Posted to users@spamassassin.apache.org by Todd N <to...@yahoo.com> on 2008/05/03 01:49:47 UTC

Spamassassin 3.1.1 and latest Fedora Perl update

Hello,
   
  Recently, on 4/30/2008, Perl update 5.8.8-39 for Fedora was released which addresses the following:
   
  Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1927 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927> to the following vulnerability: Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.
   
  We are using Spamassassin 3.1.1.  It is urgent that I find out whether this update is relevant to our environment.  Is Spamassassin vulnerable to the issue that this update addresses?  Any answers would be greatly appreciated.
   
  Thanks,
  Todd

       

Re: Spamassassin 3.1.1 and latest Fedora Perl update

Posted by John Hardin <jh...@impsec.org>.
On Fri, 2 May 2008, Todd N wrote:

>  Double free vulnerability in Perl 5.8.8 allows context-dependent
>  attackers to cause a denial of service (memory corruption and crash)
>  via a crafted regular expression containing UTF8 characters.
>
>  We are using Spamassassin 3.1.1.  It is urgent that I find out whether
>  this update is relevant to our environment.  Is Spamassassin vulnerable
>  to the issue that this update addresses?  Any answers would be greatly
>  appreciated.

Not likely. SA doesn't interpret REs in the message, so how would an 
attacker submit a malicious RE?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Usually Microsoft doesn't develop products, we buy products.
                           -- Arno Edelmann, Microsoft product manager
-----------------------------------------------------------------------
  6 days until the 63rd anniversary of VE day