[Mimedefang] [OT] SpamAssassin 3.1.3 released - security updates
Chris Myers
chris at by-design.net
Tue Jun 6 14:35:29 EDT 2006
*ANNOUNCE: Apache SpamAssassin 3.1.3 available!
*Apache SpamAssassin 3.1.3 is now available! This is a maintenance
release of the 3.1.x branch.
Downloads are available from:
http://spamassassin.apache.org/downloads.cgi?update=200606050750
The release file will also be available via CPAN in the near future.
md5sum of archive files:
5f049f0b9fc63585a85593a3c68409bb Mail-SpamAssassin-3.1.3.tar.bz2
32ad78f3cdaddb02cdf0f55572604d07 Mail-SpamAssassin-3.1.3.tar.gz
6cb6fc27c4466091b2bc4e04af8c39bf Mail-SpamAssassin-3.1.3.zip
sha1sum of archive files:
e1f4489ec8805985e0ca79765bde586bf0286725 Mail-SpamAssassin-3.1.3.tar.bz2
ed9e18fae6db86d0b77ce48d8262194e06df9ef8 Mail-SpamAssassin-3.1.3.tar.gz
090dfd3eaa0481789fbf94f67bcf9c2dd6387959 Mail-SpamAssassin-3.1.3.zip
The release files also have a .asc accompanying them. The file serves
as an external GPG signature for the given release file. The signing
key is available via the wwwkeys.pgp.net key server, as well as
http://spamassassin.apache.org/released/GPG-SIGNING-KEY
The key information is:
pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key <release at ...
<http://www.nabble.com/user/SendEmail.jtp?type=post&post=4717543&i=0>>
Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B
3.1.3 fixes a remote code execution vulnerability if spamd is run with the
"--vpopmail" and "-P" options. If either/both of those options are not
used, there is no vulnerability. There was also a fix for the userstate
directory and prefs file not being created.
Changelog:
- bug 4926: given a certain set of parameters to spamd and a specially
formatted input message, users could cause spamd to execute arbitrary
commands as the spamd user
- bug 4932: the userstate dir and userprefs file would not be created
under certain conditions.
More information about the MIMEDefang
mailing list