There is a DoS in apparently all versions of spamassassin prior to
3.1.8 (which is not released yet). A carefully crafted message can
cause SpamAssassin to consume significant resources which could lead
to a DoS if an attacker sends many such messages:
Also affects RHEL4.
I presume this flaw affects RHEL3 as well. Is the plan to upgrade to
spamassassin 3.1.8, or to backport this fix?
It appears we lucked out. RHEL3 is not affected in such a dangerous way. Just
a slight delay, and no huge CPU or memory usage. I suspect we need not touch it
for this CVE. Will do further verification.
Upstream is releasing 3.1.8 today, and I am pushing it to Fedora now.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.