SANS ISC: Spamassassin - upgrade SANS ISC InfoSec Forums

Spamassassin - upgrade
Before you write us: nope, this is unlikely to be related to the "spam spam spam" article I wrote earlier.

Spamassassin has 2 new releases out. They fix vulnerabilities that, given specific command line options, open up spamassassin to remote command execution as the user spamassassin is running as.

Solution: upgrade to version 3.06 or 3.1.3 as soon as possible or, as a workaround, do not use the vulnerable command line combination (apparently both "--vpopmail" and "-P" (paranoid) need to be turned on).

Thanks to fellow handlers Jim and Patrick.

If you do take the time to upgrade, I'd suggest making sure you run it as a user that has hardly any rights and/or chroot it.

Swa Frantzen - Section 66


Jun 6th 2006
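
One way to check a host against the option combination and the low-privilege advice above, as an added example that is not part of the original diary: the script reads process-listing lines and flags any daemon started with both options, or running as root. It assumes the daemon shows up as "spamd" and that -v and --paranoid are the alternate spellings of --vpopmail and -P; the sample lines are constructed.

```sh
#!/bin/sh
# Added example (not from the diary): audit "USER COMMAND ARGS..." lines for
# the option pair named above. Assumed: the daemon shows up as "spamd", and
# -v / --paranoid are the alternate spellings of --vpopmail / -P.

# has_opt LONG SHORT ARGS... : succeeds if either spelling is among ARGS.
# Short forms are matched inside bundles (-dP); this over-reports when the
# letter is really an attached option argument, which is the safe direction.
has_opt() {
    long=$1 short=$2; shift 2
    for a in "$@"; do
        case $a in
            --) return 1 ;;                    # end of options
            "$long"|"$long"=*) return 0 ;;
            --*) ;;                            # some other long option
            -*"$short"*) return 0 ;;
        esac
    done
    return 1
}

# audit_line LINE : prints a verdict and returns 2 (both options on),
# 1 (running as root), or 0 (neither, or not a spamd line).
audit_line() {
    set -f; set -- $1; set +f                  # split on blanks, no globbing
    [ $# -ge 2 ] && [ "${2##*/}" = spamd ] || { echo "SKIP"; return 0; }
    user=$1; shift 2
    if has_opt --vpopmail v "$@" && has_opt --paranoid P "$@"; then
        echo "EXPOSED user=$user"; return 2
    fi
    [ "$user" != root ] || { echo "ROOT user=$user"; return 1; }
    echo "OK user=$user"
}

# Constructed sample lines in the shape of `ps -eo user,args` output.
while IFS= read -r line; do
    audit_line "$line" || true
done <<'EOF'
spamd /usr/bin/spamd -d --vpopmail -P -u vpopmail
root /usr/sbin/spamd -d -c -m5
mail /usr/bin/spamd -dP --max-children=5
EOF
```

The line splitting is on blanks only, so arguments that were quoted on the original command line are not reassembled.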
