MailScanner does not use spamd, but the perl api of spamassassin, so it is not vulnerable.
Jase

> -----Original Message-----
> From: James Harper [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 06, 2006 6:19 AM
> To: [email protected]; Debian Security Announcements
> Subject: RE: [SECURITY] [DSA 1090-1] New spamassassin packages fix remote command execution
>
> No mention of if this is exploitable when spamassassin is used by
> MailScanner?
>
> James
>
> > -----Original Message-----
> > From: Martin Schulze [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, 6 June 2006 19:18
> > To: Debian Security Announcements
> > Subject: [SECURITY] [DSA 1090-1] New spamassassin packages fix remote command execution
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > - --------------------------------------------------------------------------
> > Debian Security Advisory DSA 1090-1                    [EMAIL PROTECTED]
> > http://www.debian.org/security/                             Martin Schulze
> > June 6th, 2006                          http://www.debian.org/security/faq
> > - --------------------------------------------------------------------------
> >
> > Package        : spamassassin
> > Vulnerability  : programming error
> > Problem type   : remote
> > Debian-specific: no
> > CVE ID         : CVE-2006-2447
> >
> > A vulnerability has been discovered in SpamAssassin, a Perl-based spam
> > filter using text analysis, that can allow remote attackers to execute
> > arbitrary commands. This problem only affects systems where spamd is
> > reachable via the internet and used with vpopmail virtual users, via
> > the "-v" / "--vpopmail" switch, and with the "-P" / "--paranoid"
> > switch which is not the default setting on Debian.
> >
> > The old stable distribution (woody) is not affected by this problem.
> >
> > For the stable distribution (sarge) this problem has been fixed in
> > version 3.0.3-2sarge1.
> >
> > For the volatile archive for the stable distribution (sarge) this
> > problem has been fixed in version 3.1.0a-0volatile3.
> >
> > For the unstable distribution (sid) this problem has been fixed in
> > version 3.1.3-1.
> >
> > We recommend that you upgrade your spamd package.
> >
> >
> > Upgrade Instructions
> > - --------------------
> >
> > wget url
> >         will fetch the file for you
> > dpkg -i file.deb
> >         will install the referenced file.
> >
> > If you are using the apt-get package manager, use the line for
> > sources.list as given at the end of this advisory:
> >
> > apt-get update
> >         will update the internal database
> > apt-get upgrade
> >         will install corrected packages
> >
> > You may use an automated update by adding the resources from the
> > footer to the proper configuration.
> >
> >
> > Debian GNU/Linux 3.1 alias sarge
> > - --------------------------------
> >
> > These files will probably be moved into the stable distribution on
> > its next update.
> >
> > - ---------------------------------------------------------------------------------
> > For apt-get: deb http://security.debian.org/ stable/updates main
> > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> > Mailing list: [email protected]
> > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.3 (GNU/Linux)
> >
> > iD8DBQFEhUg2W5ql+IAeqTIRAqYvAJ9zROIt29/b4xbxABryGPfIyY1LmQCfeVAg
> > HIBRtO9PaYZZAg7rsdQEcJs=
> > =wS/1
> > -----END PGP SIGNATURE-----
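Added example (not part of the thread or of the advisory): a shell check that classifies a spamd command line against the switch combination the advisory names, "-v" / "--vpopmail" together with "-P" / "--paranoid". The function names and sample command lines are constructed for illustration; the check covers only the switches and does not test whether spamd is reachable from the internet.

```shell
#!/bin/sh
# Classify a spamd command line against the option combination named in
# DSA 1090-1: -v/--vpopmail used together with -P/--paranoid.

# has_switch SHORT LONG ARGS...
# Succeeds if ARGS contain --LONG spelled out in full, or a short-option
# token containing the letter SHORT. Bundled short options (e.g. -dvP) are
# assumed to count as each letter, so the check may over-report.
has_switch() {
    short=$1 long=$2
    shift 2
    for arg in "$@"; do
        case $arg in
            --"$long") return 0 ;;      # exact long form
            --*) ;;                     # any other long option: ignore
            -*"$short"*) return 0 ;;    # short form, alone or bundled
        esac
    done
    return 1
}

# classify_spamd_cmdline "spamd -d -v -P ..."
# Prints "affected-combination" only when both switches are present.
classify_spamd_cmdline() {
    set -f          # no globbing while the string is split into words
    set -- $1       # intentional word splitting of the command line
    set +f
    if has_switch v vpopmail "$@" && has_switch P paranoid "$@"; then
        echo "affected-combination"
    else
        echo "not-affected-combination"
    fi
}

# Constructed sample command lines (not taken from any real host).
for sample in \
    "spamd -d -c -m5 -H" \
    "spamd -d -v -u vpopmail" \
    "spamd -d --vpopmail --paranoid"
do
    printf '%-34s %s\n' "$sample" "$(classify_spamd_cmdline "$sample")"
done
```

On a live host the same function can be fed the argument string of the running spamd process or the options line from its init configuration.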

