Re: [suse-security-announce] SUSE Security Announcement: spamassassin remote denial of service (SUSE-SA:2005:033)
On Wednesday 2005-06-22 at 17:05 +0200, Marcus Meissner wrote:
> Problem Description and Brief Discussion
>
> The anti spam tool SpamAssassin was prone to a denial-of-service attack. A remote attacker could craft a MIME E-Mail message that would waste a lot of CPU cycles parsing the Content-Type header.
>
> This is tracked by the Mitre CVE ID CAN-2005-1266.
>
> Only SUSE Linux 9.2 and 9.3 are affected, since they include the 3.x version of spamassassin. Older versions are not affected.
I noticed that you have upgraded to 3.0.4, and thus saved me the work of manually upgrading. Thanks.

But the scoring of this release (and 3.0.3 as well) is wrong:

    score BAYES_60 0 0 3.515 1.0
    score BAYES_80 0 0 3.608 2.0   <----
    score BAYES_95 0 0 3.514 3.0
    score BAYES_99 0 0 4.070 3.5

Notice that the score for 80% is bigger than for 95%, for Bayes and no network tests, i.e., 3.608 > 3.514.

I noticed this because I manually edit bayes_99 to be 4.99 - but can I trust there is no other error in the scoring?

I suggest that somebody with influence (i.e., from SuSE) suggests to the developers that they add some automatic tests that impede this kind of congruences creeping in.

--
Cheers,
Carlos Robinson
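As an added example (not part of this thread, and not SpamAssassin's own code), a small Python check of the kind asked for above: it parses `score` lines in SpamAssassin's config syntax and flags any score set in which a higher BAYES_ band scores lower than the band below it. The sample lines are the four quoted in the message; the score-set labels follow the SpamAssassin 3.x convention (set 2 = Bayes enabled, no network tests).

```python
import re

# Constructed sample in SpamAssassin "score" file syntax, reproducing the
# four BAYES_* lines quoted in the message above.
SAMPLE_SCORES = """\
# rule         set0 set1 set2  set3
score BAYES_60 0 0 3.515 1.0
score BAYES_80 0 0 3.608 2.0
score BAYES_95 0 0 3.514 3.0
score BAYES_99 0 0 4.070 3.5
"""

# SpamAssassin 3.x score sets: 0 = no Bayes/no net, 1 = net only,
# 2 = Bayes only, 3 = Bayes and net.
SCORE_SET_NAMES = ("no bayes/no net", "no bayes/net", "bayes/no net", "bayes/net")


def parse_scores(text):
    """Return {rule: [s0, s1, s2, s3]} from 'score RULE s...' lines.
    A single value applies to all four score sets, as in SpamAssassin."""
    scores = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments / blank lines
        parts = line.split()
        if not parts or parts[0] != "score" or len(parts) not in (3, 6):
            continue
        values = [float(v) for v in parts[2:]]
        scores[parts[1]] = values * 4 if len(values) == 1 else values
    return scores


def monotonicity_violations(scores, prefix="BAYES_"):
    """For a rule family whose suffix is a probability band (BAYES_60 < BAYES_80 ...),
    report each score set where a higher band scores lower than the band below it.
    Returns tuples (set_name, lower_rule, lower_score, higher_rule, higher_score)."""
    family = []
    for rule in scores:
        m = re.fullmatch(re.escape(prefix) + r"(\d+)", rule)
        if m:
            family.append((int(m.group(1)), rule))
    family.sort()
    violations = []
    for (_, lo), (_, hi) in zip(family, family[1:]):
        for idx, name in enumerate(SCORE_SET_NAMES):
            if scores[hi][idx] < scores[lo][idx]:
                violations.append((name, lo, scores[lo][idx], hi, scores[hi][idx]))
    return violations


if __name__ == "__main__":
    for name, lo, lo_s, hi, hi_s in monotonicity_violations(parse_scores(SAMPLE_SCORES)):
        print(f"[{name}] {hi} scores {hi_s} but {lo} scores {lo_s}")
```

Run against a real `50_scores.cf` the same check covers any band-style rule family by changing `prefix`.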