Issued:: 2005-06-23
Updated:: 2005-06-23

RHSA-2005:498 - Security Advisory

Overview
Updated Packages

Synopsis

spamassassin security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated spamassassin package that fixes a denial of service bug when
parsing malformed messages is now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

SpamAssassin provides a way to reduce unsolicited commercial email (SPAM)
from incoming email.

A denial of service bug has been found in SpamAssassin. An attacker could
construct a message in such a way that would cause SpamAssassin to consume
CPU resources. If a number of these messages were sent it could lead to a
denial of service, potentially preventing the delivery or filtering of
email. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-1266 to this issue.

SpamAssassin version 3.0.4 additionally solves a number of bugs including:

#156390 Spamassassin consumes too much memory during learning
#155423 URI blacklist spam bypass
#147464 Users may now disable subject rewriting
Smarter default Bayes scores
Numerous other bug fixes that improve spam filter accuracy and safety

For full details, please refer to the change details of 3.0.2, 3.0.3, and
3.0.4 in SpamAssassin's online documentation at the following address:
http://wiki.apache.org/spamassassin/NextRelease

Users of SpamAssassin should update to this updated package, containing
version 3.0.4 which is not vulnerable to this issue and resolves these bugs.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

Red Hat Enterprise Linux Server 4 x86_64
Red Hat Enterprise Linux Server 4 ia64
Red Hat Enterprise Linux Server 4 i386
Red Hat Enterprise Linux Workstation 4 x86_64
Red Hat Enterprise Linux Workstation 4 ia64
Red Hat Enterprise Linux Workstation 4 i386
Red Hat Enterprise Linux Desktop 4 x86_64
Red Hat Enterprise Linux Desktop 4 i386
Red Hat Enterprise Linux for IBM z Systems 4 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390
Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

BZ - 147464 - spamassassin no longer allows disabling subject rewriting
BZ - 151433 - spamd generate child processes which occupies all memory
BZ - 159198 - CAN-2005-1266 spamassassin DoS

CVEs

CVE-2005-1266

References

(none)

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 4

SRPM
spamassassin-3.0.4-1.el4.src.rpm	SHA-256: e6e40cf9c4c6be3282bf220822aed20c86ff3d4633cd1fe77495a25cca67edca
x86_64
spamassassin-3.0.4-1.el4.x86_64.rpm	SHA-256: d3db35d140f555baedf6470fe7b3147eb84e38695fc55d32aab073db90981a31
spamassassin-3.0.4-1.el4.x86_64.rpm	SHA-256: d3db35d140f555baedf6470fe7b3147eb84e38695fc55d32aab073db90981a31
ia64
spamassassin-3.0.4-1.el4.ia64.rpm	SHA-256: 1b55abe6304bae77c1d0bee3c0dcde6d173a5f033e7e18a82636f93e1e32b933
spamassassin-3.0.4-1.el4.ia64.rpm	SHA-256: 1b55abe6304bae77c1d0bee3c0dcde6d173a5f033e7e18a82636f93e1e32b933
i386
spamassassin-3.0.4-1.el4.i386.rpm	SHA-256: 7ba1ab10547b9948d764707bbd4d9e30ffbbd55440d4feef499e10f45732450e
spamassassin-3.0.4-1.el4.i386.rpm	SHA-256: 7ba1ab10547b9948d764707bbd4d9e30ffbbd55440d4feef499e10f45732450e

Red Hat Enterprise Linux Workstation 4

SRPM
spamassassin-3.0.4-1.el4.src.rpm	SHA-256: e6e40cf9c4c6be3282bf220822aed20c86ff3d4633cd1fe77495a25cca67edca
x86_64
spamassassin-3.0.4-1.el4.x86_64.rpm	SHA-256: d3db35d140f555baedf6470fe7b3147eb84e38695fc55d32aab073db90981a31
ia64
spamassassin-3.0.4-1.el4.ia64.rpm	SHA-256: 1b55abe6304bae77c1d0bee3c0dcde6d173a5f033e7e18a82636f93e1e32b933
i386
spamassassin-3.0.4-1.el4.i386.rpm	SHA-256: 7ba1ab10547b9948d764707bbd4d9e30ffbbd55440d4feef499e10f45732450e

Red Hat Enterprise Linux Desktop 4

SRPM
spamassassin-3.0.4-1.el4.src.rpm	SHA-256: e6e40cf9c4c6be3282bf220822aed20c86ff3d4633cd1fe77495a25cca67edca
x86_64
spamassassin-3.0.4-1.el4.x86_64.rpm	SHA-256: d3db35d140f555baedf6470fe7b3147eb84e38695fc55d32aab073db90981a31
i386
spamassassin-3.0.4-1.el4.i386.rpm	SHA-256: 7ba1ab10547b9948d764707bbd4d9e30ffbbd55440d4feef499e10f45732450e

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
spamassassin-3.0.4-1.el4.src.rpm	SHA-256: e6e40cf9c4c6be3282bf220822aed20c86ff3d4633cd1fe77495a25cca67edca
s390x
spamassassin-3.0.4-1.el4.s390x.rpm	SHA-256: 0ab929cb051c27b277c602c1178117560516896c46c35e0480c510834cf90d97
s390
spamassassin-3.0.4-1.el4.s390.rpm	SHA-256: 71c06f1ec914c84f0bfb300418601bf25e2efeb6b31c9ef0cd717bc736e5a861

Red Hat Enterprise Linux for Power, big endian 4

SRPM
spamassassin-3.0.4-1.el4.src.rpm	SHA-256: e6e40cf9c4c6be3282bf220822aed20c86ff3d4633cd1fe77495a25cca67edca
ppc
spamassassin-3.0.4-1.el4.ppc.rpm	SHA-256: a6f7d4994b0ba17e197ed613452ebbc0620b994a73edd5c0e224e6a76b5192c1

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation