Posted to users@spamassassin.apache.org by Matt Kettler <mk...@comcast.net> on 2005/07/02 18:13:00 UTC
reminder: remote DoS vulnerability for those 2.50 through 2.63, 3.0.1-3.0.3
Since SOOO many people are still running 2.63, I figured a little reminder
notice was in order.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796
If you are running any of these versions, a remote attacker can DoS your
spamassassin system by sending you a carefully constructed message with
some particular malformed mime sections.
If you're on 2.6x and are not ready to go to 3.x, or can't due to perl
versions, at least upgrade to 2.64 to protect yourself from DoS attacks.
The upgrade to 2.64 involves no bayes conversion, no added requirements and
no syntax changes.
The only hitch in upgrading to 2.64 is if you use Mail::SpamCopURI you'll
have to remove the spamcop_uri.cf file before the upgrade, and re-install
Mail::SpamCopURI after upgrading SA. (and it's a good opportunity to get
the latest Mail::SpamCopURI if you don't have that).
If you're ready to take the leap to 3.0.x, or are already on 3.0.x, at this
time I'd suggest 3.0.4. 3.0.0 is a little rough around the edges, and
3.0.1-3.0.3 have a different DoS vulnerability.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
When upgrading from 2.6x to 3.0.x be sure to read the Upgrade file first,
as there are some new prerequisites and some syntax changes:
http://svn.apache.org/repos/asf/spamassassin/branches/3.0/UPGRADE
I know of no exploitation of either DoS in the wild, but I would suggest
upgrading before someone figures it out and does start abusing it. (I quite
frankly am surprised nobody has done so yet.)
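As an added check that is not part of Matt's post, here is a POSIX sh function that tells which of the two advisories a given SpamAssassin version string falls under, using only the version ranges the post lists; the sample versions in the comments and test are constructed, and the suggestion to feed it the output of `spamassassin --version` is an assumption about that command's format.

```shell
#!/bin/sh
# Added example, not from the original post: classify a SpamAssassin version
# string against the two DoS advisories the post cites.
#   CAN-2004-0796: 2.50 through 2.63 (fixed in 2.64)
#   CAN-2005-1266: 3.0.1 through 3.0.3 (fixed in 3.0.4)
# Prints "CAN-2004-0796", "CAN-2005-1266" or "not-affected"; the exit status
# is non-zero when the version is affected, so the function works in an `if`.

# Keep only the leading digits of a version component; empty becomes 0.
num() {
    n=$(printf '%s' "$1" | sed 's/[^0-9].*$//')
    printf '%s' "${n:-0}"
}

sa_dos_status() {
    ver=$1
    major=$(num "${ver%%.*}")
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then
        # No dot at all (e.g. "3"): treat as X.0.0
        minor=0; patch=0
    else
        minor=$(num "${rest%%.*}")
        tail=${rest#*.}
        # Two-component versions such as "2.63" have no patch level.
        if [ "$tail" = "$rest" ]; then patch=0; else patch=$(num "$tail"); fi
    fi
    case "$major" in
        2)
            # 2.x releases carry two components: 2.50 .. 2.63 are affected.
            if [ "$minor" -ge 50 ] && [ "$minor" -le 63 ]; then
                echo "CAN-2004-0796"; return 1
            fi ;;
        3)
            # 3.0.1 .. 3.0.3 are affected; 3.0.0 and 3.0.4 onward are not.
            if [ "$minor" -eq 0 ] && [ "$patch" -ge 1 ] && [ "$patch" -le 3 ]; then
                echo "CAN-2005-1266"; return 1
            fi ;;
    esac
    echo "not-affected"
    return 0
}

# Constructed usage: pass the version your installation reports, for example
#   sa_dos_status "$(spamassassin --version | awk '{print $3}')"   (assumed format)
if [ "$#" -gt 0 ]; then sa_dos_status "$1"; fi
```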