Security Advisory spamassassin security update

Advisory: RHSA-2004:451-05
Type: Security Advisory
Severity: Important
Issued on: 2004-09-30
Last updated on: 2004-09-30
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2004-0796

Details

An updated spamassassin package that fixes a denial of service bug when
parsing malformed messages is now available.

SpamAssassin provides a way to reduce unsolicited commercial email (SPAM)
from incoming email.

A denial of service bug has been found in SpamAssassin versions below 2.64.
A malicious attacker could construct a message in such a way that would
cause spamassassin to stop responding, potentially preventing the delivery
or filtering of email. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0796 to this issue.

Users of SpamAssassin should update to these updated packages which contain
a backported patch and is not vulnerable to this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
spamassassin-2.55-3.2.src.rpm
File outdated by:  RHBA-2004:598
    dc61064510ef1814b033366f15838f7d
 
IA-32:
spamassassin-2.55-3.2.i386.rpm
File outdated by:  RHBA-2004:598
    52dea7b072ab36c717be6fe70e8b72da
 
x86_64:
spamassassin-2.55-3.2.x86_64.rpm
File outdated by:  RHBA-2004:598
    a49500110469d36992245f63ca0ba7ec
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
spamassassin-2.55-3.2.src.rpm
File outdated by:  RHBA-2004:598
    dc61064510ef1814b033366f15838f7d
 
IA-32:
spamassassin-2.55-3.2.i386.rpm
File outdated by:  RHBA-2004:598
    52dea7b072ab36c717be6fe70e8b72da
 
IA-64:
spamassassin-2.55-3.2.ia64.rpm
File outdated by:  RHBA-2004:598
    a53253a30f1eac9bfa99cf48864fbea0
 
PPC:
spamassassin-2.55-3.2.ppc.rpm
File outdated by:  RHBA-2004:598
    f14d7231b8eeb09f44e6a7526d4dba4f
 
s390:
spamassassin-2.55-3.2.s390.rpm
File outdated by:  RHBA-2004:598
    a7fb9f360bffaa24ecd5da9b3406ba1a
 
s390x:
spamassassin-2.55-3.2.s390x.rpm
File outdated by:  RHBA-2004:598
    d259c8305d3661fe8137badccd4dee8c
 
x86_64:
spamassassin-2.55-3.2.x86_64.rpm
File outdated by:  RHBA-2004:598
    a49500110469d36992245f63ca0ba7ec
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
spamassassin-2.55-3.2.src.rpm
File outdated by:  RHBA-2004:598
    dc61064510ef1814b033366f15838f7d
 
IA-32:
spamassassin-2.55-3.2.i386.rpm
File outdated by:  RHBA-2004:598
    52dea7b072ab36c717be6fe70e8b72da
 
IA-64:
spamassassin-2.55-3.2.ia64.rpm
File outdated by:  RHBA-2004:598
    a53253a30f1eac9bfa99cf48864fbea0
 
x86_64:
spamassassin-2.55-3.2.x86_64.rpm
File outdated by:  RHBA-2004:598
    a49500110469d36992245f63ca0ba7ec
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
spamassassin-2.55-3.2.src.rpm
File outdated by:  RHBA-2004:598
    dc61064510ef1814b033366f15838f7d
 
IA-32:
spamassassin-2.55-3.2.i386.rpm
File outdated by:  RHBA-2004:598
    52dea7b072ab36c717be6fe70e8b72da
 
IA-64:
spamassassin-2.55-3.2.ia64.rpm
File outdated by:  RHBA-2004:598
    a53253a30f1eac9bfa99cf48864fbea0
 
x86_64:
spamassassin-2.55-3.2.x86_64.rpm
File outdated by:  RHBA-2004:598
    a49500110469d36992245f63ca0ba7ec
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

129337 - CAN-2004-0796 DOS attack open to certain malformed messages


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/