=====================================================================
                                  CERT-Renater

                        Information Note No. 2005/VULN418
_____________________________________________________________________

DATE                      : 29/06/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running spamassassin.

======================================================================

  _______________________________________________________________________

                 Mandriva Linux Security Update Advisory
  _______________________________________________________________________

  Package name:           spamassassin
  Advisory ID:            MDKSA-2005:106
  Date:                   June 28th, 2005

  Affected versions:      10.1, 10.2
  ______________________________________________________________________

  Problem Description:

  A Denial of Service bug was discovered in SpamAssassin.  An attacker
  could construct a particular message that would cause SpamAssassin to
  consume CPU resources.  If a large number of these messages were sent,
  it could lead to a DoS.  SpamAssassin 3.0.4 was released to correct
  this vulnerability and includes other minor bug fixes; it is provided
  with this update.

  For full details on the changes from previous versions of SpamAssassin
  to this current version, please refer to the online documentation at
  http://wiki.apache.org/spamassassin/NextRelease.
  _______________________________________________________________________

  References:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
  ______________________________________________________________________

  Updated Packages:

  _______________________________________________________________________

  To upgrade automatically use MandrakeUpdate or urpmi.  The verification
  of md5 checksums and GPG signatures is performed automatically for you.

  All packages are signed by Mandriva for security.  You can obtain the
  GPG public key of the Mandriva Security Team by executing:

   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

  You can view other update advisories for Mandriva Linux at:

   http://www.mandriva.com/security/advisories

  If you want to report vulnerabilities, please contact

   security_(at)_mandriva.com
  _______________________________________________________________________

  Type Bits/KeyID     Date       User ID
  pub  1024D/22458A98 2000-07-10 Mandriva Security Team
   <security*mandriva.com>

======================================================================

         =========================================================
         CERT-Renater reference servers
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================


