Red Hat Bugzilla – Bug 171325
CVE-2005-3351 Upgrade to spamassassin-3.0.5
Last modified: 2013-01-09 22:39:42 EST
RHEL4U3 should upgrade to the (not yet released) spamassassin-3.0.5 in order to
fix multiple denial of service issues and many bugs. This maintenance release
improves both runtime safety and spam detection accuracy.
- Spamassassin must constantly evolve in an arms race with hostile entities on
- Thus it must upgrade periodically in order to remain useful.
- 3.x retains API/ABI compatibility with 3rd party software
- No QA resources are required. Warren will handle all testing.
- Low risk changes due to conservative upstream development policy
Most Important Bugs
- Bug #161785 where our init.d service script fails to restart the spamassassin
service because killing the previous spamd failed.
- Multiple Denial of Service vulnerabilities
- Failure case where spamassassin can be easily tricked into not scanning a
message, causing complete failure of the filter.
- Many other bug fixes that improve the ability to correctly classify spam.
All patches added to 3.0.x by ASF policy must be only bugfixes following a
careful "RTC" process, that is Review then Commit. Each change must be reviewed
and gain two votes by upstream developers in order to be added. Warren is doing
much real-world and synthetic testing, and also among FC3 and FC4 users.
Warren personally has reviewed and tested every patch that has been added since
3.0.4 in addition to the upstream RTC voting procedure. Risk is furthermore
reduced because everything being added to 3.0.5 is not "new" code but rather
code backported from 3.1.0, the next stable series.
Theoretically the 3.1.0 release of the next stable series is fully
compatible and "safe" to drop in to RHEL4. However in order to reduce risk I
instead wish to backport fixes into 3.0.x for one final 3.0.x maintenance
release for RHEL4. In the future when the 3.1.x series is more proven in
production then it would be appropriate to investigate putting that into RHEL4.
For example, RHEL4U4 could do great with spamassassin-3.1.2.
All of these issues are already fixed in upstream's 3.1.0 release, however
they have neglected to mention any of the details in public. Details are
CVE-2005-3351 Spamassassin DoS
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.