Posted to commits@spamassassin.apache.org by jm...@apache.org on 2006/06/07 12:53:26 UTC

svn commit: r412363 - in /spamassassin/site/advisories: ./ cve-2006-2447.txt

Author: jm
Date: Wed Jun  7 03:53:26 2006
New Revision: 412363

URL: http://svn.apache.org/viewvc?rev=412363&view=rev
Log:
added vendor advisory info to our site

Added:
    spamassassin/site/advisories/
    spamassassin/site/advisories/cve-2006-2447.txt

Added: spamassassin/site/advisories/cve-2006-2447.txt
URL: http://svn.apache.org/viewvc/spamassassin/site/advisories/cve-2006-2447.txt?rev=412363&view=auto
==============================================================================
--- spamassassin/site/advisories/cve-2006-2447.txt (added)
+++ spamassassin/site/advisories/cve-2006-2447.txt Wed Jun  7 03:53:26 2006
@@ -0,0 +1,46 @@
+
+
+This is a heads-up on a remote command-execution vulnerability in
+Apache SpamAssassin, affecting versions 2.5x, 2.6x, 3.0.x, 3.1.x, and
+SVN trunk.  It has been assigned CVE-2006-2447, or bug 4926 in the SA
+bugzilla.  Details:
+
+- It only affects systems where spamd is used with vpopmail virtual
+  users, via the "-v" / "--vpopmail" switch, AND with the "-P" /
+  "--paranoid" switch. This is not default on any distro package, and
+  is not a common configuration. You are only vulnerable if *both* of
+  those switches are in use. Removing the "-P" / "--paranoid" switch
+  is an effective workaround with no significant side-efects.
+
+- It is a remote exploit on the spamd port, allowing attackers to
+  execute a command as the user spamd runs as if that is not root, or
+  as the user specified by the "-u" / "--username" option if spamd is
+  run as root
+
+- However, it provides a remote-root hole if spamd is run as root and
+  there is no "-u" / "--username" switch specified. This, again, is
+  less common, since this is defined as an unsupported configuration
+  in the spamd documentation.
+
+- If the spamd "-A" / "--allowed-ips" switch is used to restrict the
+  IP addresses allowed to access spamd, the exploit cannot be
+  performed from outside those ranges.
+
+- If the spamd "-A" / "--allowed-ips" switch is NOT used, the exploit
+  can only be performed from localhost [127.0.0.1].
+
+
+Workaround: remove the "-P" / "--paranoid" switch.  This avoids the
+bug entirely and has no significant noticeable side-effects.
+
+
+Fix: Fixed packages have been released as SpamAssassin 3.0.6 (for the
+3.0.x maintainance line) and SpamAssassin 3.1.3. 
+
+Further info: mail <security at SpamAssassin.apache.org>
+Announced: Jun 1 19:58 UTC
+Corrected: June 5, 15:00 UTC
+Affects: all versions before the correction date, after 2.50
+Credit: discovery of this vulnerability credited to Radoslaw Zielinski
+        <radek at pld-linux dot org>.
+
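Review bot: The "Announced:" and "Corrected:" lines near the end carry no year and use two different date formats ("Jun 1 19:58 UTC" and "June 5, 15:00 UTC"), and the "Affects:" line defines the affected range by that undated "correction date". For a file that will sit on the site permanently, suggest writing both dates in full with the year, and restating the affected versions on the "Affects:" line in the same terms as the opening paragraph (2.5x, 2.6x, 3.0.x, 3.1.x and SVN trunk, fixed in 3.0.6 and 3.1.3). Two spelling fixes while here: "side-efects" in the first bullet should be "side-effects", and "maintainance" in the Fix paragraph should be "maintenance". The second bullet ("execute a command as the user spamd runs as if that is not root, or as the user specified by ...") is hard to parse and lacks a closing period; splitting it into the non-root case and the root-with-"-u" case would read more clearly.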