Debian Bug report logs -
#410843
spamassassin: URI parsing causes local DoS
Reported by: Micah Anderson <micah@debian.org>
Date: Tue, 13 Feb 2007 20:18:09 UTC
Severity: serious
Tags: patch, security
Found in versions spamassassin/3.1.7-1, 3.1.4-0volatile1
Fixed in versions spamassassin/3.1.7-2, spamassassin/3.1.4-0volatile2
Done: Martin Zobel-Helas <zobel@ftbfs.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Duncan Findlay <duncf@debian.org>
:
Bug#410843
; Package spamassassin
.
(full text, mbox, link).
Acknowledgement sent to Micah Anderson <micah@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Duncan Findlay <duncf@debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: spamassassin
Version: 3.1.7-1
Severity: important
Tags: security patch
There is a DoS in apparantly all versions of spamassassin prior to
3.1.8 (which is not released yet). The details of this are obtained
through this bugzilla log:
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5318
As well as a patch to fix the issue for 3.1.8. This will likely require
a backported fix for sarge.
CVE id to be assigned shortly.
Micah
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-vserver-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages spamassassin depends on:
ii libdigest-sha1-perl 2.11-2 NIST SHA-1 message digest algorith
ii libhtml-parser-perl 3.56-1 A collection of modules that parse
ii libnet-dns-perl 0.59-1 Perform DNS queries from a Perl sc
pn libsocket6-perl <none> (no description available)
ii perl 5.8.8-7 Larry Wall's Practical Extraction
Versions of packages spamassassin recommends:
pn libmail-spf-query-perl <none> (no description available)
ii perl [libmime-base64-perl] 5.8.8-7 Larry Wall's Practical Extraction
pn spamc <none> (no description available)
Information forwarded to debian-bugs-dist@lists.debian.org, Duncan Findlay <duncf@debian.org>
:
Bug#410843
; Package spamassassin
.
(full text, mbox, link).
Acknowledgement sent to Mark J Cox <mjc@redhat.com>
:
Extra info received and forwarded to list. Copy sent to Duncan Findlay <duncf@debian.org>
.
(full text, mbox, link).
Message #10 received at 410843@bugs.debian.org (full text, mbox, reply):
This is CVE-2007-0451
Severity set to `serious' from `important'
Request was from Duncan Findlay <duncf@debian.org>
to control@bugs.debian.org
.
(full text, mbox, link).
Reply sent to Duncan Findlay <duncf@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Micah Anderson <micah@debian.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #17 received at 410843-close@bugs.debian.org (full text, mbox, reply):
Source: spamassassin
Source-Version: 3.1.7-2
We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive:
spamassassin_3.1.7-2.diff.gz
to pool/main/s/spamassassin/spamassassin_3.1.7-2.diff.gz
spamassassin_3.1.7-2.dsc
to pool/main/s/spamassassin/spamassassin_3.1.7-2.dsc
spamassassin_3.1.7-2_all.deb
to pool/main/s/spamassassin/spamassassin_3.1.7-2_all.deb
spamc_3.1.7-2_i386.deb
to pool/main/s/spamassassin/spamc_3.1.7-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 410843@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Duncan Findlay <duncf@debian.org> (supplier of updated spamassassin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 14 Feb 2007 21:46:52 -0500
Source: spamassassin
Binary: spamassassin spamc
Architecture: source all i386
Version: 3.1.7-2
Distribution: unstable
Urgency: high
Maintainer: Duncan Findlay <duncf@debian.org>
Changed-By: Duncan Findlay <duncf@debian.org>
Description:
spamassassin - Perl-based spam filter using text analysis
spamc - Client for SpamAssassin spam filtering daemon
Closes: 410843
Changes:
spamassassin (3.1.7-2) unstable; urgency=high
.
* Security fixes backported from 3.1.8:
- CVE-2007-0451: potential DoS with long URIs found in the message
content (Closes: #410843)
- Prevents perl code from being loaded via sa-update by default
(override with --allowplugins) (SpamAssassin bug 5240)
Files:
a28f5809ec45cec91bf1e8617782ab82 738 mail optional spamassassin_3.1.7-2.dsc
70f3d69e81dd5f7e6ecd819709565103 30993 mail optional spamassassin_3.1.7-2.diff.gz
e154445c3a04bb4b7da52088c3c2dfa4 973862 mail optional spamassassin_3.1.7-2_all.deb
4aa3fc65789fd755e223666a475869b8 75246 mail optional spamc_3.1.7-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFF0++wqjUzNGvmnNARAnNRAJ9EFQu/jIL7GYuiC4oaz74bbfw1SwCglUlX
urP3aAIg57F9ITMUKsrlhhA=
=IzT9
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Duncan Findlay <duncf@debian.org>
:
Bug#410843
; Package spamassassin
.
(full text, mbox, link).
Acknowledgement sent to intrigeri <intrigeri@boum.org>
:
Extra info received and forwarded to list. Copy sent to Duncan Findlay <duncf@debian.org>
.
(full text, mbox, link).
Message #22 received at 410843@bugs.debian.org (full text, mbox, reply):
Hello,
Duncan Findlay wrote (15 Feb 2007 05:47:03 GMT) :
> Source: spamassassin
> Source-Version: 3.1.7-2
> We believe that the bug you reported is fixed in the latest version of
> spamassassin, which is due to be installed in the Debian FTP archive:
Are there plans to prepare sarge packages backporting the security fix ?
Ciao,
--
intrigeri <intrigeri@boum.org>
| gnupg key @ http://intrigeri.boum.org/intrigeri.asc
| The impossible just takes a bit longer.
Bug marked as found in version 3.1.4-0volatile1.
Request was from Martin Zobel-Helas <zobel@debian.org>
to control@bugs.debian.org
.
(full text, mbox, link).
Reply sent to Martin Zobel-Helas <zobel@ftbfs.de>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Micah Anderson <micah@debian.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #29 received at 410843-close@bugs.debian.org (full text, mbox, reply):
Source: spamassassin
Source-Version: 3.1.4-0volatile2
It will be fixed in debian-volatile with version 3.1.4-0volatile2 and
[VUA 26-1].
Greetings
Martin
--
[root@debian /root]# man real-life
No manual entry for real-life
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 25 Jun 2007 10:00:49 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:15:21 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.