Posted to users@spamassassin.apache.org by Daniel Quinlan <qu...@pathname.com> on 2005/06/15 22:00:46 UTC
Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3
Apache SpamAssassin 3.0.4 was recently released [0], and fixes a denial
of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The
vulnerability allows certain misformatted long message headers to cause
spam checking to take a very long time.
While the exploit has yet to be seen in the wild, we are concerned that
there may be attempts to abuse the vulnerability in the future.
Therefore, we strongly recommend all users of these versions upgrade to
Apache SpamAssassin 3.0.4 as soon as possible.
This issue has been assigned CVE id CAN-2005-1266 [1].
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[0]: http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200506.mbox/%3c20050606223631.GG11538@kluge.net%3e
[1]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
Re: Upgrade/install over earlier version
Posted by Kai Schaetzl <ma...@conactive.com>.
Dr Robert Young wrote on Wed, 15 Jun 2005 17:39:04 -0400:
> Should the new version
> go "on top" of the older one, or as a separate product install? Any
> issues one should be aware of?
You can just upgrade. But read the upgrade instructions; several options
have been removed/added. Also, there were problems with spamd, because with
pre-forking spamd starts up more instances and uses more resources. I
don't know if they have been resolved yet, I haven't upgraded our spamd
installations because of this, only the MailScanner installations. There
were also reports about failing Bayes db conversions. We didn't have a
problem with that. I recommend checking this mailing list for older
postings about upgrades.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: Upgrade/install over earlier version
Posted by Matt Kettler <mk...@comcast.net>.
At 05:39 PM 6/15/2005, Dr Robert Young wrote:
>Does anyone have information on the installation/upgrade of V3 of
>Spamassassin, on a system already running V2? Should the new version go
>"on top" of the older one, or as a separate product install?
Yep. Just install directly on top of the old one.
> Any issues one should be aware of?
There are some config options, and SA 3.0.0 requires perl 5.6.1 or higher.
SA 2.6x would run on perl 5.005.
See the UPGRADE document in the tarball for more details.
There's a version on the website too, but be sure to quickly check the one
in the tarball before installing.
http://svn.apache.org/repos/asf/spamassassin/branches/3.0/UPGRADE
And the wiki:
http://wiki.apache.org/spamassassin/UpgradeTo300
Re: Upgrade/install over earlier version
Posted by Rakesh <ra...@netcore.co.in>.
Dr Robert Young wrote:
> Does anyone have information on the installation/upgrade of V3 of
> Spamassassin, on a system already running V2? Should the new version
> go "on top" of the older one, or as a separate product install? Any
> issues one should be aware of?
>
> I am installing on RedHat 6.2 and using a fairly recent version (last
> 2 yrs) of sendmail (I'll have to look it up for the precise version if
> that matters).
>
http://svn.apache.org/repos/asf/spamassassin/branches/3.0/UPGRADE
Rakesh
----------------------------------------------------------
Netcore Solutions Pvt. Ltd.
Website: http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
----------------------------------------------------------
Upgrade/install over earlier version
Posted by Dr Robert Young <rc...@aliconsultants.com>.
Does anyone have information on the installation/upgrade of V3 of
Spamassassin, on a system already running V2? Should the new version
go "on top" of the older one, or as a separate product install? Any
issues one should be aware of?
I am installing on RedHat 6.2 and using a fairly recent version (last 2
yrs) of sendmail (I'll have to look it up for the precise version if
that matters).