Bug 171325 - CVE-2005-3351 Upgrade to spamassassin-3.0.5
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: spamassassin
All Linux
medium Severity medium
Assigned To: Warren Togami
: Security
Depends On: 171594
Blocks: 168429
Reported: 2005-10-20 16:19 EDT by Warren Togami
Modified: 2013-01-09 22:39 EST

Fixed In Version: RHSA-2006-0129
Doc Type: Bug Fix
Last Closed: 2006-03-07 13:23:26 EST


External Trackers
- Red Hat Product Errata RHSA-2006:0129 "Moderate: spamassassin security update" (qe-ready, SHIPPED_LIVE), last updated 2006-03-07 00:00:00 EST

Description Warren Togami 2005-10-20 16:19:02 EDT
RHEL4U3 should upgrade to the (not yet released) spamassassin-3.0.5 in order to
fix multiple denial of service issues and many bugs.  This maintenance release
improves both runtime safety and spam detection accuracy.

- Spamassassin must constantly evolve in an arms race with hostile entities on
the Internet.
- Thus it must upgrade periodically in order to remain useful.
- 3.x retains API/ABI compatibility with 3rd party software [1]
- No QA resources are required.  Warren will handle all testing.
- Low risk changes due to conservative upstream development policy

Most Important Bugs
- Bug #161785 where our init.d service script fails to restart the spamassassin
service because killing the previous spamd failed.
- Multiple Denial of Service vulnerabilities [2]
- Failure case where spamassassin can be easily tricked into not scanning a
message, causing complete failure of the filter.
- Many other bug fixes that improve the ability to correctly classify spam.

Low Risk
All patches added to 3.0.x by ASF policy must be only bugfixes following a
careful "RTC" process, that is Review then Commit.  Each change must be reviewed
and gain two votes by upstream developers in order to be added.  Warren is doing
much real-world and synthetic testing, and also among FC3 and FC4 users.

Warren personally has reviewed and tested every patch that has been added since
3.0.4 in addition to the upstream RTC voting procedure.  Risk is furthermore
reduced because everything being added to 3.0.5 is not "new" code but rather
code backported from 3.1.0, the next stable series.

[1] Theoretically the 3.1.0 release of the next stable series is fully
compatible and "safe" to drop into RHEL4.  However, in order to reduce risk I
instead wish to backport fixes into 3.0.x for one final 3.0.x maintenance
release for RHEL4.  In the future, when the 3.1.x series is more proven in
production, it would be appropriate to investigate putting that into RHEL4.
For example, RHEL4U4 could do great with spamassassin-3.1.2.

[2] All of these issues are already fixed in upstream's 3.1.0 release; however,
they have neglected to mention any of the details in public.  Details are
Comment 5 Mark J. Cox 2005-11-01 06:27:55 EST
CVE-2005-3351 Spamassassin DoS
Comment 7 Josh Bressers 2006-03-07 10:47:20 EST
Removing embargo
Comment 8 Red Hat Bugzilla 2006-03-07 13:23:26 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.