Bug 171325

Summary: CVE-2005-3351 Upgrade to spamassassin-3.0.5
Product: Red Hat Enterprise Linux 4
Reporter: Warren Togami <wtogami>
Component: spamassassin
Assignee: Warren Togami <wtogami>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4.0
CC: dcantrell, security-response-team, tburke
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20050905,impact=moderate,reported=20051020
Fixed In Version: RHSA-2006-0129
Doc Type: Bug Fix
Last Closed: 2006-03-07 18:23:26 UTC
Bug Depends On: 171594
Bug Blocks: 168429

Description Warren Togami 2005-10-20 20:19:02 UTC
RHEL4U3 should upgrade to the (not yet released) spamassassin-3.0.5 in order to
fix multiple denial of service issues and many bugs.  This maintenance release
improves both runtime safety and spam detection accuracy.

Justification
=============
- Spamassassin must constantly evolve in an arms race with hostile entities on
the Internet.
- Thus it must upgrade periodically in order to remain useful.
- 3.x retains API/ABI compatibility with 3rd party software [1]
- No QA resources are required.  Warren will handle all testing.
- Low risk changes due to conservative upstream development policy

Most Important Bugs
===================
- Bug #161785 where our init.d service script fails to restart the spamassassin
service because killing the previous spamd failed.
- Multiple Denial of Service vulnerabilities [2]
- Failure case where spamassassin can be easily tricked into not scanning a
message, causing complete failure of the filter.
- Many other bug fixes that improve the ability to correctly classify spam.

Low Risk
========
All patches added to 3.0.x by ASF policy must be only bugfixes following a
careful "RTC" process, that is Review then Commit.  Each change must be reviewed
and gain two votes by upstream developers in order to be added.  Warren is doing
much real-world and synthetic testing, and also among FC3 and FC4 users.

Warren personally has reviewed and tested every patch that has been added since
3.0.4 in addition to the upstream RTC voting procedure.  Risk is furthermore
reduced because everything being added to 3.0.5 is not "new" code but rather
code backported from 3.1.0, the next stable series.

[1] Theoretically the 3.1.0 release of the next stable series is fully
compatible and "safe" to drop in to RHEL4.  However in order to reduce risk I
instead wish to backport fixes into 3.0.x for one final 3.0.x maintenance
release for RHEL4.  In the future when the 3.1.x series is more proven in
production then it would be appropriate to investigate putting that into RHEL4.
For example, RHEL4U4 could do great with spamassassin-3.1.2.

[2] All of these issues are already fixed in upstream's 3.1.0 release, however
they have neglected to mention any of the details in public.  Details are
forthcoming.

Comment 5 Mark J. Cox 2005-11-01 11:27:55 UTC
CVE-2005-3351 Spamassassin DoS
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4570


Comment 7 Josh Bressers 2006-03-07 15:47:20 UTC
Removing embargo

Comment 8 Red Hat Bugzilla 2006-03-07 18:23:26 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0129.html