Posted to users@spamassassin.apache.org by Todd N <to...@yahoo.com> on 2008/05/03 01:49:47 UTC
Spamassassin 3.1.1 and latest Fedora Perl update
Hello,
Recently, on 4/30/2008, Perl update 5.8.8-39 for Fedora was released which addresses the following:
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1927 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927> to the following vulnerability: Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.
We are using Spamassassin 3.1.1. It is urgent that I find out whether this update is relevant to our environment. Is Spamassassin vulnerable to the issue that this update addresses? Any answers would be greatly appreciated.
Thanks,
Todd
Re: Spamassassin 3.1.1 and latest Fedora Perl update
Posted by John Hardin <jh...@impsec.org>.
On Fri, 2 May 2008, Todd N wrote:
> Double free vulnerability in Perl 5.8.8 allows context-dependent
> attackers to cause a denial of service (memory corruption and crash)
> via a crafted regular expression containing UTF8 characters.
>
> We are using Spamassassin 3.1.1. It is urgent that I find out whether
> this update is relevant to our environment. Is Spamassassin vulnerable
> to the issue that this update addresses? Any answers would be greatly
> appreciated.
Not likely. SA doesn't interpret REs in the message, so how would an
attacker submit a malicious RE?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Usually Microsoft doesn't develop products, we buy products.
-- Arno Edelmann, Microsoft product manager
-----------------------------------------------------------------------
6 days until the 63rd anniversary of VE day