Posted to users@spamassassin.apache.org by Tuyen DINH <tu...@laposte.net> on 2005/06/24 19:45:52 UTC

is Spamassassin 3.0.0 vulnerable to the latest Denial of Service Vulnerability ?

Hello,

According to the latest announcement, SpamAssassin from version 3.0.1 to
3.0.3 is subject to a Denial of Service Vulnerability.

This French advisory says it concerns versions prior to 3.0.3.
http://www.certa.ssi.gouv.fr/site/CERTA-2005-AVI-225/index.html


So is Spamassassin 3.0.0 vulnerable ?

My version :
$ cat /etc/mandrake-release
Mandrakelinux release 10.1 (Official) for i586
$ rpm -q spamassassin
spamassassin-3.0.0-1mdk


Regards.


Re: is Spamassassin 3.0.0 vulnerable to the latest Denial of Service Vulnerability ?

Posted by jdow <jd...@earthlink.net>.
From: "Matt Kettler" <mk...@evi-inc.com>
> Theo Van Dinter wrote:
> > On Fri, Jun 24, 2005 at 07:45:52PM +0200, Tuyen DINH wrote:
> >
> >>According to the latest announcement, SpamAssassin from version 3.0.1 to
> >>3.0.3 is subject to a Denial of Service Vulnerability.
> >>
> >>So is Spamassassin 3.0.0 vulnerable ?
> >
> >
> > Is 3.0.0 between 3.0.1 and 3.0.3 ?  ;)
> >
>
> I think the intent was to confirm this vulnerability really did only affect
> 3.0.1-3.0.3 and was not a typo.
>
> AFAIK there are only 3 semi-recent SA versions with no DoS vulnerabilities:
>
> 3.0.4
> 3.0.0
> 2.64
>
> 3.0.3-3.0.1 are vulnerable to CAN-2005-1266
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
>
> 2.63-2.50 are vulnerable to CAN-2004-0796
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796
>
> I can't tell you about any pre 2.50 DoS'es as I don't keep track of them that
> far back :)

Besides, 3.0.0 is a DoS attack on itself, isn't it?

{O,o}    <- crazed



Re: is Spamassassin 3.0.0 vulnerable to the latest Denial of Service Vulnerability ?

Posted by Matt Kettler <mk...@evi-inc.com>.
Theo Van Dinter wrote:
> On Fri, Jun 24, 2005 at 07:45:52PM +0200, Tuyen DINH wrote:
> 
>>According to the latest announcement, SpamAssassin from version 3.0.1 to
>>3.0.3 is subject to a Denial of Service Vulnerability.
>>
>>So is Spamassassin 3.0.0 vulnerable ?
> 
> 
> Is 3.0.0 between 3.0.1 and 3.0.3 ?  ;)
> 

I think the intent was to confirm this vulnerability really did only affect
3.0.1-3.0.3 and was not a typo.

AFAIK there are only 3 semi-recent SA versions with no DoS vulnerabilities:

3.0.4
3.0.0
2.64

3.0.3-3.0.1 are vulnerable to CAN-2005-1266
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266

2.63-2.50 are vulnerable to CAN-2004-0796
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796

I can't tell you about any pre 2.50 DoS'es as I don't keep track of them that
far back :)
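
[Added example, not part of the original message or of SpamAssassin: a check of `rpm -q spamassassin` output against the two affected ranges listed in the message above. The function names are illustrative, and every package string other than the poster's spamassassin-3.0.0-1mdk is constructed.]

```python
import re

# Affected upstream ranges exactly as listed in the message above (inclusive).
AFFECTED = [
    ("CAN-2005-1266", (3, 0, 1), (3, 0, 3)),
    ("CAN-2004-0796", (2, 50), (2, 63)),
]


def upstream_version(pkg):
    """Return the upstream version tuple from a name-version-release string
    such as 'spamassassin-3.0.0-1mdk'."""
    m = re.fullmatch(r"spamassassin-(\d+(?:\.\d+)*)-\S+", pkg.strip())
    if not m:
        raise ValueError(f"unrecognised package string: {pkg!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def pad(version, width=3):
    """Pad with zeros so that 2.63 and 3.0.0 compare component by component."""
    return tuple(version) + (0,) * (width - len(version))


def advisories_for(pkg):
    """List the advisory IDs whose affected range contains this package."""
    v = pad(upstream_version(pkg))
    return [cve for cve, lo, hi in AFFECTED if pad(lo) <= v <= pad(hi)]


if __name__ == "__main__":
    # First entry is the poster's package; the others are constructed samples.
    for pkg in ("spamassassin-3.0.0-1mdk", "spamassassin-3.0.2-1mdk",
                "spamassassin-2.63-1mdk", "spamassassin-3.0.4-1mdk"):
        hits = advisories_for(pkg)
        print(pkg, "->", ", ".join(hits) if hits else "not in a listed range")
```

The check compares the upstream version only; the release field (1mdk here), where a distribution may carry backported fixes, is ignored.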




Re: is Spamassassin 3.0.0 vulnerable to the latest Denial of Service Vulnerability ?

Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Jun 24, 2005 at 07:45:52PM +0200, Tuyen DINH wrote:
> According to the latest announcement, SpamAssassin from version 3.0.1 to
> 3.0.3 is subject to a Denial of Service Vulnerability.
> 
> So is Spamassassin 3.0.0 vulnerable ?

Is 3.0.0 between 3.0.1 and 3.0.3 ?  ;)

-- 
Randomly Generated Tagline:
"Brevity is the soul of lingerie." - Dorothy Parker