RE: [SECURITY] [DSA 1090-1] New spamassassin packages fix remote command execution
MailScanner does not use spamd, but the perl api of spamassassin, so it
is not vulnerable.
Jase
> -----Original Message-----
> From: James Harper [mailto:james.harper@bendigoit.com.au]
> Sent: Tuesday, June 06, 2006 6:19 AM
> To: debian-security@lists.debian.org; Debian Security Announcements
> Subject: RE: [SECURITY] [DSA 1090-1] New spamassassin
> packages fix remote command execution
>
> No mention of if this is exploitable when spamassassin is used by
> MailScanner?
>
> James
>
> > -----Original Message-----
> > From: Martin Schulze [mailto:joey@infodrom.org]
> > Sent: Tuesday, 6 June 2006 19:18
> > To: Debian Security Announcements
> > Subject: [SECURITY] [DSA 1090-1] New spamassassin packages
> fix remote
> > command execution
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > -
> --------------------------------------------------------------
> ----------
> > --
> > Debian Security Advisory DSA 1090-1
> security@debian.org
> > http://www.debian.org/security/ Martin
> Schulze
> > June 6th, 2006
> http://www.debian.org/security/faq
> > -
> --------------------------------------------------------------
> ----------
> > --
> >
> > Package : spamassassin
> > Vulnerability : programming error
> > Problem type : remote
> > Debian-specific: no
> > CVE ID : CVE-2006-2447
> >
> > A vulnerability has been discoverd in SpamAssassin, a
> Perl-based spam
> > filter using text analysis, that can allow remote attackers
> to execute
> > arbitrary commands. This problem only affects systems
> where spamd is
> > reachable via the internet and used with vpopmail virtual users, via
> > the "-v" / "--vpopmail" switch, and with the "-P" / "--paranoid"
> > switch which is not the default setting on Debian.
> >
> > The old stable distribution (woody) is not affected by this problem.
> >
> > For the stable distribution (sarge) this problem has been fixed in
> > version 3.0.3-2sarge1.
> >
> > For the volatile archive for the stable distribution (sarge) this
> > problem has been fixed in version 3.1.0a-0volatile3.
> >
> > For the unstable distribution (sid) this problem has been fixed in
> > version 3.1.3-1.
> >
> > We recommend that you upgrade your spamd package.
> >
> >
> > Upgrade Instructions
> > - --------------------
> >
> > wget url
> > will fetch the file for you
> > dpkg -i file.deb
> > will install the referenced file.
> >
> > If you are using the apt-get package manager, use the line for
> > sources.list as given at the end of this advisory:
> >
> > apt-get update
> > will update the internal database
> > apt-get upgrade
> > will install corrected packages
> >
> > You may use an automated update by adding the resources from the
> > footer to the proper configuration.
> >
> >
> > Debian GNU/Linux 3.1 alias sarge
> > - --------------------------------
> >
> > Source archives:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amassassin
> _3
> > .0.3-2sarge1.dsc
> > Size/MD5 checksum: 788 f9cce6d19fd73d0d62561a14672e9564
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amassassin
> _3
> > .0.3-2sarge1.diff.gz
> > Size/MD5 checksum: 45414 8804e76766eefa4324509b94dc005afa
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amassassin
> _3
> > .0.3.orig.tar.gz
> > Size/MD5 checksum: 999558 ca96f23cd1eb7d663ab55db98ef8090c
> >
> > Architecture independent components:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amassassin
> _3
> > .0.3-2sarge1_all.deb
> > Size/MD5 checksum: 769158 c4f10367da201b11d09a1c15da946f3b
> >
> > Alpha architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_alpha.deb
> > Size/MD5 checksum: 61720 3415e7c2962d21b897c6301c8ce88d8c
> >
> > AMD64 architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_amd64.deb
> > Size/MD5 checksum: 59700 4ee41384f107a46440c74bd2c6ff3cd4
> >
> > ARM architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_arm.deb
> > Size/MD5 checksum: 58494 909e85063300d2ddfc38270e19f39b9c
> >
> > Intel IA-32 architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_i386.deb
> > Size/MD5 checksum: 57626 adb71b8190e535646d936333da1180ca
> >
> > Intel IA-64 architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_ia64.deb
> > Size/MD5 checksum: 65166 63435fc25e69eb3dcbdd95b9f682fbe5
> >
> > HP Precision architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_hppa.deb
> > Size/MD5 checksum: 60366 7eb8b16a9701e96f2298cb0506bc2aa9
> >
> > Motorola 680x0 architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_m68k.deb
> > Size/MD5 checksum: 57672 66ca12aa5edec5380b6d8eb959fab045
> >
> > Big endian MIPS architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_mips.deb
> > Size/MD5 checksum: 60362 98cf7bd2a3db3fa65b9f6ded3891a695
> >
> > Little endian MIPS architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_mipsel.deb
> > Size/MD5 checksum: 60354 47bc85b216aad03d54f2a7a342cef760
> >
> > PowerPC architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_powerpc.deb
> > Size/MD5 checksum: 60730 c408427db34e9d38c982190c8e8ff8d5
> >
> > IBM S/390 architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_s390.deb
> > Size/MD5 checksum: 59574 b3fc066015148c10ad11d4055a1a2289
> >
> > Sun Sparc architecture:
> >
> >
> >
> http://security.debian.org/pool/updates/main/s/spamassassin/sp
> amc_3.0.3-
> > 2sarge1_sparc.deb
> > Size/MD5 checksum: 58492 a20e3d4ed9fd9a9d013f380e0f4b3c33
> >
> >
> > These files will probably be moved into the stable distribution on
> > its next update.
> >
> > -
> --------------------------------------------------------------
> ----------
> > ---------
> > For apt-get: deb http://security.debian.org/ stable/updates main
> > For dpkg-ftp: ftp://security.debian.org/debian-security
> > dists/stable/updates/main
> > Mailing list: debian-security-announce@lists.debian.org
> > Package info: `apt-cache show <pkg>' and
> http://packages.debian.org/<pkg>
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.3 (GNU/Linux)
> >
> > iD8DBQFEhUg2W5ql+IAeqTIRAqYvAJ9zROIt29/b4xbxABryGPfIyY1LmQCfeVAg
> > HIBRtO9PaYZZAg7rsdQEcJs=
> > =wS/1
> > -----END PGP SIGNATURE-----
> >
> >
> > --
> > To UNSUBSCRIBE, email to
> debian-security-announce-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
>
>
Reply to: