No mention of if this is exploitable when spamassassin is used by MailScanner?
James > -----Original Message----- > From: Martin Schulze [mailto:[EMAIL PROTECTED] > Sent: Tuesday, 6 June 2006 19:18 > To: Debian Security Announcements > Subject: [SECURITY] [DSA 1090-1] New spamassassin packages fix remote > command execution > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - ------------------------------------------------------------------------ > -- > Debian Security Advisory DSA 1090-1 [EMAIL PROTECTED] > http://www.debian.org/security/ Martin Schulze > June 6th, 2006 http://www.debian.org/security/faq > - ------------------------------------------------------------------------ > -- > > Package : spamassassin > Vulnerability : programming error > Problem type : remote > Debian-specific: no > CVE ID : CVE-2006-2447 > > A vulnerability has been discoverd in SpamAssassin, a Perl-based spam > filter using text analysis, that can allow remote attackers to execute > arbitrary commands. This problem only affects systems where spamd is > reachable via the internet and used with vpopmail virtual users, via > the "-v" / "--vpopmail" switch, and with the "-P" / "--paranoid" > switch which is not the default setting on Debian. > > The old stable distribution (woody) is not affected by this problem. > > For the stable distribution (sarge) this problem has been fixed in > version 3.0.3-2sarge1. > > For the volatile archive for the stable distribution (sarge) this > problem has been fixed in version 3.1.0a-0volatile3. > > For the unstable distribution (sid) this problem has been fixed in > version 3.1.3-1. > > We recommend that you upgrade your spamd package. > > > Upgrade Instructions > - -------------------- > > wget url > will fetch the file for you > dpkg -i file.deb > will install the referenced file. > > If you are using the apt-get package manager, use the line for > sources.list as given at the end of this advisory: > > apt-get update > will update the internal database > apt-get upgrade > will install corrected packages > > You may use an automated update by adding the resources from the > footer to the proper configuration. > > > Debian GNU/Linux 3.1 alias sarge > - -------------------------------- > > Source archives: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin _3 > .0.3-2sarge1.dsc > Size/MD5 checksum: 788 f9cce6d19fd73d0d62561a14672e9564 > > http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin _3 > .0.3-2sarge1.diff.gz > Size/MD5 checksum: 45414 8804e76766eefa4324509b94dc005afa > > http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin _3 > .0.3.orig.tar.gz > Size/MD5 checksum: 999558 ca96f23cd1eb7d663ab55db98ef8090c > > Architecture independent components: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin _3 > .0.3-2sarge1_all.deb > Size/MD5 checksum: 769158 c4f10367da201b11d09a1c15da946f3b > > Alpha architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_alpha.deb > Size/MD5 checksum: 61720 3415e7c2962d21b897c6301c8ce88d8c > > AMD64 architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_amd64.deb > Size/MD5 checksum: 59700 4ee41384f107a46440c74bd2c6ff3cd4 > > ARM architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_arm.deb > Size/MD5 checksum: 58494 909e85063300d2ddfc38270e19f39b9c > > Intel IA-32 architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_i386.deb > Size/MD5 checksum: 57626 adb71b8190e535646d936333da1180ca > > Intel IA-64 architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_ia64.deb > Size/MD5 checksum: 65166 63435fc25e69eb3dcbdd95b9f682fbe5 > > HP Precision architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_hppa.deb > Size/MD5 checksum: 60366 7eb8b16a9701e96f2298cb0506bc2aa9 > > Motorola 680x0 architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_m68k.deb > Size/MD5 checksum: 57672 66ca12aa5edec5380b6d8eb959fab045 > > Big endian MIPS architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_mips.deb > Size/MD5 checksum: 60362 98cf7bd2a3db3fa65b9f6ded3891a695 > > Little endian MIPS architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_mipsel.deb > Size/MD5 checksum: 60354 47bc85b216aad03d54f2a7a342cef760 > > PowerPC architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_powerpc.deb > Size/MD5 checksum: 60730 c408427db34e9d38c982190c8e8ff8d5 > > IBM S/390 architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_s390.deb > Size/MD5 checksum: 59574 b3fc066015148c10ad11d4055a1a2289 > > Sun Sparc architecture: > > > http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3- > 2sarge1_sparc.deb > Size/MD5 checksum: 58492 a20e3d4ed9fd9a9d013f380e0f4b3c33 > > > These files will probably be moved into the stable distribution on > its next update. > > - ------------------------------------------------------------------------ > --------- > For apt-get: deb http://security.debian.org/ stable/updates main > For dpkg-ftp: ftp://security.debian.org/debian-security > dists/stable/updates/main > Mailing list: [email protected] > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.3 (GNU/Linux) > > iD8DBQFEhUg2W5ql+IAeqTIRAqYvAJ9zROIt29/b4xbxABryGPfIyY1LmQCfeVAg > HIBRtO9PaYZZAg7rsdQEcJs= > =wS/1 > -----END PGP SIGNATURE----- > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED]
