Posted to dev@spamassassin.apache.org by Daniel Quinlan <qu...@pathname.com> on 2005/06/15 22:00:46 UTC

Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3

Apache SpamAssassin 3.0.4 was recently released [0], and fixes a denial
of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3.  The
vulnerability allows certain misformatted long message headers to cause
spam checking to take a very long time.

While the exploit has yet to be seen in the wild, we are concerned that
there may be attempts to abuse the vulnerability in the future.
Therefore, we strongly recommend all users of these versions upgrade to
Apache SpamAssassin 3.0.4 as soon as possible.

This issue has been assigned CVE id CAN-2005-1266 [1].

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org.  For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[0]: http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200506.mbox/%3c20050606223631.GG11538@kluge.net%3e

[1]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
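Two defensive checks an operator might script around the advisory above, added here as an example rather than code from the advisory or the SpamAssassin project: a version test against the affected range, and a bound on scan time plus a pre-scan look at header size so one pathological message cannot tie up a scanner. The thresholds MAX_HEADER_LEN and MAX_CONT_LINES and the sample messages are constructed assumptions, not values from the advisory.

```python
import subprocess

AFFECTED = {(3, 0, 1), (3, 0, 2), (3, 0, 3)}   # versions named in the advisory
MAX_HEADER_LEN = 8192    # assumed local limit on one unfolded header field (bytes)
MAX_CONT_LINES = 200     # assumed local limit on folded continuation lines per field

def parse_version(ver):
    """'3.0.2' -> (3, 0, 2); extra components beyond three are ignored."""
    return tuple(int(p) for p in ver.strip().split(".")[:3])

def is_affected(ver):
    """True only for the 3.0.1-3.0.3 range the advisory lists."""
    return parse_version(ver) in AFFECTED

def header_stats(raw):
    """Scan just the header block (up to the first blank line) and return
    (longest unfolded field in bytes, most continuation lines in one field).
    Works on raw bytes so the check itself stays cheap on malformed input."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    longest = cont_max = cur_len = cur_cont = 0
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t"):          # folded continuation of current field
            cur_len += len(line)
            cur_cont += 1
        else:                                   # a new header field starts here
            longest, cont_max = max(longest, cur_len), max(cont_max, cur_cont)
            cur_len, cur_cont = len(line), 0
    return max(longest, cur_len), max(cont_max, cur_cont)

def needs_bounded_scan(raw):
    """Flag messages whose headers are unusually large so they can be logged
    and routed through the time-limited scan path instead of the normal one."""
    longest, conts = header_stats(raw)
    return longest > MAX_HEADER_LEN or conts > MAX_CONT_LINES

def scan_with_timeout(raw, timeout=30):
    """Run spamc (assumed installed, -E sets exit code 1 for spam) under a hard
    wall-clock bound; returns the exit code, or None if the bound was hit."""
    try:
        r = subprocess.run(["spamc", "-E"], input=raw, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None   # caller decides: log, defer, or deliver unscanned per local policy
    return r.returncode

# Constructed samples: an ordinary message and one with an excessively folded header.
NORMAL_MSG = b"From: a@example.test\nSubject: hi\n\nbody\n"
FOLDED_MSG = b"Subject: x\n" + b"\tpadding\n" * 300 + b"\nbody\n"
```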

Re: Upgrade/install over earlier version

Posted by Kai Schaetzl <ma...@conactive.com>.
Dr Robert Young wrote on Wed, 15 Jun 2005 17:39:04 -0400:

> Should the new version 
> go "on top" of the older one, or as a separate product install? Any 
> issues one should be aware of?

You can just upgrade. But read the upgrade instructions, several options 
have been removed/added. Also, there were problems with spamd, because of 
the pre-forking spamd starts up more instances and uses more resources. I 
don't know if they have been resolved yet, I haven't upgraded our spamd 
installations because of this, only the MailScanner installations.  There 
were also reports about failing Bayes db conversions. We didn't have a 
problem with that. I recommend checking this mailing list for older 
postings about upgrades.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

Re: Upgrade/install over earlier version

Posted by Matt Kettler <mk...@comcast.net>.
At 05:39 PM 6/15/2005, Dr Robert Young wrote:
>Does anyone have information on the installation/upgrade of V3 of 
>Spamassassin, on a system already running V2?  Should the new version go 
>"on top" of the older one, or as a separate product install?

Yep. Just install directly on top of the old one.

>  Any issues one should be aware of?

There are some config options, and SA 3.0.0 requires perl 5.6.1 or higher. 
SA 2.6x would run on perl 5.005.

See the UPGRADE document in the tarball for more details.

There's a version on the website too, but be sure to quickly check the one 
in the tarball before installing.

http://svn.apache.org/repos/asf/spamassassin/branches/3.0/UPGRADE

And the wiki:

http://wiki.apache.org/spamassassin/UpgradeTo300

Re: Upgrade/install over earlier version

Posted by Rakesh <ra...@netcore.co.in>.
Dr Robert Young wrote:

> Does anyone have information on the installation/upgrade of V3 of 
> Spamassassin, on a system already running V2?  Should the new version 
> go "on top" of the older one, or as a separate product install? Any 
> issues one should be aware of?
>
> I am installing on RedHat 6.2 and using a fairly recent version (last 
> 2 yrs) of sendmail (I'll have to look it up for the precise version if 
> that matters).
>
http://svn.apache.org/repos/asf/spamassassin/branches/3.0/UPGRADE

Rakesh

----------------------------------------------------------
Netcore Solutions Pvt. Ltd.
Website:  http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
----------------------------------------------------------

Upgrade/install over earlier version

Posted by Dr Robert Young <rc...@aliconsultants.com>.
Does anyone have information on the installation/upgrade of V3 of 
Spamassassin, on a system already running V2?  Should the new version 
go "on top" of the older one, or as a separate product install? Any 
issues one should be aware of?

I am installing on RedHat 6.2 and using a fairly recent version (last 2 
yrs) of sendmail (I'll have to look it up for the precise version if 
that matters).