Ok, sounds safe enough.

On Monday, December 7, 2009, Mark Martinec <[email protected]> wrote:
> On Sunday December 6 2009 13:39:51 Justin Mason wrote:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1391
>
>> Do we need to do anything about this?
>
> Probably not. The Compress::Raw::Zlib is used by Compress::Zlib
> which is used by SpamAssassin to optionally decompress spamc/spamd
> communication, at least the DependencyInfo.pm claims so.
> This could potentially be exploited by a rogue spamc-lookalike
> client (which could fabricate an arbitrary zip), but not by
> mail compressed by a regular spamc. I think the mail compressed
> attachments are not decompressed by SpamAssassin at all.
>
> On the amavisd side (as mentioned in the CVE), the version 2.017
> of Compress::Raw::Zlib is enforced since amavisd-new-2.6.4,
> released in June 2009.
>
> Mark

--
--j.
