Bug 171325 - CVE-2005-3351 Upgrade to spamassassin-3.0.5
Summary: CVE-2005-3351 Upgrade to spamassassin-3.0.5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: spamassassin
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Warren Togami
QA Contact:
URL:
Whiteboard: impact=moderate,public=20050905,impac...
Depends On: 171594
Blocks: 168429
TreeView+ depends on / blocked
 
Reported: 2005-10-20 20:19 UTC by Warren Togami
Modified: 2013-01-10 03:39 UTC (History)
3 users (show)

Fixed In Version: RHSA-2006-0129
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-03-07 18:23:26 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0129 0 qe-ready SHIPPED_LIVE Moderate: spamassassin security update 2006-03-07 05:00:00 UTC

Description Warren Togami 2005-10-20 20:19:02 UTC 
RHEL4U3 should upgrade to the (not yet released) spamassassin-3.0.5 in order to
fix multiple denial of service issues and many bugs.  This maintenance release
improves both runtime safety and spam detection accuracy.

Justification
=============
- Spamassassin must constantly evolve in an arms race with hostile entities on
the Internet.
- Thus it must upgrade periodically in order to remain useful.
- 3.x retains API/ABI compatibiltiy with 3rd party software [1]
- No QA resources are required.  Warren will handle all testing.
- Low risk changes due to conservative upstream development policy

Most Important Bugs
===================
- Bug #161785 where our init.d service script fails to restart the spamassassin
service because killing the previous spamd failed.
- Multiple Denial of Service vulnerabilities [1]
- Failure case where spamassassin can be easily tricked into not scanning a
message, causing complete failure of the filter.
- Many other bugs fixes that improve ability to correctly classify spam. 

Low Risk
========
All patches added to 3.0.x by ASF policy must be only bugfixes following a
careful "RTC" process, that is Review then Commit.  Each change must be reviewed
and gain two votes by upstream developers in order to be added.  Warren is doing
much real-world and synthetic testing, and also among FC3 and FC4 users.

Warren personally has reviewed and tested every patch that has been added since
3.0.4 in addition to the upstream RTC voting procedure.  Risk is furthermore
reduced because everything being added to 3.0.5 is not "new" code but rather
code backported from 3.1.0, the next stable series.

[1] Theoretically the 3.1.0 release of the next stable series is a fully
compatible and "safe" to drop-in to RHEL4.  However in order to reduce risk I
instead wish to backport fixes into 3.0.x for one final 3.0.x maintenance
release for RHEL4.  In the future when the 3.1.x series is more proven in
production then it would be appropriate to investigate putting that into RHEL4.
 For example, RHEL4U4 could do great with spamassassin-3.1.2.

[2] All of these issues are already fixed in upstream's 3.1.0 release, however
they have neglected to mention any of the details in public.  Details are
forthcoming.
Comment 5 Mark J. Cox 2005-11-01 11:27:55 UTC 
CVE-2005-3351 Spamassassin DoS
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4570
Comment 7 Josh Bressers 2006-03-07 15:47:20 UTC 
Removing embargo
Comment 8 Red Hat Bugzilla 2006-03-07 18:23:26 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0129.html
Note You need to log in before you can comment on or make changes to this bug.