Posted to users@spamassassin.apache.org by Matt Kettler <mk...@comcast.net> on 2005/07/02 18:13:00 UTC

reminder: remote DoS vulnerability for those 2.50 through 2.63, 3.0.1-3.0.3

Since SOOO many people are still running 2.63, I figured a little reminder 
notice was in order.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796

If you are running any of these versions, a remote attacker can DoS your 
spamassassin system by sending you a carefully constructed message with 
some particular malformed mime sections.

If you're on 2.6x and are not ready to go to 3.x, or can't due to perl 
versions, at least upgrade to 2.64 to protect yourself from DoS attacks. 
The upgrade to 2.64 involves no bayes conversion, no added requirements and 
no syntax changes.

The only hitch in upgrading to 2.64 is if you use Mail::SpamCopURI you'll 
have to remove the spamcop_uri.cf file before the upgrade, and re-install 
Mail::SpamCopURI after upgrading SA. (and it's a good opportunity to get 
the latest Mail::SpamCopURI if you don't have that).

If you're ready to take the leap to 3.0.x, or are already on 3.0.x, at this 
time I'd suggest 3.0.4. 3.0.0 is a little rough around the edges, and 
3.0.1-3.0.3 have a different DoS vulnerability.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266

When upgrading from 2.6x to 3.0.x be sure to read the Upgrade file first, 
as there are some new prerequisites and some syntax changes:
http://svn.apache.org/repos/asf/spamassassin/branches/3.0/UPGRADE


I know of no exploitation of either DoS in the wild, but I would suggest 
upgrading before someone figures it out and does start abusing it. (I quite 
frankly am surprised nobody has done so yet.)
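As an added example, not part of the original mail: a small Python check that maps a SpamAssassin version string (as printed by `spamassassin -V`, assumed to be of the form "SpamAssassin version N") onto the two affected ranges the post names, 2.50 through 2.63 (CAN-2004-0796) and 3.0.1 through 3.0.3 (CAN-2005-1266), and reports the upgrade target the post recommends. The version-output lines used as input are constructed.

```python
"""Map a SpamAssassin version onto the two DoS advisories in the post above.
Added example, not from the original mail. Sample `spamassassin -V` output
lines below are constructed; the ranges and fixed versions come from the post.
"""
import re

# (advisory, inclusive low, inclusive high, recommended upgrade) per the post.
# 2.x releases are numbered 2.50 .. 2.64, so (2, 63) compares correctly as a
# tuple; 3.x releases carry a third component.
AFFECTED = [
    ("CAN-2004-0796", (2, 50), (2, 63), "2.64"),
    ("CAN-2005-1266", (3, 0, 1), (3, 0, 3), "3.0.4"),
]


def parse_version(text):
    """Pull the first dotted version out of `spamassassin -V` output (or a bare
    version string) and return it as a tuple of ints for ordered comparison."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def check_version(text):
    """Return (version_tuple, advisory) where advisory is a dict naming the
    matching advisory and the upgrade the post recommends, or None when the
    version lies outside both affected ranges."""
    version = parse_version(text)
    for cve, low, high, fixed in AFFECTED:
        if low <= version <= high:
            return version, {"cve": cve, "upgrade_to": fixed}
    return version, None


if __name__ == "__main__":
    # Constructed samples standing in for real `spamassassin -V` output.
    samples = [
        "SpamAssassin version 2.63",
        "SpamAssassin version 3.0.2\n  running on Perl version 5.8.6",
        "SpamAssassin version 3.0.4\n  running on Perl version 5.8.6",
    ]
    for out in samples:
        version, advisory = check_version(out)
        label = ".".join(str(p) for p in version)
        if advisory:
            print("%s: affected by %s, upgrade to %s"
                  % (label, advisory["cve"], advisory["upgrade_to"]))
        else:
            print("%s: not in either affected range" % label)
```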