__________________________________________________________

                    The U.S. Department of Energy
                Computer Incident Advisory Capability
__________________________________________________________

                         INFORMATION BULLETIN

             SpamAssassin Security Update [RHSA-2006:0543-10]

June 6, 2006 20:00 GMT                                          Number Q-217
______________________________________________________________________________
PROBLEM:       A vulnerability has been discovered in SpamAssassin that can
               allow remote attackers to execute arbitrary commands.

PLATFORM:      Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux AS (v. 4)
               Red Hat Enterprise Linux ES (v. 4)
               Red Hat Enterprise Linux WS (v. 4)
               Debian GNU/Linux 3.1 (sarge)

DAMAGE:        A flaw was found with the way the Spamassassin spamd daemon
               processes the virtual pop username passed to it. If a site is
               running spamd with both the --vpopmail and --paranoid flags,
               it is possible for a remote user with the ability to connect
               to the spamd daemon to execute arbitrary commands as the user
               running the spamd daemon.

SOLUTION:      Apply current patches.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote attacker can execute arbitrary
ASSESSMENT:    commands.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-217.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2006-0543.html
 ADDITIONAL LINKS:   Debian Security Advisory 1090-1
                     http://www.debian.org/security/2006/dsa-1090
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2447
______________________________________________________________________________

[***** Start RHSA-2006:0543-10 *****]

Moderate: spamassassin security update

Advisory:          RHSA-2006:0543-10
Type:              Security Advisory
Issued on:         2006-06-06
Last updated on:   2006-06-06
Affected Products: Red Hat Desktop (v. 4)
                   Red Hat Enterprise Linux AS (v. 4)
                   Red Hat Enterprise Linux ES (v. 4)
                   Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2006-2447

Details

Updated spamassassin packages that fix an arbitrary code execution flaw are
now available.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from
incoming email.

A flaw was found with the way the Spamassassin spamd daemon processes the
virtual pop username passed to it. If a site is running spamd with both the
--vpopmail and --paranoid flags, it is possible for a remote user with the
ability to connect to the spamd daemon to execute arbitrary commands as the
user running the spamd daemon. (CVE-2006-2447)

Note: None of the IMAP or POP servers shipped with Red Hat Enterprise Linux 4
support vpopmail delivery. Running spamd with the --vpopmail and --paranoid
flags is uncommon and not the default startup option as shipped with Red Hat
Enterprise Linux 4.

Spamassassin, as shipped in Red Hat Enterprise Linux 4, performs RBL lookups
against visi.com to help determine if an email is spam. However, this DNS RBL
has recently disappeared, resulting in mail filtering delays and timeouts.

Users of SpamAssassin should upgrade to these updated packages containing
version 3.0.6 and backported patches, which are not vulnerable to these
issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 4)
  SRPMS:
    spamassassin-3.0.6-1.el4.src.rpm     1cf6fab6ed57f94851a8c87ada04f523
  IA-32:
    spamassassin-3.0.6-1.el4.i386.rpm    0978c0b3e20da3fac966c71d13667bea
  x86_64:
    spamassassin-3.0.6-1.el4.x86_64.rpm  0e723a4ff9037961094be458f0da16e3

Red Hat Enterprise Linux AS (v. 4)
  SRPMS:
    spamassassin-3.0.6-1.el4.src.rpm     1cf6fab6ed57f94851a8c87ada04f523
  IA-32:
    spamassassin-3.0.6-1.el4.i386.rpm    0978c0b3e20da3fac966c71d13667bea
  IA-64:
    spamassassin-3.0.6-1.el4.ia64.rpm    8e16f3dea0718f28a779ab7265a5bee1
  PPC:
    spamassassin-3.0.6-1.el4.ppc.rpm     1777390bb8c1371d85b5f18ebbf3f50a
  s390:
    spamassassin-3.0.6-1.el4.s390.rpm    19525de01fac4f0d7bb66ea5f5abd955
  s390x:
    spamassassin-3.0.6-1.el4.s390x.rpm   6c35a656281f5d4d5fe856987dfe686b
  x86_64:
    spamassassin-3.0.6-1.el4.x86_64.rpm  0e723a4ff9037961094be458f0da16e3

Red Hat Enterprise Linux ES (v. 4)
  SRPMS:
    spamassassin-3.0.6-1.el4.src.rpm     1cf6fab6ed57f94851a8c87ada04f523
  IA-32:
    spamassassin-3.0.6-1.el4.i386.rpm    0978c0b3e20da3fac966c71d13667bea
  IA-64:
    spamassassin-3.0.6-1.el4.ia64.rpm    8e16f3dea0718f28a779ab7265a5bee1
  x86_64:
    spamassassin-3.0.6-1.el4.x86_64.rpm  0e723a4ff9037961094be458f0da16e3

Red Hat Enterprise Linux WS (v. 4)
  SRPMS:
    spamassassin-3.0.6-1.el4.src.rpm     1cf6fab6ed57f94851a8c87ada04f523
  IA-32:
    spamassassin-3.0.6-1.el4.i386.rpm    0978c0b3e20da3fac966c71d13667bea
  IA-64:
    spamassassin-3.0.6-1.el4.ia64.rpm    8e16f3dea0718f28a779ab7265a5bee1
  x86_64:
    spamassassin-3.0.6-1.el4.x86_64.rpm  0e723a4ff9037961094be458f0da16e3

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

178580 - /etc/sysconfig/spamassasin loses file context and timestamp
191033 - spamassassin looks up broken NS domain (visi.com)
193865 - CVE-2006-2447 spamassassin arbitrary command execution

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2447
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security.
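The advisory leaves an administrator with three concrete questions: is any spamd on the host started with the --vpopmail and --paranoid pair, is the installed spamassassin package at least the erratum build 3.0.6-1.el4, and does a downloaded RPM carry the MD5 sum listed above. The following POSIX shell script, added here as an illustration and not part of the CIAC or Red Hat bulletin, answers all three. The process lines it inspects are constructed sample data standing in for "ps -eo args" output; the version string it expects is what "rpm -q --qf '%{VERSION}-%{RELEASE}' spamassassin" prints; the hash table is copied from the package list above. The version comparison is only meaningful for the Red Hat packages, because the fix is a backport and an upstream 3.0.6 does not carry it.

```shell
#!/bin/sh
# Added example, not from the CIAC or Red Hat bulletin. Three defender-side
# checks for CVE-2006-2447 on a RHEL 4 host:
#   1. does any running spamd carry BOTH --vpopmail and --paranoid;
#   2. is the installed spamassassin package at least 3.0.6-1.el4;
#   3. does a downloaded RPM match the MD5 sum the advisory lists.
# Process lines below are constructed sample data; hashes are the advisory's.

# 1. Flag audit. The flaw needs both flags together, so one alone is not
#    reported. Only the long spellings named in the bulletin are matched;
#    bundled short options are not recognised by this check.
spamd_flags_vulnerable() {
    has_vpop=0
    has_para=0
    for word in $1; do
        case "$word" in
            --vpopmail) has_vpop=1 ;;
            --paranoid) has_para=1 ;;
        esac
    done
    [ "$has_vpop" -eq 1 ] && [ "$has_para" -eq 1 ]
}

# Read "ps -eo args"-style lines on stdin; print how many spamd processes
# run with the vulnerable flag pair.
count_vulnerable_spamd() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *spamd*) if spamd_flags_vulnerable "$line"; then n=$((n + 1)); fi ;;
        esac
    done
    echo "$n"
}

# 2. Version check against the erratum build. Input is the string printed by
#    rpm -q --qf '%{VERSION}-%{RELEASE}\n' spamassassin
#    Fixed when version > 3.0.6, or version == 3.0.6 and release >= 1.
#    Red Hat packages only: upstream 3.0.6 lacks the backported fix.
spamassassin_is_fixed() {
    ver=${1%%-*}
    rel=${1#*-}
    [ "$rel" = "$1" ] && rel=0      # no release part: not an erratum build
    relnum=${rel%%[!0-9]*}          # leading integer of release: "1" from "1.el4"
    [ -z "$relnum" ] && relnum=0
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 3 ] && return 0
    [ "$maj" -lt 3 ] && return 1
    [ "$min" -gt 0 ] && return 0
    [ "$pat" -gt 6 ] && return 0
    [ "$pat" -lt 6 ] && return 1
    [ "$relnum" -ge 1 ]
}

# 3. MD5 table from the advisory (filename, sum), one entry per package.
ADVISORY_MD5='spamassassin-3.0.6-1.el4.src.rpm 1cf6fab6ed57f94851a8c87ada04f523
spamassassin-3.0.6-1.el4.i386.rpm 0978c0b3e20da3fac966c71d13667bea
spamassassin-3.0.6-1.el4.ia64.rpm 8e16f3dea0718f28a779ab7265a5bee1
spamassassin-3.0.6-1.el4.ppc.rpm 1777390bb8c1371d85b5f18ebbf3f50a
spamassassin-3.0.6-1.el4.s390.rpm 19525de01fac4f0d7bb66ea5f5abd955
spamassassin-3.0.6-1.el4.s390x.rpm 6c35a656281f5d4d5fe856987dfe686b
spamassassin-3.0.6-1.el4.x86_64.rpm 0e723a4ff9037961094be458f0da16e3'

# Print the advisory's MD5 for a package filename, nothing if it is unlisted.
advisory_md5_for() {
    printf '%s\n' "$ADVISORY_MD5" | while read -r name sum; do
        if [ "$name" = "$1" ]; then echo "$sum"; fi
    done
}

# Compare a downloaded RPM with the table: 0 on match, 1 on mismatch,
# 2 when the filename is not in the advisory. Needs md5sum (coreutils).
verify_rpm_md5() {
    file=$1
    expected=$(advisory_md5_for "$(basename "$file")")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Demo on constructed process lines (sample data, not captured from a host).
SAMPLE_PS='/usr/bin/spamd -d -c -m5 --vpopmail --paranoid -u spamd
/usr/bin/spamd -d -c -m5 --vpopmail -u spamd
/usr/bin/spamd -d -c -m5 -u spamd
/usr/sbin/sshd'
echo "spamd processes with --vpopmail and --paranoid: $(printf '%s\n' "$SAMPLE_PS" | count_vulnerable_spamd)"
if spamassassin_is_fixed '3.0.4-1.el4'; then
    echo '3.0.4-1.el4: fixed'
else
    echo '3.0.4-1.el4: vulnerable, apply RHSA-2006:0543'
fi
```

On a live host the first check is fed with "ps -eo args" and the second with the rpm query in the comment; a hit on the flag pair is worth acting on before the package update lands, since the bulletin's workaround is simply not to run spamd with both flags. The checksum function returns a distinct code for an unlisted filename so a wrongly named download is not mistaken for a tampered one.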
Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End RHSA-2006:0543-10 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall
not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-207: postgresql Update
Q-208: php Update
Q-209: Windows VPN Client
Q-210: RealVNC Authentication Bypass
Q-211: libextractor
Q-212: HP-UX Mozilla Vulnerability
Q-213: The Hidden Dangers of Windows HTML Help (.chm) Files
Q-214: Mozilla Vulnerabilities
Q-215: Vulnerability Found In "lsmcode" Command
Q-216: Security Vulnerability With Sun StorADE Version 2.4 Installation