--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-5096
2010-03-23 23:06:37
--------------------------------------------------------------------------------

Name        : spamass-milter
Product     : Fedora 12
Version     : 0.3.1
Release     : 18.fc12
URL         : http://savannah.nongnu.org/projects/spamass-milt/
Summary     : Milter (mail filter) for spamassassin
Description :
A milter (Mail Filter) application that pipes incoming mail (including things
received by rmail/UUCP) through SpamAssassin, a highly customizable spam
filter. A milter-compatible MTA such as Sendmail or Postfix is required.

--------------------------------------------------------------------------------
Update Information:

This update includes a fix for a problem where if the milter is running using
the "-x" option to expand aliases before passing inbound mail through
SpamAssassin, a malicious client using a carefully-crafted SMTP session could
execute arbitrary code on the mail server. The fix avoids the use of a shell in
the alias expansion and hence there is no longer a problem with having to
sanitize input from the client.

This problem has been assigned CVE-2010-1132, which is tracked upstream at
https://savannah.nongnu.org/bugs/?29136

The update also contains improved Received-header-generation for message
submission and a fix for a problem where the milter would erroneously log
warnings about the mail server's configuration when the first message from a
non-authenticated client passed through. As part of the fix for this issue, the
required milter macro configuration for the mail server has changed slightly:
see the README file included in the package for details.

--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 23 2010 Paul Howarth <[email protected]> 0.3.1-18
- Add patch to get rid of compiler warnings
- Reorder and re-base patches to optimize chances of upstream accepting them
- Improve Received-header patch (#496763) incorporating additional fix from
  upstream update (http://savannah.nongnu.org/bugs/?17178)
* Fri Mar 12 2010 Paul Howarth <[email protected]> 0.3.1-17
- Update initscript to support running the milter as root, which is needed
  for the -x (expand aliases) option; note that the milter does not run as
  root by default
- Add patch for popen unsanitized input vulnerability (#572117, #572119,
  http://savannah.nongnu.org/bugs/?29136)
- Rebase authuser patch
- Update patch adding auth info to dummy Received-header so that it doesn't
  generate spurious warnings about missing macros (#532266), and update and
  merge the macro documentation patch into this patch
- Document patch usage in spec file
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #572117 - SpamAssassin Mail Filter: Arbitrary shell command injection (privilege escalation)
        https://bugzilla.redhat.com/show_bug.cgi?id=572117
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update spamass-milter' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
