You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Matt Kettler <mk...@evi-inc.com> on 2006/04/13 20:45:48 UTC
Re:
Daniel Madaoui wrote:
<snip>
> So I restart the spamd daemon whith this options
>
> /usr/local/bin/spamd -d -m10 -u spamassassin ( spamassassin in an user
> with its directory /home/spamassassin/.spamassassin )
>
> He try to use the .spamassassin directory who belong to root
> (/root/.spamssassin/ )
Known bug, fixed in SA 3.1.0 and higher.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3900
Also be aware that unless your source has back ported fixes, SA 3.0.3 is
vulnerable to a two different DoS attacks triggered by sending it a specially
crafted messages.
3.0.4, possibly older versions: "many to: headers" DoS vulnerability
http://secunia.com/advisories/17386/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351
3.0.1-3.0.3: malformed message with long headers DoS
http://secunia.com/advisories/15704/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
Re: Re:
Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Apr 14, 2006 at 12:36:40PM +0200, Daniel Madaoui wrote:
> >>/usr/local/bin/spamd -d -m10 -u spamassassin ( spamassassin in an
> >>user with its directory /home/spamassassin/.spamassassin )
> >>He try to use the .spamassassin directory who belong to root
> >>(/root/.spamssassin/ )
> I installed the version 3.1.1 but I've got the same comportement. It
> 's not use the /home/spamassassin/.spamassassin directory for bayes
> and auto-whitelist
Just because you used "-u spamassassin" doesn't mean that all access
will be to the spamassassin user's home directory. Unless you disable
per-user configs and/or configure paths for things like bayes, etc, to
be in a publically accessible location, SpamAssassin will still try to
access the calling user's home directory (which will very likely fail
since you're running spamd -u).
--
Randomly Generated Tagline:
If your happy and you know it clap your hams.
Re: Re:
Posted by Daniel Madaoui <da...@logilune.com>.
Le 13 avr. 06 à 20:45, Matt Kettler a écrit :
> Daniel Madaoui wrote:
> <snip>
>> So I restart the spamd daemon whith this options
>>
>> /usr/local/bin/spamd -d -m10 -u spamassassin ( spamassassin in an
>> user
>> with its directory /home/spamassassin/.spamassassin )
>>
>> He try to use the .spamassassin directory who belong to root
>> (/root/.spamssassin/ )
>
> Known bug, fixed in SA 3.1.0 and higher.
I installed the version 3.1.1 but I've got the same comportement. It
's not use the /home/spamassassin/.spamassassin directory for bayes
and auto-whitelist
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3900
>
> Also be aware that unless your source has back ported fixes, SA
> 3.0.3 is
> vulnerable to a two different DoS attacks triggered by sending it a
> specially
> crafted messages.
>
> 3.0.4, possibly older versions: "many to: headers" DoS vulnerability
> http://secunia.com/advisories/17386/
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351
>
> 3.0.1-3.0.3: malformed message with long headers DoS
> http://secunia.com/advisories/15704/
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266