
RE: [SECURITY] [DSA 1090-1] New spamassassin packages fix remote command execution



MailScanner does not use spamd, but the Perl API of SpamAssassin, so it
is not vulnerable.

Jase

> -----Original Message-----
> From: James Harper [mailto:james.harper@bendigoit.com.au] 
> Sent: Tuesday, June 06, 2006 6:19 AM
> To: debian-security@lists.debian.org; Debian Security Announcements
> Subject: RE: [SECURITY] [DSA 1090-1] New spamassassin packages fix remote command execution
> 
> No mention of if this is exploitable when spamassassin is used by
> MailScanner?
> 
> James
> 
> > -----Original Message-----
> > From: Martin Schulze [mailto:joey@infodrom.org]
> > Sent: Tuesday, 6 June 2006 19:18
> > To: Debian Security Announcements
> > Subject: [SECURITY] [DSA 1090-1] New spamassassin packages fix remote command execution
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > - ------------------------------------------------------------------------
> > Debian Security Advisory DSA 1090-1                    security@debian.org
> > http://www.debian.org/security/                             Martin Schulze
> > June 6th, 2006                          http://www.debian.org/security/faq
> > - ------------------------------------------------------------------------
> > 
> > Package        : spamassassin
> > Vulnerability  : programming error
> > Problem type   : remote
> > Debian-specific: no
> > CVE ID         : CVE-2006-2447
> > 
> > A vulnerability has been discovered in SpamAssassin, a Perl-based spam
> > filter using text analysis, that can allow remote attackers to execute
> > arbitrary commands.  This problem only affects systems where spamd is
> > reachable via the internet and used with vpopmail virtual users, via
> > the "-v" / "--vpopmail" switch, and with the "-P" / "--paranoid"
> > switch which is not the default setting on Debian.
> > 
> > The old stable distribution (woody) is not affected by this problem.
> > 
> > For the stable distribution (sarge) this problem has been fixed in
> > version 3.0.3-2sarge1.
> > 
> > For the volatile archive for the stable distribution (sarge) this
> > problem has been fixed in version 3.1.0a-0volatile3.
> > 
> > For the unstable distribution (sid) this problem has been fixed in
> > version 3.1.3-1.
> > 
> > We recommend that you upgrade your spamd package.
> > 
> > 
> > Upgrade Instructions
> > - --------------------
> > 
> > wget url
> >         will fetch the file for you
> > dpkg -i file.deb
> >         will install the referenced file.
> > 
> > If you are using the apt-get package manager, use the line for
> > sources.list as given at the end of this advisory:
> > 
> > apt-get update
> >         will update the internal database
> > apt-get upgrade
> >         will install corrected packages
> > 
> > You may use an automated update by adding the resources from the
> > footer to the proper configuration.
> > 
> > 
> > Debian GNU/Linux 3.1 alias sarge
> > - --------------------------------
> > 
> >   Source archives:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2sarge1.dsc
> >       Size/MD5 checksum:      788 f9cce6d19fd73d0d62561a14672e9564
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2sarge1.diff.gz
> >       Size/MD5 checksum:    45414 8804e76766eefa4324509b94dc005afa
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3.orig.tar.gz
> >       Size/MD5 checksum:   999558 ca96f23cd1eb7d663ab55db98ef8090c
> > 
> >   Architecture independent components:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2sarge1_all.deb
> >       Size/MD5 checksum:   769158 c4f10367da201b11d09a1c15da946f3b
> > 
> >   Alpha architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_alpha.deb
> >       Size/MD5 checksum:    61720 3415e7c2962d21b897c6301c8ce88d8c
> > 
> >   AMD64 architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_amd64.deb
> >       Size/MD5 checksum:    59700 4ee41384f107a46440c74bd2c6ff3cd4
> > 
> >   ARM architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_arm.deb
> >       Size/MD5 checksum:    58494 909e85063300d2ddfc38270e19f39b9c
> > 
> >   Intel IA-32 architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_i386.deb
> >       Size/MD5 checksum:    57626 adb71b8190e535646d936333da1180ca
> > 
> >   Intel IA-64 architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_ia64.deb
> >       Size/MD5 checksum:    65166 63435fc25e69eb3dcbdd95b9f682fbe5
> > 
> >   HP Precision architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_hppa.deb
> >       Size/MD5 checksum:    60366 7eb8b16a9701e96f2298cb0506bc2aa9
> > 
> >   Motorola 680x0 architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_m68k.deb
> >       Size/MD5 checksum:    57672 66ca12aa5edec5380b6d8eb959fab045
> > 
> >   Big endian MIPS architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_mips.deb
> >       Size/MD5 checksum:    60362 98cf7bd2a3db3fa65b9f6ded3891a695
> > 
> >   Little endian MIPS architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_mipsel.deb
> >       Size/MD5 checksum:    60354 47bc85b216aad03d54f2a7a342cef760
> > 
> >   PowerPC architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_powerpc.deb
> >       Size/MD5 checksum:    60730 c408427db34e9d38c982190c8e8ff8d5
> > 
> >   IBM S/390 architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_s390.deb
> >       Size/MD5 checksum:    59574 b3fc066015148c10ad11d4055a1a2289
> > 
> >   Sun Sparc architecture:
> > 
> >     http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_sparc.deb
> >       Size/MD5 checksum:    58492 a20e3d4ed9fd9a9d013f380e0f4b3c33
> > 
> > 
> >   These files will probably be moved into the stable distribution on
> >   its next update.
> > 
> > - ---------------------------------------------------------------------------------
> > For apt-get: deb http://security.debian.org/ stable/updates main
> > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> > Mailing list: debian-security-announce@lists.debian.org
> > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.3 (GNU/Linux)
> > 
> > iD8DBQFEhUg2W5ql+IAeqTIRAqYvAJ9zROIt29/b4xbxABryGPfIyY1LmQCfeVAg
> > HIBRtO9PaYZZAg7rsdQEcJs=
> > =wS/1
> > -----END PGP SIGNATURE-----
> > 
> > 
> > --
> > To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 

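Added example, not part of this thread, of the Debian advisory or of MailScanner: a POSIX shell triage script for the conditions the advisory states. It treats a host as exposed only when spamd is configured with both the vpopmail switch (-v / --vpopmail) and the paranoid switch (-P / --paranoid) and the installed spamassassin package is older than the fixed version for its suite. The fixed version strings are the ones the advisory lists; the script assumes spamd's startup flags live in the OPTIONS variable of /etc/default/spamassassin (the Debian default file, an assumption here) and uses dpkg-query and dpkg --compare-versions when they are present. Whether spamd is reachable from the internet is left to the operator's own firewall review. An installation that drives SpamAssassin through the Perl API rather than spamd has no spamd flags for the option check to find; the version check still tells you whether the fixed package is installed.

```shell
#!/bin/sh
# Added example: triage a Debian host against DSA 1090-1 / CVE-2006-2447.
# Exposure requires ALL of: unfixed spamassassin, spamd started with both
# -v/--vpopmail and -P/--paranoid, and spamd reachable from the internet.
# The first two are checked here; network reachability is not.

# Fixed versions exactly as given in the advisory.
FIXED_SARGE="3.0.3-2sarge1"
FIXED_VOLATILE="3.1.0a-0volatile3"
FIXED_SID="3.1.3-1"

# Print "yes" when the spamd option string carries both advisory switches,
# "no" otherwise. Handles long forms, separate short options and bundled
# letter clusters such as "-dvP". Clusters containing non-letters (e.g. an
# attached value like "-H/var/lib/spamd" or "-m5") are skipped so that a
# "v" or "P" inside a path or number is not mistaken for a switch.
spamd_opts_match_dsa() {
    vpop=no
    para=no
    for arg in $1; do
        case "$arg" in
            --vpopmail) vpop=yes ;;
            --paranoid) para=yes ;;
            --*) ;;                                  # other long option
            -*)
                letters=${arg#-}
                case "$letters" in
                    *[!A-Za-z]*) ;;                  # attached value: skip
                    *)
                        case "$letters" in *v*) vpop=yes ;; esac
                        case "$letters" in *P*) para=yes ;; esac
                        ;;
                esac
                ;;
        esac
    done
    if [ "$vpop" = yes ] && [ "$para" = yes ]; then echo yes; else echo no; fi
}

# Print "yes" if INSTALLED is at or above FIXED in Debian version order,
# "no" if below, "unknown" when dpkg is unavailable and the strings differ.
installed_is_fixed() {
    installed=$1
    fixed=$2
    if [ "$installed" = "$fixed" ]; then echo yes; return 0; fi
    if command -v dpkg >/dev/null 2>&1; then
        if dpkg --compare-versions "$installed" ge "$fixed"; then
            echo yes
        else
            echo no
        fi
    else
        echo unknown
    fi
}

# Combine both checks. The option check comes first: without the -v/-P
# combination the advisory's condition is not met whatever the version.
# Prints UNAFFECTED_CONFIG, PATCHED, EXPOSED or UNKNOWN.
dsa1090_verdict() {
    installed=$1
    fixed=$2
    opts=$3
    if [ "$(spamd_opts_match_dsa "$opts")" != yes ]; then
        echo UNAFFECTED_CONFIG
        return 0
    fi
    case "$(installed_is_fixed "$installed" "$fixed")" in
        yes) echo PATCHED ;;
        no)  echo EXPOSED ;;
        *)   echo UNKNOWN ;;
    esac
}

# Live check of this host. Reads the installed version via dpkg-query and
# the OPTIONS variable from /etc/default/spamassassin (assumed location of
# spamd's startup flags on Debian). Override the reference version with
# DSA_FIXED=3.1.0a-0volatile3 on a volatile host; sarge is the default.
check_host() {
    fixed=${DSA_FIXED:-$FIXED_SARGE}
    installed=$(dpkg-query -W -f='${Version}' spamassassin 2>/dev/null || true)
    if [ -z "$installed" ]; then
        echo "spamassassin is not installed on this host"
        return 0
    fi
    OPTIONS=""
    if [ -r /etc/default/spamassassin ]; then . /etc/default/spamassassin; fi
    echo "installed=$installed fixed=$fixed spamd_opts=\"$OPTIONS\""
    dsa1090_verdict "$installed" "$fixed" "$OPTIONS"
}

# Run the live check only when asked: sh dsa1090-check.sh --host
case "${1:-}" in --host) check_host ;; esac
```

The functions are kept separate from the host probe so the option parser and the verdict logic can be exercised with constructed inputs on any machine, while `--host` does the real dpkg-query and /etc/default lookups on the Debian box itself.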

