From mstone@klecker.debian.org Fri Jul 1 07:11:14 2005 From: Michael Stone Resent-From: list@murphy.debian.org (SmartList) To: debian-security-announce@lists.debian.org Date: Fri, 01 Jul 2005 04:12:06 +0200 Reply-To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] [SECURITY] [DSA 736-1] New spamassassin packages fix potential DOS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory 736-1 security@debian.org http://www.debian.org/security/ Michael Stone July 01, 2005 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : spamassassin Vulnerability : mail header parsing error Problem type : remote DOS Debian-specific: no CVE Id(s) : CAN-2005-1266 Debian Bug : 314447 A vulnerability was recently found in the way that SpamAssassin parses certain email headers. This vulnerability could cause SpamAssassin to consume a large number of CPU cycles when processing messages containing these headers, leading to a potential denial of service (DOS) attack. The version of SpamAssassin in the old stable distribution (woody) is not vulnerable. For the stable distribution (sarge), this problem has been fixed in version 3.0.3-2. Note that packages are not yet ready for certain architectures; these will be released as they become available. For the unstable distribution (sid), this problem has been fixed in version 3.0.4-1. We recommend that you upgrade your sarge or sid spamassassin package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 3.1 (sarge) - ------------------ Source archives: http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2.diff.gz Size/MD5 checksum: 44610 b1b383fc4f9dc0792ecd954fa99aaa56 http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3.orig.tar.gz Size/MD5 checksum: 999558 ca96f23cd1eb7d663ab55db98ef8090c http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2.dsc Size/MD5 checksum: 776 4f3092c679992ad322598f4195f4800c Architecture independent packages: http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2_all.deb Size/MD5 checksum: 768948 b2d7f49923aa67d8a016e5a3b3545249 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_alpha.deb Size/MD5 checksum: 61552 84fcd819583c747545fda079a074d987 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_i386.deb Size/MD5 checksum: 58438 18138ce49c9d249fb5d93487e60481a2 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_ia64.deb Size/MD5 checksum: 65020 65e214d1922317d511e23c32f7e19ff6 m68k architecture (Motorola Mc680x0) http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_m68k.deb Size/MD5 checksum: 57536 b13aad3cb78a148e8838ddfdb301dbd5 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_mips.deb Size/MD5 checksum: 60228 8578263361ff0e95ed0bddc2493d620e mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_mipsel.deb Size/MD5 checksum: 60202 2338edb2f9679396005d490232147b7b powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_powerpc.deb Size/MD5 checksum: 60578 e547e452fc5e7ed28b04065af1b677a0 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_s390.deb Size/MD5 checksum: 59436 32ab8a7fef23ac35912ae51cc22aad29 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2_sparc.deb Size/MD5 checksum: 58370 8791b8226b25a0bc5381f39257ecd547 - ------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iQCVAwUBQsSl5w0hVr09l8FJAQJckQP+It+rZFa4xKdZUM5f3OWBXEOUdxbsZ3vB Q/2V/PHyNOP2xXT81M+ZUXk+Tggi4TuBFaxXfg/gHOuYE7vcfBfT/hpxjvgDgTXI PDUQSpdRjmPMgQq84eUryJzQNwwXv5iVFjeKDrDTDd3qnBja707XZTUuotYGgUp2 KdvwCAkNzrE= =TN0J -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/