upgrade 
>>>to Apache SpamAssassin 3.0.4 as soon as possible.
>>>
>>>This issue has been assigned CVE id CAN-2005-1266 [1].
>>>
>>>To contact the Apache SpamAssassin security team, please e-mail 
>>>security at spamassassin.apache.org.  For more information about 
>>>Apache SpamAssassin, visit the http://spamassassin.apache.org/ web site.
>>>
>>>Apache SpamAssassin Security Team
>>>
>>>[0]: http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200506.mbox/%3c20050606223631.GG11538 at kluge.net%3e
>>>
>>>[1]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
>>
>>
>>Steve Swaney
>>President
>>Fort Systems Ltd.
>>www.fsl.com
>>steve.swaney at fsl.com 
>>
> 
> 
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!


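The advisory quoted above says only that "certain misformatted long message headers" make spam checking take a very long time; the fix it gives is upgrading to 3.0.4. The following is an added example, not code from this thread, from MailScanner or from Apache SpamAssassin: a pre-scan header sanity check that a gateway could run before handing a message to the scanner, so that an oversized or malformed header block is quarantined or deferred instead of being scanned. The limits (998 octets per line after RFC 5322, 64 KiB per header block, 100 continuation lines per field), the function names and the sample messages are all assumptions made for the example; the advisory gives no such numbers.

```python
"""Pre-scan header sanity check for a mail gateway.

Added example, not code from the original thread, MailScanner or Apache
SpamAssassin. A gateway can run it before handing a message to the spam
scanner and treat oversized or malformed header blocks as suspicious rather
than letting the scanner stall on them. Every limit below is an assumed
policy value (the line limit follows RFC 5322's 998-octet rule); the
advisory itself gives no numbers.
"""
import re

MAX_LINE_OCTETS = 998         # RFC 5322 hard limit per line, CRLF excluded
MAX_HEADER_BLOCK = 64 * 1024  # assumed policy: size of the whole header block
MAX_CONTINUATIONS = 100       # assumed policy: folded lines per header field

# Field name: printable US-ASCII except ':' followed by ':' (RFC 5322 3.6.8).
FIELD_START = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")


def split_header_block(raw: bytes) -> bytes:
    """Return everything before the first blank line (CRLF or bare LF)."""
    hits = [i for i in (raw.find(b"\r\n\r\n"), raw.find(b"\n\n")) if i != -1]
    return raw[: min(hits)] if hits else raw  # no body: whole thing is header


def check_headers(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means the headers look sane."""
    findings = []
    block = split_header_block(raw)
    if len(block) > MAX_HEADER_BLOCK:
        findings.append(f"header block too large: {len(block)} bytes")

    continuations = 0
    for n, line in enumerate(block.splitlines(), 1):
        if len(line) > MAX_LINE_OCTETS:
            findings.append(f"line {n} exceeds {MAX_LINE_OCTETS} octets ({len(line)})")
        if line[:1] in (b" ", b"\t"):  # folded continuation line
            if n == 1:
                findings.append("line 1 is a continuation line with no field")
            continuations += 1
            if continuations == MAX_CONTINUATIONS + 1:  # report once per field
                findings.append(
                    f"line {n}: field folded across more than {MAX_CONTINUATIONS} lines"
                )
        else:
            continuations = 0
            if not FIELD_START.match(line):
                findings.append(f"line {n} is not a header field: {line[:40]!r}")
    return findings


def should_skip_scan(raw: bytes) -> bool:
    """Gateway policy hook: True means quarantine or defer instead of scanning."""
    return bool(check_headers(raw))


# Constructed sample messages (not captured traffic).
GOOD_MESSAGE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: a short, well formed\r\n"
    b" folded subject\r\n"
    b"\r\n"
    b"body\r\n"
)

BAD_MESSAGE = (
    b"From: alice@example.com\r\n"
    + b"Subject: " + b"A" * 5000 + b"\r\n"   # far over the 998-octet limit
    + b"this line has no colon\r\n"          # not a header field at all
    + b"\r\n"
    + b"body\r\n"
)

DEEPLY_FOLDED = b"X-Fold: start\r\n" + b" more\r\n" * 150 + b"\r\nbody\r\n"

if __name__ == "__main__":
    samples = (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE), ("folded", DEEPLY_FOLDED))
    for name, msg in samples:
        verdict = "skip scan" if should_skip_scan(msg) else "scan"
        print(name, verdict, check_headers(msg))
```

This is a defensive layer in front of the scanner, not a replacement for the upgrade the advisory asks for: it cannot know which malformed headers the affected versions choke on, so it only refuses to scan what a well-behaved sender would never produce. Combine it with a per-message scan timeout in the gateway so that a message which passes the check but still stalls the scanner is released or quarantined rather than tying up a worker.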