New spamassassin packages fix remote command execution
---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 16-1 http://volatile.debian.net
debian-volatile@lists.debian.org Andreas Barth
June 6th, 2006
---------------------------------------------------------------------------
Package : spamassassin
Version : 3.1.0a-0volatile3
Importance : medium
CVE IDs : CVE-2006-2447
A remote code execution vulnerability was found in spamd when it is run
with both the "--vpopmail" and "-P" options. If either or both of those
options are not used, there is no vulnerability.
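To check whether a given spamd invocation meets the condition above, the following added example (not part of the original announcement) tests an option string for both options. The function names, the sample option strings, the alternate spellings -v and --paranoid, the clustered short form, and /etc/default/spamassassin as the place Debian keeps spamd's OPTIONS are assumptions.

```shell
#!/bin/sh
# Added example, not from the announcement. Assumptions: -v and --paranoid are
# alternate spellings of --vpopmail and -P, and short options may be clustered
# (e.g. -dvP); clusters are scanned for v/P, which errs toward reporting.

# spamd_exposed "<options>": status 0 if BOTH options are present, else 1.
spamd_exposed() {
    has_vpopmail=0
    has_paranoid=0
    set -f                       # no globbing while the string is word-split
    for tok in $1; do
        case "$tok" in
            --vpopmail|-v) has_vpopmail=1 ;;
            --paranoid|-P) has_paranoid=1 ;;
            --*) ;;              # any other long option
            -*)                  # cluster of short options
                case "$tok" in *v*) has_vpopmail=1 ;; esac
                case "$tok" in *P*) has_paranoid=1 ;; esac ;;
        esac                     # tokens without a dash are option values
    done
    set +f
    [ "$has_vpopmail" -eq 1 ] && [ "$has_paranoid" -eq 1 ]
}

# options_from_default_file FILE: print the value of the last OPTIONS=... line
# (assumed Debian location of spamd's options: /etc/default/spamassassin).
options_from_default_file() {
    sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" | tail -n 1 |
        sed 's/^["'\'']//; s/["'\'']$//'
}

# Constructed sample option strings, one per line.
samples='--create-prefs --max-children 5 --helper-home-dir
-d -c -m 5 -u vpopmail
-d --vpopmail -u vpopmail
-d --vpopmail -P -u vpopmail
-dvP -u vpopmail'

printf '%s\n' "$samples" | while IFS= read -r opts; do
    if spamd_exposed "$opts"; then
        echo "EXPOSED (both options set): $opts"
    else
        echo "not exposed:                $opts"
    fi
done
```

On a live system, feed spamd_exposed the output of options_from_default_file or the arguments of the running spamd process.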
For sarge, an updated spamassassin package is available in sarge/volatile-sloppy
as version 3.1.0a-0volatile3.
Upgrade Instructions
--------------------
You can get the updated packages at
http://volatile.debian.net/debian-volatile/pool/volatile/main/s/spamassassin/
and install them with dpkg, or add

    deb http://volatile.debian.net/debian-volatile sarge/volatile-sloppy main
    deb-src http://volatile.debian.net/debian-volatile sarge/volatile-sloppy main

to your /etc/apt/sources.list. You can also use any of our mirrors.

In addition, you need to pin spamassassin and/or spamc in /etc/apt/preferences
(unless that has already happened before):

    Package: spamassassin
    Pin: release a=sarge-sloppy, version 3.1.0a*
    Pin-Priority: 500

    Package: spamc
    Pin: release a=sarge-sloppy, version 3.1.0a*
    Pin-Priority: 500

Please see http://www.debian.org/devel/debian-volatile/volatile-mirrors for
the full list of mirrors. The archive signing key can be downloaded from
http://volatile.debian.net/ziyi-sarge.asc
For further information about debian-volatile, please refer to
http://volatile.debian.net/.
If there are any issues, please don't hesitate to get in touch with the
volatile team.