MailScanner ANNOUNCE: Stable release 4.74.12
MailScanner at ecs.soton.ac.uk
Sat Jan 3 11:13:10 GMT 2009
I have just released the first version for 2009, 4.74.
The main fix this time is that all the symlink vulnerabilities have been
fixed, though you were only ever vulnerable to these problems if you let
users interactively login (using ssh, for example) to your MailScanner
servers. If you restrict logins to system admins and other trusted
users, you would never have had a problem anyway.
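The class of bug described above (a process writing into a work area that a local user can also write to, so a predictable file name can be pre-created as a symbolic link pointing somewhere else) has a standard defensive shape. The following is an added illustration in Python, not MailScanner's own code and not a reconstruction of its fix; the directory names, file names and the `check_work_dir`/`safe_write` helpers are assumptions for the demonstration. The same `O_EXCL`/`O_NOFOLLOW` flags are available to Perl code through `Fcntl` and `sysopen`.

```python
import os
import shutil
import stat
import tempfile


def check_work_dir(path):
    """Return True only if `path` is a real directory owned by the current
    user in which other users cannot rename or replace entries
    (not world-writable unless the sticky bit is set)."""
    st = os.lstat(path)  # lstat never follows a symlink at `path` itself
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    mode = stat.S_IMODE(st.st_mode)
    if (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
        return False
    return True


def create_private_file(directory, name):
    """Create `directory/name` without following a planted symlink.

    O_EXCL makes the open fail if anything already exists at that name,
    including a symlink (dangling or not); O_NOFOLLOW additionally refuses
    to traverse a symlink at the final path component on platforms that
    support it. Mode 0600 keeps the new file private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(os.path.join(directory, name), flags, 0o600)


def safe_write(directory, name, data):
    """Write `data` into a freshly created private file.

    Returns True on success and False if the name was already occupied,
    which is exactly the condition a symlink attack relies on."""
    try:
        fd = create_private_file(directory, name)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def demo():
    """Constructed scenario: a predictable file name in the work area has
    already been turned into a symlink to a path outside it. Returns the
    observed outcomes so they can be checked."""
    work = tempfile.mkdtemp(prefix="work-")          # 0700, owned by us
    elsewhere = tempfile.mkdtemp(prefix="elsewhere-")
    target = os.path.join(elsewhere, "should-stay-untouched")
    try:
        os.symlink(target, os.path.join(work, "message.txt"))  # planted link
        refused = not safe_write(work, "message.txt", b"scan output")
        created = safe_write(work, "message-2.txt", b"scan output")
        leaked = os.path.exists(target)       # did anything follow the link?
        dir_ok = check_work_dir(work)
        link_to_dir = os.path.join(elsewhere, "work-link")
        os.symlink(work, link_to_dir)
        link_ok = check_work_dir(link_to_dir)  # a symlinked work dir is rejected
    finally:
        shutil.rmtree(work)
        shutil.rmtree(elsewhere)
    return {
        "refused": refused,
        "created": created,
        "leaked": leaked,
        "dir_ok": dir_ok,
        "link_rejected": not link_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks complement each other: `check_work_dir` catches a misconfigured or substituted work directory before anything is written (the same concern as the "don't chmod /tmp" check in this release), and `safe_write` fails closed on any pre-existing name instead of silently writing through it. Better still is to avoid predictable names altogether with `tempfile.mkstemp(dir=work)`, which combines a random name with the same exclusive-create semantics.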
Other than that, the SpamAssassin Rule Actions have been improved
slightly, in that the "header" action can now contain the magic word
"_TO_" which will be replaced by a list of all the original message
recipients, very useful if you don't deliver the message but instead
forward it to someone else for checking.
TNEF has been upgraded to 1.4.5.
Download as usual from www.mailscanner.info.
The full Change Log is this:
* New Features and Improvements *
1 Patch added to ClamAV & SpamAssassin easy-to-install package to make
Mail::ClamAV Perl module handle ClamAV 0.94 correctly.
Thanks to Steve Barber for telling me about this fix.
7 Upgraded to tnef 1.4.5.
9 The Spam Actions and its pals may now contain the "header" action with the
special keyword "_TO_" anywhere in the header value. This will be
replaced by a comma-separated list of the original recipients of the message.
I wrote this for when I divert a message to the postmaster when it's
as spam, for example. Then you can put
Spam Actions = store forward postmaster at ecs.soton.ac.uk header
ere: Sent to _TO_"
I don't always want to include the list of recipients in the headers, as
others object to their privacy being violated by everyone receiving
list of recipients, so I can't use the "Add Envelope To Header". I *only*
want to add this information to spam messages, so I know to whom they
11 Another check to ensure it doesn't chmod /tmp on misconfigured systems.
* Fixes *
2 Major work on removing symlink attack vulnerabilities affecting
Note: This vulnerability only affected systems where normal
could log in to the system, or create arbitrary symlinks in your
So the ISP-style setups were never vulnerable, as they didn't allow
users to login or allow people to arbitrarily create symlinks in the
2 Removed symlink attack vulnerabilities in SpamAssassin and tnef handlers.
6-2 Re-release to fix filesize problems.
7-2 Added missing "use" statement to WorkArea.pm.
7-3 Added missing tnef to Other Unix tarball distribution.
Linux distributions unchanged.
8 Minor fix in handling of complicated "SpamAssassin Rule Actions".
10 Fixes for Locks creation bugs from Jeff Earickson. Non-RPM distribution
should work rather better now.
12 Tiny (but important) fix to mcafee-autoupdate so that it will work
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc