Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Spamassassin - upgrade InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Spamassassin - upgrade

Published: 2006-06-06
Last Updated: 2006-06-06 20:44:07 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Before you write us: nope, this is unlikely to be related to the "spam spam spam" article I wrote earlier.

Spamassassin has 2 new releases out. They fix vulnerabilities that -given specific command line options- opens up spamassassin to remote command execution as the user spamassassin is running as.

Solution: upgrade to version 3.06 or 3.1.3 as soon as possible or do not use the vulnerable command line combination (aparently both "--vpopmail" and "-P" (paranoid) need to be turned on) as a workaround.

Thanks to fellow handlers Jim and Patrick.

If you do take the time to upgrade, I'd suggest to make sure you run it as a user that has hardly any rights  and/or chroot it.

Swa Frantzen - Section 66

0 comment(s)
Diary Archives