A vulnerability has been reported in Amavis, which can potentially be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to Amavis potentially invoking an insecure version of zoo or unzoo. This can be exploited to cause an infinite loop resulting in high CPU utilisation.

Solution: The vendor recommends disabling the use of zoo or unzoo, or using a patched version of zoo.

Provided and/or discovered by: The vendor credits Jean-Sebastien Guay-Leroux.

Original Advisory: http://www.amavis.org/security/asa-2007-2.txt

Reproducible: Always
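As an added illustration of the vendor's workaround (not text from the advisory or from this bug), this is how the zoo decoder would be taken out of the `@decoders` list in an amavisd-new 2.4.x amavisd.conf. The shape of the entries is from my recollection of the default configuration and must be checked against the installed file; the `do_zoo` name, the surrounding entries, and the `$child_timeout` value are assumptions for the example.

```perl
# amavisd.conf is a Perl file. @decoders maps archive types to the external
# tools amavisd-new may invoke while unpacking mail attachments.
# Assumed layout, modelled on the amavisd-new 2.4.x default config.

@decoders = (
  ['mail', \&do_mime_decode],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['zip',  \&do_unzip],

  # Weak setting: with this entry present, amavisd-new runs whichever of
  # zoo/unzoo it finds on its search path, including an unpatched build that
  # can loop forever on a malformed archive (ASA-2007-2).
  #   ['zoo',  \&do_zoo,   ['zoo','unzoo'] ],
  #
  # Workaround from the advisory: keep the entry commented out until a patched
  # zoo (on Gentoo: app-arch/zoo-2.10-r3) is installed. Archives in zoo format
  # are then passed through without being unpacked for scanning.

  ['lha',  \&do_lha,   'lha'],
);

# Defence in depth (assumed value): $child_timeout bounds how long one child
# may spend on a single message. It cuts a hung decoder off eventually, but
# the CPU is still burned for the whole window, so it is no substitute for
# removing or patching the decoder.
$child_timeout = 8*60;   # seconds
```

Once the patched zoo is in place, the `['zoo', ...]` entry can be restored; what matters for the advisory is that amavisd-new never invokes an unpatched zoo or unzoo, not which of the two it prefers.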
Maintainers - please advise.
I suggest patching app-arch/zoo with patch found in section VII here: <http://www.securityfocus.com/archive/1/archive/1/467646/100/0/threaded>. We can then make amavisd-new depend on patched version of zoo, after stabilizing it for arches. This would be more bearable than to wait for amavisd-new-2.5.1 and then stabilize it - 2.5.x brings some new stuff and config file changes which are not yet so well tested as 2.4.x.
Not an amavisd-new issue. Unfortunately zoo is without a maintainer. Ticho, could you patch it?
Created attachment 119979 [details] Patchfile
This is the patch as a diff file.
Ticho ping.
Created attachment 120137 [details, diff] modified patch
I modified the patch to let it apply cleanly.
Created attachment 120138 [details] ebuild
An ebuild which uses my modified patch.
Created attachment 120139 [details, diff] fixed patch
Now the final one (uploaded the wrong one first) - sorry for that.
Sorry guys. I was, uhh... distracted, from all technology for the past few days. zoo-2.10-r3 is in the tree now.
Arches, please test and stabilize zoo-2.10-r3. Thanks.
x86/amd64 stable
sparc stable.
ppc64 stable
alpha stable
ppc stable
This one is ready for GLSA decision. I tend to vote YES.
I tend to vote NO.
No, and closing; feel free to reopen if you disagree.