SpamAssassin Release version 3.1.8

Published: 2007-02-16
Last Updated: 2007-02-16 19:44:47 UTC
by Joel Esler (Version: 3)
Looks like a new version of SpamAssassin (SA) came out yesterday, version 3.1.8. Take a look at the advisory here.

This looks like a maintenance AND security release. It patches CVE-2007-0451, a "possible DoS due to incredibly long URIs found in the message content". According to fellow handler Bojan, SA can be made to suck up large amounts of memory and CPU when processing an e-mail message with the appropriate URL in the body. Also note that versions 3.1-3.1.7 are thought to be vulnerable; it is unclear whether earlier versions are also affected. The upcoming 3.2 release will also contain the fix.

Time to patch!

Joel Esler
http://handlers.sans.org/jesler