Posted to commits@spamassassin.apache.org by jm...@apache.org on 2006/06/07 12:53:26 UTC
svn commit: r412363 - in /spamassassin/site/advisories: ./ cve-2006-2447.txt
Author: jm
Date: Wed Jun 7 03:53:26 2006
New Revision: 412363
URL: http://svn.apache.org/viewvc?rev=412363&view=rev
Log:
added vendor advisory info to our site
Added:
spamassassin/site/advisories/
spamassassin/site/advisories/cve-2006-2447.txt
Added: spamassassin/site/advisories/cve-2006-2447.txt
URL: http://svn.apache.org/viewvc/spamassassin/site/advisories/cve-2006-2447.txt?rev=412363&view=auto
==============================================================================
--- spamassassin/site/advisories/cve-2006-2447.txt (added)
+++ spamassassin/site/advisories/cve-2006-2447.txt Wed Jun 7 03:53:26 2006
@@ -0,0 +1,46 @@
+
+
+This is a heads-up on a remote command-execution vulnerability in
+Apache SpamAssassin, affecting versions 2.5x, 2.6x, 3.0.x, 3.1.x, and
+SVN trunk. It has been assigned CVE-2006-2447, or bug 4926 in the SA
+bugzilla. Details:
+
+- It only affects systems where spamd is used with vpopmail virtual
+ users, via the "-v" / "--vpopmail" switch, AND with the "-P" /
+ "--paranoid" switch. This is not default on any distro package, and
+ is not a common configuration. You are only vulnerable if *both* of
+ those switches are in use. Removing the "-P" / "--paranoid" switch
+ is an effective workaround with no significant side-efects.
+
+- It is a remote exploit on the spamd port, allowing attackers to
+ execute a command as the user spamd runs as if that is not root, or
+ as the user specified by the "-u" / "--username" option if spamd is
+ run as root
+
+- However, it provides a remote-root hole if spamd is run as root and
+ there is no "-u" / "--username" switch specified. This, again, is
+ less common, since this is defined as an unsupported configuration
+ in the spamd documentation.
+
+- If the spamd "-A" / "--allowed-ips" switch is used to restrict the
+ IP addresses allowed to access spamd, the exploit cannot be
+ performed from outside those ranges.
+
+- If the spamd "-A" / "--allowed-ips" switch is NOT used, the exploit
+ can only be performed from localhost [127.0.0.1].
+
+
+Workaround: remove the "-P" / "--paranoid" switch. This avoids the
+bug entirely and has no significant noticeable side-effects.
+
+
+Fix: Fixed packages have been released as SpamAssassin 3.0.6 (for the
+3.0.x maintainance line) and SpamAssassin 3.1.3.
+
+Further info: mail <security at SpamAssassin.apache.org>
+Announced: Jun 1 19:58 UTC
+Corrected: June 5, 15:00 UTC
+Affects: all versions before the correction date, after 2.50
+Credit: discovery of this vulnerability credited to Radoslaw Zielinski
+ <radek at pld-linux dot org>.
+
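Review bot: The "Announced: Jun 1 19:58 UTC" and "Corrected: June 5, 15:00 UTC" lines near the end carry no year and use two different date formats, and "Affects: all versions before the correction date, after 2.50" depends on them, so a reader who finds this file on the site later cannot tell which releases are meant without cross-checking the version list in the first paragraph. Suggest writing both dates in one format with the year included, and having the Affects line repeat the version lines named at the top (2.5x, 2.6x, 3.0.x, 3.1.x, SVN trunk) alongside the fixed releases 3.0.6 and 3.1.3. Smaller points in the same hunk: "side-efects" in the first bullet and "maintainance" in the Fix paragraph are misspelled, the second bullet ends at "run as root" without a closing period, the workaround is stated twice with slightly different wording ("no significant side-efects" vs. "no significant noticeable side-effects"), and the file opens with two blank lines where a title line naming CVE-2006-2447 would help.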