89541 2003-02-03 16:23 /43 lines/ Daniel Ahlberg <aliz@gentoo.org>
Imported: 2003-02-03 16:23 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3326>
Subject: GLSA: Mail-SpamAssasin
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-01
- - --------------------------------------------------------------------

PACKAGE : Mail-SpamAssasin
SUMMARY : arbitrary code execution
DATE    : 2003-02-02 13:25 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

- From advisory:

"Attacker may be able to execute arbitrary code by sending a specially
crafted e-mail to a system using SpamAssassin's spamc program in BSMTP
mode (-B option). Versions from 2.40 to 2.43 are affected."

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=104342896818777&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-perl/Mail-SpamAssasin upgrade to Mail-SpamAssasin-2.44 as follows:

emerge sync
emerge -u Mail-SpamAssasin
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+PRxAfT7nyhUpoZMRAjBlAKCIBHUPx/LE/JJg130OosBtzfXNyACfY+/n
hQ1myVlS8MPcIc1BGzoLZzM=
=y8WM
-----END PGP SIGNATURE-----
(89541) /Daniel Ahlberg <aliz@gentoo.org>/----------

89561 2003-02-03 19:18 /52 lines/ Eric Vollmer <evollmer@nycap.rr.com>
Imported: 2003-02-03 19:18 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3338>
Comment on text 89541 by Daniel Ahlberg <aliz@gentoo.org>
Subject: Re: GLSA: Mail-SpamAssasin
------------------------------------------------------------
Does anyone know if this affects the Mail::SpamAssassin perl libraries
when used with amavisd-new?

Eric Vollmer

At 02:25 PM 2/2/2003 +0100, Daniel Ahlberg wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>- - --------------------------------------------------------------------
>GENTOO LINUX SECURITY ANNOUNCEMENT 200302-01
>- - --------------------------------------------------------------------
>
>PACKAGE : Mail-SpamAssasin
>SUMMARY : arbitrary code execution
>DATE : 2003-02-02 13:25 UTC
>EXPLOIT : remote
>
>- - --------------------------------------------------------------------
>
>- From advisory:
>
>"Attacker may be able to execute arbitrary code by sending a specially
>crafted e-mail to a system using SpamAssassin's spamc program in BSMTP
>mode (-B option). Versions from 2.40 to 2.43 are affected."
>
>Read the full advisory at
>http://marc.theaimsgroup.com/?l=bugtraq&m=104342896818777&w=2
>
>SOLUTION
>
>It is recommended that all Gentoo Linux users who are running
>dev-perl/Mail-SpamAssasin upgrade to Mail-SpamAssasin-2.44 as follows:
>
>emerge sync
>emerge -u Mail-SpamAssasin
>emerge clean
>
>- - --------------------------------------------------------------------
>aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
>- - --------------------------------------------------------------------
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.1 (GNU/Linux)
>
>iD8DBQE+PRxAfT7nyhUpoZMRAjBlAKCIBHUPx/LE/JJg130OosBtzfXNyACfY+/n
>hQ1myVlS8MPcIc1BGzoLZzM=
>=y8WM
>-----END PGP SIGNATURE-----
(89561) /Eric Vollmer <evollmer@nycap.rr.com>/(Re-wrapped)

89702 2003-02-05 02:35 /36 lines/ Mark Martinec <Mark.Martinec@ijs.si>
Imported: 2003-02-05 02:35 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3390>
Subject: Re: GLSA: Mail-SpamAssasin
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----

From: Eric Vollmer
| Does anyone know if this affects the Mail::SpamAssassin
| perl libraries
| when used with amavisd-new?

The bug described in
  http://marc.theaimsgroup.com/?l=bugtraq&m=104342896818777&w=2
is in the C code of the spamc program. It is not in the
Mail::SpamAssassin Perl module.

Amavisd-new ( http://www.ijs.si/software/amavisd/ ) calls the
Mail::SpamAssassin Perl module directly, and does not use
spamc/spamd. It is unaffected by this bug.

Regards
  Mark

- --
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Mark Martinec (system manager)    tel +386 1 4773-575  !!
!! J. Stefan Institute, Jamova 39    fax +386 1 2519-385  !!
!! SI-1000 Ljubljana, Slovenia       mark.martinec@ijs.si !!
!!!!!!!!!!!!!!!!!!!!!!!!!! http://www.ijs.si/people/mark/ !!!!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPkAro1oeOlRDTxRxAQEQ9QP/Zhvm7ZG9Y0cwmDl/ZlTwUkBs+jTEWS9+
iahbXYUz9cgFssixvobSzE87+OsGmuXjH686pvfGgCd8tSQFJS21u4E/Z2c+S/Tb
f3EEGDOWI7XCSjxlqpEWdxfKavRuOPMJxG4vLnFkbyYpxjE+BfScG91YQ89u3XGU
HldabmQ64zM=
=ZGGm
-----END PGP SIGNATURE-----
(89702) /Mark Martinec <Mark.Martinec@ijs.si>/------
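
Added example (not part of the thread, and not code from Gentoo or SpamAssassin): a shell triage that combines the advisory's two exposure conditions, a spamc version from 2.40 to 2.43 and an invocation with -B, and that, in line with the last reply, looks only at spamc command lines. The function names, the sample configuration lines and the handling of a packaging suffix such as -r1 are assumptions.

```sh
#!/bin/sh
# Triage for GLSA 200302-01: exposure needs BOTH an affected spamc version
# (2.40 through 2.43) AND an invocation in BSMTP mode (-B).

# version_affected VERSION: succeeds for 2.40..2.43, with or without a
# packaging suffix such as "-r1" (suffix handling is an assumption).
version_affected() {
    case "$1" in
        2.4[0-3]|2.4[0-3][-_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# bsmtp_invocations FILE: prints "lineno: line" for each non-comment line
# that runs spamc with -B, alone or bundled with other short flags.
bsmtp_invocations() {
    awk '
    /^[ \t]*#/ { next }
    {
        in_spamc = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ "(^|[|/])spamc$") { in_spamc = 1; continue }
            if ($i ~ "^[|;&]+$")       { in_spamc = 0; continue }  # next command
            if (in_spamc && $i ~ "^-[A-Za-z]*B[A-Za-z]*$") {
                print NR ": " $0
                break
            }
        }
    }' "$1"
}

# exposed VERSION FILE: succeeds only when both conditions hold.
exposed() {
    version_affected "$1" && [ -n "$(bsmtp_invocations "$2")" ]
}

# Constructed sample of mail-filter command lines; not taken from the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
filter_cmd = /usr/bin/spamc -d 127.0.0.1 -B
| /usr/bin/spamc -u alice
# | spamc -B
EOF

for v in 2.43 2.44; do
    if exposed "$v" "$sample"; then
        echo "spamc $v: exposed via:"; bsmtp_invocations "$sample"
    else
        echo "spamc $v: not exposed by this file"
    fi
done
```

A setup that calls the Mail::SpamAssassin Perl module directly has no spamc command line, so the scan reports nothing for it.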