DSA 736-2: New spamassassin packages fix potential DOS
Posted on: 07/08/2005 08:00 AM

New samassassin packages are available for Debian GNU/Linux ARM and HP PA RISC

-------------------------------------------------------------------------
Debian Security Advisory DSA 736-2 security@debian.org
http://www.debian.org/security/ Michael Stone
July 07, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : spamassassin
Vulnerability : mail header parsing error
Problem type : remote DOS
Debian-specific: no
CVE Id(s) : CAN-2005-1266
Debian Bug : 314447

A vulnerability was recently found in the way that SpamAssassin parses certain email headers. This vulnerability could cause SpamAssassin to consume a large number of CPU cycles when processing messages containing these headers, leading to a potential denial of service (DOS) attack.

The version of SpamAssassin in the old stable distribution (woody) is not vulnerable.

For the stable distribution (sarge), this problem has been fixed in version 3.0.3-2. Note that packages are not yet ready for certain architectures; these will be released as they become available.

For the unstable distribution (sid), this problem has been fixed in version 3.0.4-1.

The only change since DSA 736-1 is the addition of packages for certain architectures that were not available at the time of the original advisory.

We recommend that you upgrade your sarge or sid spamassassin package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (sarge)
- ------------------

sarge was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc. Packages were released for all but arm and hppa in DSA 736-1.

arm architecture (ARM)

http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_arm.deb
Size/MD5 checksum: 58362 cf463ef4d601f3f6502f891eef928451

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_hppa.deb
Size/MD5 checksum: 60236 4f6c26a0c8ac1249aa38c17040b18d97



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_736_2_new_spamassassin_packages_fix_potential_dos.html)