[SECURITY] [DSA 736-2] New spamassassin packages fix potential DOS

2005-07-0801:14:40

lists.debian.org

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Debian Security Advisory DSA 736-2 [email protected]
http://www.debian.org/security/ Michael Stone
July 07, 2005 http://www.debian.org/security/faq

Package : spamassassin
Vulnerability : mail header parsing error
Problem type : remote DOS
Debian-specific: no
CVE Id(s) : CAN-2005-1266
Debian Bug : 314447

A vulnerability was recently found in the way that SpamAssassin parses
certain email headers. This vulnerability could cause SpamAssassin to
consume a large number of CPU cycles when processing messages containing
these headers, leading to a potential denial of service (DOS) attack.

The version of SpamAssassin in the old stable distribution (woody) is
not vulnerable.

For the stable distribution (sarge), this problem has been fixed in
version 3.0.3-2. Note that packages are not yet ready for certain
architectures; these will be released as they become available.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.4-1.

The only change since DSA 736-1 is the addition of packages for certain
architectures that were not available at the time of the original
advisory.

We recommend that you upgrade your sarge or sid spamassassin package.

Upgrade instructions

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (sarge)

sarge was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc. Packages were released for all but arm and hppa in DSA 736-1.

arm architecture (ARM)

http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_arm.deb
  Size/MD5 checksum:    58362 cf463ef4d601f3f6502f891eef928451

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_hppa.deb
  Size/MD5 checksum:    60236 4f6c26a0c8ac1249aa38c17040b18d97

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

OSVersionArchitecturePackageVersionFilename
Debian3.1hppaspamc< 3.0.3-2spamc_3.0.3-2_hppa.deb
Debian3.1allspamassassin< 3.0.3-2spamassassin_3.0.3-2_all.deb
Debian3.1m68kspamc< 3.0.3-2spamc_3.0.3-2_m68k.deb
Debian3.1powerpcspamc< 3.0.3-2spamc_3.0.3-2_powerpc.deb
Debian3.1armspamc< 3.0.3-2spamc_3.0.3-2_arm.deb
Debian3.1mipsspamc< 3.0.3-2spamc_3.0.3-2_mips.deb
Debian3.1s390spamc< 3.0.3-2spamc_3.0.3-2_s390.deb
Debian3.1mipselspamc< 3.0.3-2spamc_3.0.3-2_mipsel.deb
Debian3.1i386spamc< 3.0.3-2spamc_3.0.3-2_i386.deb
Debian3.1amd64spamc< 3.0.3-2spamc_3.0.3-2_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	3.1	hppa	spamc	< 3.0.3-2	spamc_3.0.3-2_hppa.deb
Debian	3.1	all	spamassassin	< 3.0.3-2	spamassassin_3.0.3-2_all.deb
Debian	3.1	m68k	spamc	< 3.0.3-2	spamc_3.0.3-2_m68k.deb
Debian	3.1	powerpc	spamc	< 3.0.3-2	spamc_3.0.3-2_powerpc.deb
Debian	3.1	arm	spamc	< 3.0.3-2	spamc_3.0.3-2_arm.deb
Debian	3.1	mips	spamc	< 3.0.3-2	spamc_3.0.3-2_mips.deb
Debian	3.1	s390	spamc	< 3.0.3-2	spamc_3.0.3-2_s390.deb
Debian	3.1	mipsel	spamc	< 3.0.3-2	spamc_3.0.3-2_mipsel.deb
Debian	3.1	i386	spamc	< 3.0.3-2	spamc_3.0.3-2_i386.deb
Debian	3.1	amd64	spamc	< 3.0.3-2	spamc_3.0.3-2_amd64.deb