--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-5176
2010-03-23 23:08:56
--------------------------------------------------------------------------------
Name        : spamass-milter
Product     : Fedora 11
Version     : 0.3.1
Release     : 18.fc11
URL         : http://savannah.nongnu.org/projects/spamass-milt/
Summary     : Milter (mail filter) for spamassassin
Description :
A milter (Mail Filter) application that pipes incoming mail (including things
received by rmail/UUCP) through SpamAssassin, a highly customizable spam
filter. A milter-compatible MTA such as Sendmail or Postfix is required.
--------------------------------------------------------------------------------
Update Information:

This update includes a fix for a problem where, if the milter is running with
the "-x" option to expand aliases before passing inbound mail through
SpamAssassin, a malicious client using a carefully-crafted SMTP session could
execute arbitrary code on the mail server. The alias expansion previously
passed client-supplied data to a shell; the fix avoids the use of a shell in
the alias expansion, so input from the client no longer has to be sanitized
for shell metacharacters. Note that the "-x" option requires the milter to run
as root (it does not run as root by default; see the ChangeLog below), so a
successful attack against an affected configuration runs commands with root
privileges. This problem has been assigned CVE-2010-1132, which is tracked
upstream at https://savannah.nongnu.org/bugs/?29136

The update also contains improved Received-header generation for message
submission and a fix for a problem where the milter would erroneously log
warnings about the mail server's configuration when the first message from a
non-authenticated client passed through. As part of the fix for this issue,
the required milter macro configuration for the mail server has changed
slightly: see the README file included in the package for details.
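The following is an added illustration of the two patterns the advisory contrasts; it is not spamass-milter's own code and not the upstream patch. It builds the alias-expansion command the vulnerable way (popen() on a string that contains the RCPT TO address, so /bin/sh interprets it) beside the hardened way (fork()/execv() with an argv array, so no shell is involved). Assumptions: /bin/echo stands in for the real expansion tool ("sendmail -bv" is not available offline), the sample address with its harmless ";echo INJECTED" payload is constructed for the demo, and the leading-'-' refusal in the hardened path is an extra option-injection check of my own, not something the advisory describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define OUTLEN 4096

/* Constructed sample RCPT TO address carrying a shell metacharacter sequence.
 * The payload is harmless (it only echoes a marker); it exists to show whether
 * the expansion path hands the address to a shell. */
static const char *const SAMPLE_RCPT = "victim@example.com;echo INJECTED";

/* Stand-in for the MTA's alias-expansion tool (assumption: the real tool is
 * something like "sendmail -bv", which cannot be run offline here). */
static const char *const TOOL = "/bin/echo";

/* Vulnerable pattern (illustrative, not spamass-milter's actual code): the
 * recipient from the SMTP session is spliced into a command string, and
 * popen() runs that string via "/bin/sh -c", so ';', '`', '$(...)' and
 * similar sequences in the address are interpreted by the shell. */
static int expand_with_shell(const char *tool, const char *rcpt, char *out, size_t outlen)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "%s -bv %s", tool, rcpt);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    size_t got = fread(out, 1, outlen - 1, fp);
    out[got] = '\0';
    return pclose(fp);
}

/* Hardened pattern: fork()/execv() with an argv array. No shell ever sees the
 * recipient; it reaches the tool as exactly one argv element, so shell
 * metacharacters are inert. A leading '-' is refused so the address cannot be
 * parsed as an option by the tool (my own added check, not from the advisory). */
static int expand_without_shell(const char *tool, const char *rcpt, char *out, size_t outlen)
{
    int pfd[2];
    if (rcpt[0] == '-' || rcpt[0] == '\0')
        return -1;
    if (pipe(pfd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                          /* child: run the tool, stdout -> pipe */
        close(pfd[0]);
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[1]);
        char *const argv[] = { (char *)tool, "-bv", (char *)rcpt, NULL };
        execv(tool, argv);
        _exit(127);
    }
    close(pfd[1]);                           /* parent: collect the child's output */
    size_t got = 0;
    ssize_t r;
    while (got < outlen - 1 && (r = read(pfd[0], out + got, outlen - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(pfd[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return status;
}

/* 1 if the popen() path executed the injected command (the marker shows up as
 * a separate output line), 0 if not, -1 on error. */
int shell_path_executes_injection(void)
{
    char out[OUTLEN];
    if (expand_with_shell(TOOL, SAMPLE_RCPT, out, sizeof out) < 0)
        return -1;
    return strstr(out, "\nINJECTED\n") != NULL;
}

/* 1 if the execv() path delivered the whole address verbatim as one argument
 * (the tool echoes it back unchanged and nothing else ran), 0 if not, -1 on error. */
int exec_path_passes_verbatim(void)
{
    char out[OUTLEN];
    if (expand_without_shell(TOOL, SAMPLE_RCPT, out, sizeof out) < 0)
        return -1;
    return strcmp(out, "-bv victim@example.com;echo INJECTED\n") == 0;
}

int main(void)
{
    printf("popen path ran injected command:    %d\n", shell_path_executes_injection());
    printf("execv path passed address verbatim: %d\n", exec_path_passes_verbatim());
    return 0;
}
```

With the shell path the marker appears on its own line, proving the second command ran; with the exec path the address comes back as one literal argument. The lesson generalizes beyond this milter: any time a network-supplied string is spliced into popen() or system(), escaping is fragile, and replacing the shell with an argv-based exec removes the whole class of bug.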
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 23 2010 Paul Howarth <[email protected]> 0.3.1-18
- Add patch to get rid of compiler warnings
- Reorder and re-base patches to optimize chances of upstream accepting them
- Improve Received-header patch (#496763) incorporating additional fix from
  upstream update (http://savannah.nongnu.org/bugs/?17178)
* Fri Mar 12 2010 Paul Howarth <[email protected]> 0.3.1-17
- Update initscript to support running the milter as root, which is needed for
  the -x (expand aliases) option; note that the milter does not run as root by
  default
- Add patch for popen unsanitized input vulnerability (#572117, #572119,
  http://savannah.nongnu.org/bugs/?29136)
- Rebase authuser patch
- Update patch adding auth info to dummy Received-header so that it doesn't
  generate spurious warnings about missing macros (#532266), and update and
  merge the macro documentation patch into this patch
- Document patch usage in spec file
* Tue Aug 11 2009 Paul Howarth <[email protected]> 0.3.1-16
- Switch to bzipped source tarball
* Sun Jul 26 2009 Fedora Release Engineering <[email protected]> 0.3.1-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Fri Apr 24 2009 Paul Howarth <[email protected]> 0.3.1-14
- Fix Received-header generation (#496763)
- Add authentication info to dummy Received-header (#496769)
- Add option to skip checks for authenticated senders (#437506, #496767)
  (thanks to Habeeb J. Dihu for the reports and patches)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #572117 - SpamAssassin Mail Filter: Arbitrary shell command
        injection (privilege escalation)
        https://bugzilla.redhat.com/show_bug.cgi?id=572117
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update spamass-milter' at the command line.
For more information, refer to "Managing Software with yum", available at
http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
