Bug 129284 - CAN-2004-0796 DOS attack open to certain malformed messages
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: spamassassin
fc2
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
LEGACY, 2
: Security
Reported: 2004-08-05 17:05 EDT by Michael Metz
Modified: 2007-04-18 13:10 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-08-10 19:48:48 EDT


Description Michael Metz 2004-08-05 17:05:28 EDT
Release of new Upstream-Version 2.64

Summary of major changes since 2.63
-----------------------------------
  - Security fix prevents a denial of service attack open to certain
    malformed messages; this DoS affects all SpamAssassin 2.5x
    and 2.6x versions to date.
  - Backported several very reliable rules from the SpamAssassin 3.0.0
    codebase.
Comment 1 Josh Bressers 2004-08-06 12:53:07 EDT
This issue should also affect FC1.
Comment 2 Robert Scheck 2004-08-06 13:34:54 EDT
BTW, the path from Source0 in the spec file should also be
updated; the tar.bz2 is located in a different location than it was at
the time of e.g. 2.63-8...
Comment 3 Matthew Miller 2005-04-11 18:21:11 EDT
[Bulk move of FC2 bugs to Fedora Legacy. See
<http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]
Comment 4 Matthew Miller 2005-04-12 00:52:07 EDT
Looks like bug #152851 was just done for this for earlier Fedora
Legacy-supported releases. In that case, looks like backporting was opted for
instead of updating to 2.64.
Comment 5 Warren Togami 2005-04-12 01:06:34 EDT
That is only because RHEL3's spamassassin-2.55 has an incompatible database
format with 2.6x, which is not pretty in the case of an automatic update.  FC2
doesn't have this problem to go from 2.63 to 2.64.
Comment 6 Matthew Miller 2005-04-12 01:17:34 EDT
But it looks like the FC1 update was just for 2.63. But maybe I'm just
bugzilla'd out for the night. :)
Comment 7 Warren Togami 2005-04-12 01:35:48 EDT
Oops, I should have actually read your bug.  Anyway 2.64 should be no problem to
auto-upgrade from 2.63.
Comment 8 Marc Deslauriers 2005-05-06 19:07:43 EDT
Here are updated packages for FC2 to QA:

* Fri May 06 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 2.64-2.1.legacy
- Updated to 2.64 to fix CAN-2004-0796

6a5ff8ec3b3af6f23a10e58453c41e8ef4a563a7  spamassassin-2.64-2.1.legacy.i386.rpm
4cfb9a575a413e78ad4380c2bde473c17d5c60fe  spamassassin-2.64-2.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/spamassassin-2.64-2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/spamassassin-2.64-2.1.legacy.src.rpm

Comment 9 Pekka Savola 2005-05-08 13:47:18 EDT
QA w/ rpm-build-compare.sh:
 - source integrity verified
 - spec file changes minimal

+PUBLISH FC2

4cfb9a575a413e78ad4380c2bde473c17d5c60fe  spamassassin-2.64-2.1.legacy.src.rpm
Comment 10 Marc Deslauriers 2005-06-04 15:45:56 EDT
These were pushed to updates-testing.
Comment 11 Jeff Sheltren 2005-08-06 02:05:07 EDT
Verify for package:
6b7fbf447dce761c6dc6c85df6cc336cb31a939a  spamassassin-2.64-2.1.legacy.i386.rpm

Signature OK
Package installs OK
spamd starts and runs OK

FC2 VERIFY++
Comment 12 Pekka Savola 2005-08-08 01:22:34 EDT
Thanks!
Comment 13 Marc Deslauriers 2005-08-10 19:48:48 EDT
Packages were released.
