Debian Bug report logs - #314447
spamassassin: CAN-2005-1266 Denial of Service Vulnerability in SpamAssassin 3.0.1-3.0.3, fixed in 3.0.4


Package: spamassassin; Maintainer for spamassassin is Noah Meyerhans <noahm@debian.org>; Source for spamassassin is src:spamassassin.

Reported by: Paddy Smith <paddy@panici.net>

Date: Thu, 16 Jun 2005 11:03:03 UTC

Severity: important

Tags: fixed-upstream, sarge, security

Found in version 3.0.3-1

Done: Duncan Findlay <duncf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Duncan Findlay <duncf@debian.org>:
Bug#314447; Package spamassassin.

Acknowledgement sent to Paddy Smith <paddy@panici.net>:
New Bug report received and forwarded. Copy sent to Duncan Findlay <duncf@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Paddy Smith <paddy@panici.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spamassassin: CAN-2005-1266 Denial of Service Vulnerability in SpamAssassin 3.0.1-3.0.3, fixed in 3.0.4
Date: Thu, 16 Jun 2005 10:45:02 +0000
Package: spamassassin
Version: 3.0.3-1
Severity: important
Tags: security, fixed-upstream

as per:

> From announce-return-9-paddy=panici.net@spamassassin.apache.org  Wed Jun 15 21:12:13 2005
> From: Daniel Quinlan <quinlan@pathname.com>
> To: announce@spamassassin.apache.org
> Subject: Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3
> 
> Apache SpamAssassin 3.0.4 was recently released [0], and fixes a denial
> of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3.  The
> vulnerability allows certain misformatted long message headers to cause
> spam checking to take a very long time.
> 
> While the exploit has yet to be seen in the wild, we are concerned that
> there may be attempts to abuse the vulnerability in the future.
> Therefore, we strongly recommend all users of these versions upgrade to
> Apache SpamAssassin 3.0.4 as soon as possible.
> 
> This issue has been assigned CVE id CAN-2005-1266 [1].
> 
> To contact the Apache SpamAssassin security team, please e-mail
> security at spamassassin.apache.org.  For more information about Apache
> SpamAssassin, visit the http://spamassassin.apache.org/ web site.
> 
> Apache SpamAssassin Security Team
> 
> [0]: http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200506.mbox/%3c20050606223631.GG11538@kluge.net%3e
> 
> [1]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266

Although CVE still says "When the candidate has been publicized, the
details for this candidate will be provided." 

Wasn't sure what severity to give this.

Regards,
Paddy

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages spamassassin depends on:
hi  debconf                       1.4.30.13  Debian configuration management sy
hi  libdigest-sha1-perl           2.10-1     NIST SHA-1 message digest algorith
hi  libhtml-parser-perl           3.45-2     A collection of modules that parse
hi  perl [libstorable-perl]       5.8.4-8    Larry Wall's Practical Extraction 
hi  spamc                         3.0.3-1    Client for SpamAssassin spam filte

-- debconf information:
  spamassassin/upgrade/2.40:
  spamassassin/upgrade/2.40w:
  spamassassin/upgrade/cancel: Continue
  spamassassin/upgrade/2.42m: No
  spamassassin/upgrade/2.42u: No



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#314447; Package spamassassin.

Acknowledgement sent to Duncan Findlay <duncf@debian.org>:
Extra info received and forwarded to list.

Message #10 received at 314447@bugs.debian.org:

From: Duncan Findlay <duncf@debian.org>
To: Paddy Smith <paddy@panici.net>, 314447@bugs.debian.org
Subject: Re: Bug#314447: spamassassin: CAN-2005-1266 Denial of Service Vulnerability in SpamAssassin 3.0.1-3.0.3, fixed in 3.0.4
Date: Thu, 16 Jun 2005 12:51:56 -0400
On Thu, Jun 16, 2005 at 10:45:02AM +0000, Paddy Smith wrote:
> Package: spamassassin
> Version: 3.0.3-1
> Severity: important
> Tags: security, fixed-upstream
> 
> > Apache SpamAssassin 3.0.4 was recently released [0], and fixes a denial
> > of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3.  The
> > vulnerability allows certain misformatted long message headers to cause
> > spam checking to take a very long time.

A fixed package has already been given to the security team - but as
of yet they have failed to act on it.

-- 
Duncan Findlay

Severity set to `critical'. Request was from Adam Majer <adamm@zombino.com> to control@bugs.debian.org.

Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Tags added: sarge. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Duncan Findlay <duncf@debian.org>:
Bug#314447; Package spamassassin.

Acknowledgement sent to Willi Mann <willi@wm1.at>:
Extra info received and forwarded to list. Copy sent to Duncan Findlay <duncf@debian.org>.

Message #21 received at 314447@bugs.debian.org:

From: Willi Mann <willi@wm1.at>
To: 314447@bugs.debian.org
Subject: package somewhere available?
Date: Tue, 28 Jun 2005 22:55:01 +0200
Hi Duncan!

Could you make the fixed package for sarge somewhere available (at least the 
source), until the security team catches up?

The lack of official packages is already widely known, at least since 
yesterday. See

http://lists.debian.org/debian-security/2005/06/msg00142.html

thanks
Willi



Information forwarded to debian-bugs-dist@lists.debian.org, Duncan Findlay <duncf@debian.org>:
Bug#314447; Package spamassassin.

Acknowledgement sent to paddy <paddy@panici.net>:
Extra info received and forwarded to list. Copy sent to Duncan Findlay <duncf@debian.org>.

Message #26 received at 314447@bugs.debian.org:

From: paddy <paddy@panici.net>
To: 314447@bugs.debian.org
Subject: Re: package somewhere available?
Date: Thu, 30 Jun 2005 18:41:19 +0100
Willi,

It's already there, and (I'm fairly sure) was there before I posted the bug. 
(I meant to check but I forgot!)  I think that the Sarge tag also means this.

# apt-cache showsrc spamassassin
Package: spamassassin
Binary: spamassassin, spamc
Version: 3.0.4-2
Priority: optional
Section: mail
Maintainer: Duncan Findlay <duncf@debian.org>
Build-Depends: debhelper (>= 4.1.16), perl (>= 5.6.0-16), libssl-dev, dpatch, libdigest-sha1-perl, libhtml-parser-perl (>= 3.24), libmime-base64-perl | perl (>= 5.8.0)
Architecture: any
Standards-Version: 3.6.1
Format: 1.0
Directory: pool/main/s/spamassassin
Files:
 251e0bb1778c8d816a7ce94fa47b82ac 777 spamassassin_3.0.4-2.dsc
 51926fe5aabaf57eed2c09061fe8fb02 1001430 spamassassin_3.0.4.orig.tar.gz
 6c182f1ce2980d5ba07fc100f3815e28 47354 spamassassin_3.0.4-2.diff.gz
Uploaders: Jesus Climent <jesus.climent@hispalinux.es>

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall



Information forwarded to debian-bugs-dist@lists.debian.org, Duncan Findlay <duncf@debian.org>:
Bug#314447; Package spamassassin.

Acknowledgement sent to Willi Mann <willi@wm1.at>:
Extra info received and forwarded to list. Copy sent to Duncan Findlay <duncf@debian.org>.

Message #31 received at 314447@bugs.debian.org:

From: Willi Mann <willi@wm1.at>
To: 314447@bugs.debian.org, paddy <paddy@panici.net>
Subject: Re: package somewhere available?
Date: Fri, 01 Jul 2005 13:52:38 +0200
> Willi,
> 
> It's already there, and (I'm fairly sure) was there before I posted the bug. 
> (I meant to check but I forgot!)  I think that the Sarge tag also means this.
> 
> # apt-cache showsrc spamassassin
> Package: spamassassin
> Binary: spamassassin, spamc
> Version: 3.0.4-2

No, it wasn't. 3.0.4-2 is in testing (etch), but not in sarge, because new 
upstream versions are a big no-no for stable. See

http://packages.qa.debian.org/s/spamassassin.html

I asked for the fixed package for stable, which would be some 3.0.3-x, 
because I don't want to install new upstream versions to fix security bugs, 
and I want to avoid version chaos.

BTW: This bug can be closed, as the new spamassassin 3.0.3-2 was released 
tonight. I won't close it as I'm not submitter, maintainer or member of the 
security team.

Willi
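
The mix-up in this thread (3.0.4-2 in etch versus the backported 3.0.3-2 for sarge) is exactly what a naive "upstream version >= 3.0.4" check gets wrong, since a Debian stable security update keeps the upstream version and bumps only the Debian revision. The following Python is an added example, not code from the bug log or the Debian package: it applies dpkg-style version ordering to the versions named on this page and treats the 3.0.3-2 sarge update as fixed; the assumption that every 3.0.3 revision from -2 onwards carries the fix is this example's, the page only names 3.0.3-2 itself.

```python
import re
# Debian bug #314447 / CAN-2005-1266: upstream SpamAssassin 3.0.1..3.0.3 affected, 3.0.4 fixed;
# sarge got the fix backported as 3.0.3-2, so for 3.0.3 the Debian revision decides.
UPSTREAM_AFFECTED = ("3.0.1", "3.0.3")  # inclusive, from the upstream announcement
SARGE_FIXED = ("3.0.3", "2")            # assumption: 3.0.3 revisions >= 2 carry the fix

def _order(c: str) -> int:
    """dpkg ordering of non-digit characters: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def dpkg_cmp(a: str, b: str) -> int:
    """dpkg fragment comparison: alternate non-digit runs (by _order) and numeric digit runs."""
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(pa), len(pb))):
            oa = _order(pa[i] if i < len(pa) else "")
            ob = _order(pb[i] if i < len(pb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(pa):], b[len(pb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(version: str):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to '0'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def is_affected(version: str) -> bool:
    """True if this Debian spamassassin version is still vulnerable to CAN-2005-1266."""
    _, upstream, revision = split_version(version)
    lo, hi = UPSTREAM_AFFECTED
    if dpkg_cmp(upstream, lo) < 0 or dpkg_cmp(upstream, hi) > 0:
        return False  # outside 3.0.1..3.0.3, e.g. 3.0.4-2 in etch
    if dpkg_cmp(upstream, SARGE_FIXED[0]) == 0 and dpkg_cmp(revision, SARGE_FIXED[1]) >= 0:
        return False  # sarge security update 3.0.3-2 (backported fix)
    return True       # e.g. 3.0.3-1, the version in the original report
```

Feed it the `Version:` field from `dpkg -s spamassassin` or `apt-cache showsrc`, as in the thread; `is_affected("3.0.3-1")` is true while `is_affected("3.0.3-2")` and `is_affected("3.0.4-2")` are false.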



Information forwarded to debian-bugs-dist@lists.debian.org, Duncan Findlay <duncf@debian.org>:
Bug#314447; Package spamassassin.

Acknowledgement sent to paddy <paddy@panici.net>:
Extra info received and forwarded to list. Copy sent to Duncan Findlay <duncf@debian.org>.

Message #36 received at 314447@bugs.debian.org:

From: paddy <paddy@panici.net>
To: 314447@bugs.debian.org, Willi Mann <willi@wm1.at>
Cc: 314447@bugs.debian.org
Subject: Re: package somewhere available?
Date: Fri, 1 Jul 2005 20:39:45 +0100
On Fri, Jul 01, 2005 at 01:52:38PM +0200, Willi Mann wrote:
> >Willi,
> >
> >It's already there, and (I'm fairly sure) was there before I posted the 
> >bug. (I meant to check but I forgot!)  I think that the Sarge tag also 
> >means this.
> >
> ># apt-cache showsrc spamassassin
> >Package: spamassassin
> >Binary: spamassassin, spamc
> >Version: 3.0.4-2
> 
> No, it wasn't. 3.0.4-2 is in testing (etch), 

sorry, I did realise that ...

> but not in sarge, because new 
> upstream versions are a big no-no for stable. 

Granted, my apologies.  I should really think before I hit send!

> See
> 
> http://packages.qa.debian.org/s/spamassassin.html
> 
> I asked for the fixed package for stable, which would be some 3.0.3-x, 
> because I don't want to install new upstream versions to fix security bugs, 
> and I want to avoid version chaos.

Again, apologies.  I misunderstood.

> BTW: This bug can be closed, as the new spamassassin 3.0.3-2 was released 
> tonight.

Kudos to all!

I see the DSA, but I don't see the files on s.d.o yet ...
... maybe I'm doing something wrong.

> I won't close it as I'm not submitter, maintainer or member of the 
> security team.

I think I'm the submitter, and closing a bug sounds rather fun,
but doesn't the release process do that automatically?

(besides I don't feel like I've done anything to earn the privilege).

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall



Reply sent to Duncan Findlay <duncf@debian.org>:
You have taken responsibility.

Notification sent to Paddy Smith <paddy@panici.net>:
Bug acknowledged by developer.

Message #41 received at 314447-done@bugs.debian.org:

From: Duncan Findlay <duncf@debian.org>
To: 314447-done@bugs.debian.org
Cc: willi@wm1.at
Subject: Re: Bug#314447: package somewhere available?
Date: Fri, 1 Jul 2005 23:39:00 -0400
On Fri, Jul 01, 2005 at 08:39:45PM +0100, paddy wrote:
> On Fri, Jul 01, 2005 at 01:52:38PM +0200, Willi Mann wrote:
> > BTW: This bug can be closed, as the new spamassassin 3.0.3-2 was released 
> > tonight.
> 
> Kudos to all!
> 
> I see the DSA, but I don't see the files on s.d.o yet ...
> ... maybe I'm doing something wrong.

Looks fine to me.

> > I won't close it as I'm not submitter, maintainer or member of the 
> > security team.

Eek... feel free to close bugs that need to be closed! I don't usually
get around to it all that quickly. You don't need to be one of the
above, you just need to be right!

> I think I'm the submitter, and closing a bug sounds rather fun,
> but doesn't the release process do that automatically ? 

The bug would be closed automatically if the changelog included a
(Closes: #nnnnnn) tag, but I sent in the fix before this bug was
opened, so it was not.

> (besides I don't feel like I've done anything to earn the privilege).

It's not a privilege, it's a nuisance. :-)

-- 
Duncan Findlay

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 06:03:04 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:46:36 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.