RHEL4U3 should upgrade to the (not yet released) spamassassin-3.0.5 in order to fix multiple denial of service issues and many bugs. This maintenance release improves both runtime safety and spam detection accuracy.

Justification
=============
- Spamassassin must constantly evolve in an arms race with hostile entities on the Internet.
- Thus it must upgrade periodically in order to remain useful.
- 3.x retains API/ABI compatibility with 3rd party software [1]
- No QA resources are required. Warren will handle all testing.
- Low risk changes due to conservative upstream development policy

Most Important Bugs
===================
- Bug #161785 where our init.d service script fails to restart the spamassassin service because killing the previous spamd failed.
- Multiple Denial of Service vulnerabilities [1]
- Failure case where spamassassin can be easily tricked into not scanning a message, causing complete failure of the filter.
- Many other bug fixes that improve the ability to correctly classify spam.

Low Risk
========
All patches added to 3.0.x by ASF policy must be only bugfixes following a careful "RTC" process, that is Review then Commit. Each change must be reviewed and gain two votes by upstream developers in order to be added. Warren is doing much real-world and synthetic testing, and also among FC3 and FC4 users. Warren personally has reviewed and tested every patch that has been added since 3.0.4 in addition to the upstream RTC voting procedure. Risk is furthermore reduced because everything being added to 3.0.5 is not "new" code but rather code backported from 3.1.0, the next stable series.

[1] Theoretically the 3.1.0 release of the next stable series is fully compatible and "safe" to drop in to RHEL4. However, in order to reduce risk I instead wish to backport fixes into 3.0.x for one final 3.0.x maintenance release for RHEL4. In the future, when the 3.1.x series is more proven in production, it would be appropriate to investigate putting that into RHEL4. For example, RHEL4U4 could do great with spamassassin-3.1.2.

[2] All of these issues are already fixed in upstream's 3.1.0 release; however, they have neglected to mention any of the details in public. Details are forthcoming.
CVE-2005-3351 Spamassassin DoS http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4570
Removing embargo
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0129.html