RE: [SECURITY] [DSA 1090-1] New spamassassin packages fix remote command execution
No mention of whether this is exploitable when spamassassin is used by MailScanner?
James
> -----Original Message-----
> From: Martin Schulze [mailto:joey@infodrom.org]
> Sent: Tuesday, 6 June 2006 19:18
> To: Debian Security Announcements
> Subject: [SECURITY] [DSA 1090-1] New spamassassin packages fix remote command execution
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1090-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> June 6th, 2006                          http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : spamassassin
> Vulnerability : programming error
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2006-2447
>
> A vulnerability has been discovered in SpamAssassin, a Perl-based spam
> filter using text analysis, that can allow remote attackers to execute
> arbitrary commands. This problem only affects systems where spamd is
> reachable via the internet and used with vpopmail virtual users, via
> the "-v" / "--vpopmail" switch, and with the "-P" / "--paranoid"
> switch which is not the default setting on Debian.
>
> The old stable distribution (woody) is not affected by this problem.
>
> For the stable distribution (sarge) this problem has been fixed in
> version 3.0.3-2sarge1.
>
> For the volatile archive for the stable distribution (sarge) this
> problem has been fixed in version 3.1.0a-0volatile3.
>
> For the unstable distribution (sid) this problem has been fixed in
> version 3.1.3-1.
>
> We recommend that you upgrade your spamd package.
>
>
> Upgrade Instructions
> - --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given at the end of this advisory:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.1 alias sarge
> - --------------------------------
>
> Source archives:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2sarge1.dsc
>     Size/MD5 checksum:      788 f9cce6d19fd73d0d62561a14672e9564
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2sarge1.diff.gz
>     Size/MD5 checksum:    45414 8804e76766eefa4324509b94dc005afa
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3.orig.tar.gz
>     Size/MD5 checksum:   999558 ca96f23cd1eb7d663ab55db98ef8090c
>
> Architecture independent components:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2sarge1_all.deb
>     Size/MD5 checksum:   769158 c4f10367da201b11d09a1c15da946f3b
>
> Alpha architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_alpha.deb
>     Size/MD5 checksum:    61720 3415e7c2962d21b897c6301c8ce88d8c
>
> AMD64 architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_amd64.deb
>     Size/MD5 checksum:    59700 4ee41384f107a46440c74bd2c6ff3cd4
>
> ARM architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_arm.deb
>     Size/MD5 checksum:    58494 909e85063300d2ddfc38270e19f39b9c
>
> Intel IA-32 architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_i386.deb
>     Size/MD5 checksum:    57626 adb71b8190e535646d936333da1180ca
>
> Intel IA-64 architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_ia64.deb
>     Size/MD5 checksum:    65166 63435fc25e69eb3dcbdd95b9f682fbe5
>
> HP Precision architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_hppa.deb
>     Size/MD5 checksum:    60366 7eb8b16a9701e96f2298cb0506bc2aa9
>
> Motorola 680x0 architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_m68k.deb
>     Size/MD5 checksum:    57672 66ca12aa5edec5380b6d8eb959fab045
>
> Big endian MIPS architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_mips.deb
>     Size/MD5 checksum:    60362 98cf7bd2a3db3fa65b9f6ded3891a695
>
> Little endian MIPS architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_mipsel.deb
>     Size/MD5 checksum:    60354 47bc85b216aad03d54f2a7a342cef760
>
> PowerPC architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_powerpc.deb
>     Size/MD5 checksum:    60730 c408427db34e9d38c982190c8e8ff8d5
>
> IBM S/390 architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_s390.deb
>     Size/MD5 checksum:    59574 b3fc066015148c10ad11d4055a1a2289
>
> Sun Sparc architecture:
>
>   http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_sparc.deb
>     Size/MD5 checksum:    58492 a20e3d4ed9fd9a9d013f380e0f4b3c33
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
>
>
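The advisory ties exposure to spamd running with both -v/--vpopmail and -P/--paranoid. As an added example (not code from the advisory, from Debian, or from this thread), the POSIX shell audit below assumes spamd's usual option letters and works on a constructed `ps -eo args` sample; on a real host you would feed it the live `ps` output to see which spamd instances run with that combination.

```shell
#!/bin/sh
# Added example for DSA 1090-1 (not code from the advisory or from the
# MailScanner thread). It flags spamd command lines that combine
# -v/--vpopmail with -P/--paranoid, the configuration the advisory says
# is affected, so a host can be audited before deciding on an upgrade.

# Return 0 if the spamd command line carries both --vpopmail and --paranoid.
# Bundled short flags such as "-vP" are handled by inspecting each letter
# (assumes spamd's usual option letters; a separate "-u vpopmail" user
# argument does not count, since it is not the --vpopmail switch).
spamd_uses_risky_flags() {
    vpop=1
    para=1
    for arg in $1; do
        case $arg in
            --vpopmail) vpop=0 ;;
            --paranoid) para=0 ;;
            --*) ;;                 # any other long option: ignore
            -*) case $arg in *v*) vpop=0 ;; esac
                case $arg in *P*) para=0 ;; esac ;;
        esac
    done
    [ "$vpop" -eq 0 ] && [ "$para" -eq 0 ]
}

# Count spamd processes in `ps -eo args`-style output that run with the
# affected flag combination; prints the count.
count_risky_spamd() {
    ps_out=$1
    n=0
    while IFS= read -r line; do
        set -- $line                # first word is the program path
        case ${1:-} in
            *spamd) spamd_uses_risky_flags "$line" && n=$((n + 1)) ;;
        esac
    done <<EOF
$ps_out
EOF
    echo "$n"
}

# Constructed sample of `ps -eo args` output (not captured from a real host).
SAMPLE_PS='/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d
/usr/sbin/spamd -d -vP -x -u vpopmail --pidfile=/var/run/spamd.pid
/usr/bin/perl /usr/sbin/MailScanner
/usr/sbin/spamd --vpopmail -d --paranoid'

# On a live host, pass "$(ps -eo args)" instead of the sample.
echo "spamd instances with -v and -P in sample: $(count_risky_spamd "$SAMPLE_PS")"
```

A non-zero count identifies the instances whose flags should be reviewed alongside the package version against the fixed versions the advisory lists.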