Bug 129284
| Summary: | CAN-2004-0796 DOS attack open to certain malformed messages | ||
|---|---|---|---|
| Product: | [Retired] Fedora Legacy | Reporter: | Michael Metz <metz> |
| Component: | spamassassin | Assignee: | Fedora Legacy Bugs <bugs> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | fc2 | CC: | bressers, mattdm, pekkas, redhat-bugzilla, reg+redhat, sheltren |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | LEGACY, 2 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-08-10 23:48:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This issue should also affect FC1. BTW, the path from Source0 in the spec file also should be also updated, the tar.bz2 is located in another location as it was at times of for e.g. 2.63-8... [Bulk move of FC2 bugs to Fedora Legacy. See <http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.] Looks like bug #152851 was just done for this for earlier Fedora Legacy-supported releases. In that case, looks like backporting was opted for instead of updating to 2.64. That is only because RHEL3's spamassassin-2.55 has an incompatible database format with 2.6x, which is not pretty in the case of an automatic update. FC2 doesn't have this problem to go from 2.63 to 2.64. But it looks like the FC1 update was just for 2.63. But maybe I'm just bugzilla'd out for the night. :) Oops, I should have actually read your bug. Anyway 2.64 should be no problem to auto-upgrade from 2.63. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated packages for FC2 to QA: * Fri May 06 2005 Marc Deslauriers <marcdeslauriers> 2.64-2.1.legacy - - Updated to 2.64 to fix CAN-2004-0796 6a5ff8ec3b3af6f23a10e58453c41e8ef4a563a7 spamassassin-2.64-2.1.legacy.i386.rpm 4cfb9a575a413e78ad4380c2bde473c17d5c60fe spamassassin-2.64-2.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/2/spamassassin-2.64-2.1.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/2/spamassassin-2.64-2.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCe/jHLMAs/0C4zNoRAl6NAKCQZGaoTstePqGBwCisPOlxhjDjFACgmDRo vAuSUlXeR/qXJsgtcRcLFtI= =4QCO -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity verifeid - spec file changes minimal +PUBLISH FC2 4cfb9a575a413e78ad4380c2bde473c17d5c60fe spamassassin-2.64-2.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFCflB5GHbTkzxSL7QRAt1PAKDJspwI/w//5tHjKjveqlZTqTOoJQCfTXGO zYWsTKhxyvoesrsbWfOr4LQ= =gCIu -----END PGP SIGNATURE----- These were pushed to updates-testing. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Verify for package: 6b7fbf447dce761c6dc6c85df6cc336cb31a939a spamassassin-2.64-2.1.legacy.i386.rpm Signature OK Package installs OK spamd starts and runs OK FC2 VERIFY++ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFC9FMnKe7MLJjUbNMRAsQFAKCT7nILf+CMQc4eew+tyvIvs3jZ1QCgg08H 8NDvqL4Pw3X6BLRnt3zyJqg= =LX1s -----END PGP SIGNATURE----- Thanks! Packages were released. |
Release of new Upstream-Version 2.64 Summary of major changes since 2.63 - ----------------------------------- - Security fix prevents a denial of service attack open to certain malformed messages; this DoS affects all SpamAssassin 2.5x and 2.6x versions to date. - Backported several very reliable rules from the SpamAssassin 3.0.0 codebase.