[Security Announce] [ MDKSA-2007:049 ] - Updated spamassassin packages fix DoS vulnerability
Posted on: 02/24/2007 12:35 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:049
http://www.mandriva.com/security/
_______________________________________________________________________

Package : spamassassin
Date : February 23, 2007
Affected: 2007.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

A bug in the way that SpamAssassin processes HTML emails containing
URIs was discovered in versions 3.1.x. A carefully crafted mail
message could make SpamAssassin consume significant amounts of CPU
resources that could delay or prevent the delivery of mail if a
number of these messages were sent at once.

SpamAssassin has been upgraded to version 3.1.8 to correct this
problem, and other upstream bugs. In addition, an invalid path setting
in local.cf for the auto_whitelist_path has been fixed for Mandriva
2007.0.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0451
http://qa.mandriva.com/show_bug.cgi?id'424
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
d650293a8726a25c4fd3fac01058f758 2007.0/i586/perl-Mail-SpamAssassin-3.1.8-0.1mdv2007.0.i586.rpm
721c1aeebf3bf0eda9e82f165cebcd7b 2007.0/i586/spamassassin-3.1.8-0.1mdv2007.0.i586.rpm
bb191e955876ae1cd3a39a694f5c6259 2007.0/i586/spamassassin-spamc-3.1.8-0.1mdv2007.0.i586.rpm
845c7c94d98f06bdcc2949ea2cf3272b 2007.0/i586/spamassassin-spamd-3.1.8-0.1mdv2007.0.i586.rpm
730d7cb8c61a3c40149ffdabb3a2a039 2007.0/i586/spamassassin-tools-3.1.8-0.1mdv2007.0.i586.rpm
ad0a0132bf2cea709038ae72af5ad72b 2007.0/SRPMS/spamassassin-3.1.8-0.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
74e606f97f5d341eaaa7f1fae29af965 2007.0/x86_64/perl-Mail-SpamAssassin-3.1.8-0.1mdv2007.0.x86_64.rpm
b75394411af4c61a6e273ae0bfdd0cdb 2007.0/x86_64/spamassassin-3.1.8-0.1mdv2007.0.x86_64.rpm
841dbbe7e13527bbed478c4ee1673824 2007.0/x86_64/spamassassin-spamc-3.1.8-0.1mdv2007.0.x86_64.rpm
b0033170128717b308172d1be62d2fea 2007.0/x86_64/spamassassin-spamd-3.1.8-0.1mdv2007.0.x86_64.rpm
8cda04c353a295fe889b0373dd70c657 2007.0/x86_64/spamassassin-tools-3.1.8-0.1mdv2007.0.x86_64.rpm
ad0a0132bf2cea709038ae72af5ad72b 2007.0/SRPMS/spamassassin-3.1.8-0.1mdv2007.0.src.rpm

Corporate 4.0:
1cacb51bf040c259c069fa608e0e2c49 corporate/4.0/i586/perl-Mail-SpamAssassin-3.1.8-0.1.20060mlcs4.i586.rpm
f05942822badb56e42aa93f0b5717a58 corporate/4.0/i586/spamassassin-3.1.8-0.1.20060mlcs4.i586.rpm
8a70c211b6b9f900aeadcb701a82de08 corporate/4.0/i586/spamassassin-spamc-3.1.8-0.1.20060mlcs4.i586.rpm
cf64b92a8f7bf9e10f82e6ae5ff83d94 corporate/4.0/i586/spamassassin-spamd-3.1.8-0.1.20060mlcs4.i586.rpm
f58b265feb70a6129bb747e52d9b968e corporate/4.0/i586/spamassassin-tools-3.1.8-0.1.20060mlcs4.i586.rpm
663e6ce1d90085aea5840934b742641b corporate/4.0/SRPMS/spamassassin-3.1.8-0.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
69f4a1ef34a46eaf071d157dab7a19a1 corporate/4.0/x86_64/perl-Mail-SpamAssassin-3.1.8-0.1.20060mlcs4.x86_64.rpm
f18bd5698dfc5342984b6f2d0d15606f corporate/4.0/x86_64/spamassassin-3.1.8-0.1.20060mlcs4.x86_64.rpm
87b7259668e39af9187acd29cd59a872 corporate/4.0/x86_64/spamassassin-spamc-3.1.8-0.1.20060mlcs4.x86_64.rpm
533fee6c7f174f9964584864d6da08e7 corporate/4.0/x86_64/spamassassin-spamd-3.1.8-0.1.20060mlcs4.x86_64.rpm
7a0df8727eb4f3024325995b920b47a7 corporate/4.0/x86_64/spamassassin-tools-3.1.8-0.1.20060mlcs4.x86_64.rpm
663e6ce1d90085aea5840934b742641b corporate/4.0/SRPMS/spamassassin-3.1.8-0.1.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF30eemqjQ0CJFipgRAtogAKDGcmYv5ExJQdbQp8BIbj6Nst3cUQCgytlu
z4crGBL8AKM8dTZU0ps/Sy8=
=uiOS
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007049__updated_spamassassin_packages_fix_dos_vulnerability.html)