Posted to users@spamassassin.apache.org by Matt Kettler <mk...@evi-inc.com> on 2006/04/13 20:45:48 UTC

Re:

Daniel Madaoui wrote:
<snip>
> So I restart the spamd daemon with these options
> 
> /usr/local/bin/spamd -d -m10  -u spamassassin ( spamassassin is a user
> with its directory /home/spamassassin/.spamassassin )
> 
> It tries to use the .spamassassin directory which belongs to root
> (/root/.spamssassin/ )

Known bug, fixed in SA 3.1.0 and higher.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3900

Also be aware that unless your source has back ported fixes, SA 3.0.3 is
vulnerable to two different DoS attacks triggered by sending it specially
crafted messages.

3.0.4, possibly older versions: "many to: headers" DoS vulnerability
	http://secunia.com/advisories/17386/
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351

3.0.1-3.0.3: malformed message with long headers DoS
	http://secunia.com/advisories/15704/
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266


Re: Re:

Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Apr 14, 2006 at 12:36:40PM +0200, Daniel Madaoui wrote:
> >>/usr/local/bin/spamd -d -m10  -u spamassassin ( spamassassin is a
> >>user with its directory /home/spamassassin/.spamassassin )
> >>It tries to use the .spamassassin directory which belongs to root
> >>(/root/.spamssassin/ )
> I installed version 3.1.1 but I've got the same behaviour. It's
> not using the /home/spamassassin/.spamassassin directory for bayes
> and auto-whitelist

Just because you used "-u spamassassin" doesn't mean that all access
will be to the spamassassin user's home directory.  Unless you disable
per-user configs and/or configure paths for things like bayes, etc, to
be in a publicly accessible location, SpamAssassin will still try to
access the calling user's home directory (which will very likely fail
since you're running spamd -u).

-- 
Randomly Generated Tagline:
If your happy and you know it clap your hams.
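
The two options named in the reply above (disable per-user configs, and give bayes and auto-whitelist explicit paths), written out as a site-wide configuration. This is an added example, not part of the original thread; the local.cf location and the /var/spamassassin directory are assumptions, and the directory is restricted to the dedicated spamassassin user rather than opened to everyone.

```conf
# Site-wide local.cf (location assumed: /etc/mail/spamassassin/local.cf).
# /var/spamassassin is an assumed directory, created beforehand and owned
# by the user given to "spamd -u" (here: spamassassin), mode 0700.

# Before: nothing set. Bayes and auto-whitelist default to
# ~/.spamassassin/ of the calling user, e.g. /root/.spamassassin/,
# which spamd running as "spamassassin" cannot read or write.

# After: fixed paths that do not depend on any user's home directory.
# bayes_path is a file-name prefix, so this yields bayes_toks, bayes_seen, ...
bayes_path                /var/spamassassin/bayes/bayes
bayes_file_mode           0700

auto_whitelist_path       /var/spamassassin/awl/auto-whitelist
auto_whitelist_file_mode  0700

# spamd started with per-user configuration disabled (-x / --nouser-config),
# keeping the options from the original command line:
#
#   /usr/local/bin/spamd -d -m10 -u spamassassin -x
```

With these settings every message is scored against one shared Bayes database and one shared auto-whitelist, so per-user training is no longer separated.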

Re: Re:

Posted by Daniel Madaoui <da...@logilune.com>.
On 13 Apr 06 at 20:45, Matt Kettler wrote:

> Daniel Madaoui wrote:
> <snip>
>> So I restart the spamd daemon with these options
>>
>> /usr/local/bin/spamd -d -m10  -u spamassassin ( spamassassin is a user
>> with its directory /home/spamassassin/.spamassassin )
>>
>> It tries to use the .spamassassin directory which belongs to root
>> (/root/.spamssassin/ )
>
> Known bug, fixed in SA 3.1.0 and higher.

I installed version 3.1.1 but I've got the same behaviour. It's
not using the /home/spamassassin/.spamassassin directory for bayes
and auto-whitelist

>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3900
>
> Also be aware that unless your source has back ported fixes, SA 3.0.3 is
> vulnerable to two different DoS attacks triggered by sending it specially
> crafted messages.
>
> 3.0.4, possibly older versions: "many to: headers" DoS vulnerability
> 	http://secunia.com/advisories/17386/
> 	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351
>
> 3.0.1-3.0.3: malformed message with long headers DoS
> 	http://secunia.com/advisories/15704/
> 	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266