http://secunia.com/advisories/12255/

A vulnerability has been discovered in SpamAssassin, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an unspecified error within the processing of certain malformed messages.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129337
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129284

------- Additional Comments From rob.myers.edu 2004-11-16 08:03:25 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an updated spamassassin package to QA for fc1:

- - patch from RHEL3 for CAN-2004-0796 applied

changelog:
* Tue Nov 16 2004 Rob Myers <rob.myers.edu> 2.63-0.2.1.legacy
- - patch for CAN-2004-0796 (FL #2268)

sha1sums:
f1bb38bb40c5722618707c685c37ceb5b3479511  spamassassin-2.63-0.2.1.legacy.i386.rpm
c0910fd8c7bae3c43e196fd62014606449f287a5  spamassassin-2.63-0.2.1.legacy.src.rpm
44636e571d4ec3f9f19052b3664459808c3ed50c  spamassassin-debuginfo-2.63-0.2.1.legacy.i386.rpm

files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/spamassassin-2.63-0.2.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/spamassassin-2.63-0.2.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/spamassassin-debuginfo-2.63-0.2.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBmkAitU2XAt1OWnsRAsyyAJ9j7kz/0RlWzZXC7A+HefR3JtIokwCfb0Qc
Zrsy6X89Ozrnr1r62yr4dA0=
=dIDF
-----END PGP SIGNATURE-----

------- Additional Comments From pekkas 2004-12-19 08:01:35 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA on SRPM w/ rpm-build-compare.sh:
- original packaging and other files OK
- only very minimal specfile changes
- the patch verified to come from RHEL.
- compilation or install not tested; to be done at updates-testing.

However, it must be noted that RHEL ships with 2.55, and this is 2.63. Therefore I went and looked at the diff between upstream 2.63 and 2.64 releases, and noticed two differences wrt. the security parts:

1) in lib/Mail/SpamAssassin/Bayes.pm, tokenize_headers() is not patched to include the upper limits. I think this is a problem.

2) in the header, there are some diffs wrt TOKENIZE_LONG_TOKENS_AS_SKIPS, BODY_TOKENIZE_LONG_TOKENS_AS_SKIPS and the like, but the patch is not trying to change them, so this is not a problem (except possibly for applying the patch)

I'm going to re-open the RHEL3 PR for 1), but in the meantime, I'd suggest that if we move forward, we'll use a patch between spamassassin-2.63 and spamassassin-2.64, minus the changes to the rules. I've also attached one for reference.

I've packaged the patch (on RHL73, not tested!) at:
http://www.netcore.fi/pekkas/linux/spamassassin-2.63-0.2.2.legacy.src.rpm

SHA1:
9b1bc0b64756a7e3746959cf3f32ee397de9df9c  spamassassin-2.63-0.2.2.legacy.src.rpm

Changelog:
* Sun Dec 19 2004 Pekka Savola <pekkas> 2.63-0.2.2.legacy
- - more extensive patch for CAN-2004-0796 (from 2.64)

* Tue Nov 16 2004 Rob Myers <rob.myers.edu> 2.63-0.2.1.legacy
- - patch for CAN-2004-0796 (FL #2268)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBxcHbGHbTkzxSL7QRAmoJAJwOFJPRNIDZE8fRvOvR5XXkJ72dEQCfQb5u
z+oltzFZ6TYBLnVPZvyR4xM=
=ym5r
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2005-03-02 16:51:41 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the package in comment 2:
9b1bc0b64756a7e3746959cf3f32ee397de9df9c  spamassassin-2.63-0.2.2.legacy.src.rpm

- - Source files match previous release
- - Patch file looks good (RH patch did look broken)
- - Spec file changes good

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCJnuyLMAs/0C4zNoRAlplAKC/dCXxhYx0suG6bfbK8uz4CM5ywACgwD7Y
l1QUh8XB+eU2gBtAIru6mVM=
=pSKb
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2005-03-05 04:56:22 ----

Packages were pushed to updates-testing

------- Additional Comments From marcdeslauriers 2005-03-06 14:29:53 ----

Updated packages were pushed to updates-testing.

------- Additional Comments From mark.scott 2005-03-22 01:37:25 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA on FC1 spamassassin package:
e76200ac598d6cb56ec18b92cfe6ce6af0181683  spamassassin-2.63-0.2.2.legacy.i386.rpm

sha1sum ok
gpg sig ok
install ok

tested spamassassin against POC mentioned in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129337#c3

time cat 999 | spamassassin > /dev/null

real    0m46.607s
user    0m27.280s
sys     0m13.600s

I think that means it's fine. Output looks normal.

+VERIFY FC1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCQANXl2I0fYrP+68RAh1RAKCHUOp6nt2MShOjfcVS1ogy8sfSBQCgpjfE
cihr/uGq1b5CjGfgWiKim04=
=mFg4
-----END PGP SIGNATURE-----

------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2268 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2268
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here.
Reassigning to the person who moved it here, dkl.
Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
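The QA steps the reviewers walk through (check the package files against the posted sha1sums, then run the scanner over a test message and watch how long it takes) can be scripted so a regression in the DoS fix shows up as a failed check rather than a number someone has to eyeball. The harness below is an added example, not code from this bug thread, from SpamAssassin or from Fedora Legacy; the package file, the manifest and the time budget it uses are constructed stand-ins, and `within_time_budget` relies on coreutils `timeout(1)` returning 124 when it kills the command.

```shell
#!/bin/sh
# Added example (not part of the bug thread): script the two QA checks the
# reviewers describe, an integrity check of the package files against a
# sha1sum manifest and a time-bounded run of the scanner.
set -eu

# verify_manifest MANIFEST DIR
#   MANIFEST holds "sha1  filename" lines in the format posted in the thread
#   and must be an absolute path, because the check runs from inside DIR.
#   Returns 0 only if every listed file matches its recorded digest.
verify_manifest() {
    manifest=$1
    dir=$2
    ( cd "$dir" && sha1sum -c "$manifest" >/dev/null 2>&1 )
}

# within_time_budget SECONDS CMD [ARGS...]
#   Runs CMD under timeout(1). Returns 0 if CMD finishes within the budget,
#   1 if it had to be killed for running too long (the symptom of this DoS),
#   and CMD's own non-zero exit status for any other failure.
within_time_budget() {
    budget=$1
    shift
    rc=0
    timeout "$budget" "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 124 ]; then
        return 1
    fi
    return "$rc"
}

# demo: exercise both checks on constructed inputs (no real rpm, no real
# scanner). The digest is computed here, not copied from the thread.
demo() {
    work=$(mktemp -d)
    printf 'not a real rpm\n' > "$work/spamassassin-test.i386.rpm"
    ( cd "$work" && sha1sum spamassassin-test.i386.rpm > sha1sums.txt )

    verify_manifest "$work/sha1sums.txt" "$work" && echo "sha1sum ok"

    # Tamper with the package: the manifest check must now fail.
    printf 'tampered\n' >> "$work/spamassassin-test.i386.rpm"
    verify_manifest "$work/sha1sums.txt" "$work" || echo "sha1sum mismatch detected"

    # A fast command stays inside the budget; a slow one is reported as a
    # budget overrun rather than as an ordinary failure.
    within_time_budget 5 true && echo "scan finished within budget"
    within_time_budget 1 sleep 3 || echo "scan exceeded budget (rc=$?)"

    rm -rf "$work"
}

demo
```

In real use the `true`/`sleep` stand-ins become `spamassassin < message`, the manifest is the sha1sums block from the update announcement, and the budget is whatever the baseline run of the same message on the unpatched build tells you is unreasonable; a `gpg --verify` of the signed announcement belongs in front of `verify_manifest`, since the manifest is only as trustworthy as the signature over it.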
Updated packages were released for this issue.
FWIW, FC2 bug #129284 was never resolved, and now it's a Legacy issue.