Posted to commits@spamassassin.apache.org by jm...@apache.org on 2007/02/21 19:49:43 UTC

svn commit: r510142 - /spamassassin/site/advisories/cve-2007-0451.txt

Author: jm
Date: Wed Feb 21 10:49:42 2007
New Revision: 510142

URL: http://svn.apache.org/viewvc?view=rev&rev=510142
Log:
added CVE

Added:
    spamassassin/site/advisories/cve-2007-0451.txt

Added: spamassassin/site/advisories/cve-2007-0451.txt
URL: http://svn.apache.org/viewvc/spamassassin/site/advisories/cve-2007-0451.txt?view=auto&rev=510142
==============================================================================
--- spamassassin/site/advisories/cve-2007-0451.txt (added)
+++ spamassassin/site/advisories/cve-2007-0451.txt Wed Feb 21 10:49:42 2007
@@ -0,0 +1,26 @@
+CVE reference:  CVE-2007-0451
+
+Description:
+
+This is a heads-up on a denial-of-service vulnerability in Apache
+SpamAssassin, affecting versions 3.1.0 upwards. Versions before 3.1.0 are
+not affected.
+
+It has been assigned CVE-2007-0451, or bug 5318 in the SpamAssassin
+bugzilla.
+
+The vulnerability is caused by overly long URLs found in malformed HTML in
+a scanned mail message.  Processing of this message takes a long time and
+causes massive memory usage, which could cause a Denial of Service due to
+memory exhaustion or increased swapping, depending on the setup of the
+scanning machine and its resilience to OOM conditions.
+
+Fix: Fixed packages have been released as version 3.1.8.
+
+Further info: mail <security at SpamAssassin.apache.org>
+Announced: Feb 13 2007
+Corrected: Feb 13 2007
+Affects: all versions before the correction date, after and including 3.1.0
+Credit: discovery of this vulnerability credited to Steve Halligan
+        <shalligan at 333tech.com>.
+
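Review bot: The "Affects:" line near the end of the added file bounds the affected range by "the correction date" rather than by version, which an administrator cannot check against an installed package. State the upper bound as a version number tied to the 3.1.8 named in the "Fix:" line, so that it reads consistently with "affecting versions 3.1.0 upwards" in the Description. Two smaller points in the same file: "bug 5318" is cited without a link to the bugzilla entry, and there is no interim mitigation for sites that cannot move to 3.1.8 right away. If one exists it belongs next to the "Fix:" line, and if none exists it helps to say so.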