There is a DoS in apparently all versions of spamassassin prior to 3.1.8 (which is not released yet). A carefully crafted message can cause SpamAssassin to consume significant resources which could lead to a DoS if an attacker sends many such messages: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5318 Also affects RHEL4. Patch here: http://svn.apache.org/viewvc?view=rev&revision=507102
I presume this flaw affects RHEL3 as well. Is the plan to upgrade to spamassassin 3.1.8, or to backport this fix?
It appears we lucked out. RHEL3 is not affected in such a dangerous way. Just a slight delay, and no huge CPU or memory usage. I suspect we need not touch it for this CVE. Will do further verification. Upstream is releasing 3.1.8 today, and I am pushing it to Fedora now.
Lifting Embargo
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0074.html