spamassassin-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Quinlan <quin...@pathname.com>
Subject Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3
Date Wed, 15 Jun 2005 20:00:46 GMT
Apache SpamAssassin 3.0.4 was recently released [0], and fixes a denial
of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3.  The
vulnerability allows certain misformatted long message headers to cause
spam checking to take a very long time.

While the exploit has yet to be seen in the wild, we are concerned that
there may be attempts to abuse the vulnerability in the future.
Therefore, we strongly recommend all users of these versions upgrade to
Apache SpamAssassin 3.0.4 as soon as possible.

This issue has been assigned CVE id CAN-2005-1266 [1].

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org.  For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[0]: http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200506.mbox/%3c20050606223631.GG11538@kluge.net%3e

[1]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266

---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@spamassassin.apache.org
For additional commands, e-mail: announce-help@spamassassin.apache.org


Mime
View raw message