/etc/conf.d/spamd:
SPAMD_OPTS="-i -m 5 -c -H"

spamd should only listen on localhost by default:
SPAMD_OPTS="-m 5 -c -H"

Reproducible: Always
He's right. The latest config--which I hadn't merged yet--specifies -i. Anyone? Beuller? Anyone?
This isn't a security bug.
Kurt: it's not a vulnerability, but I would agree it's a default config that can be tightened, so it's a "Default config" security bug. Perl team: please comment on the configuration change.
That option was added by me to the sample config file; I wasn't sure if I wanted to keep it but then forgot to re-evaluate the flag before I submitted the new ebuild. The background: with -i, spamd does indeed listen on all interfaces. But it won't accept any connections from there. You have to allow clients by adding additional -A switches. I added the switch because even I, as a dev, was confused when I tried to access a spamd from two different servers, added the -As, and nothing worked nevertheless ;~) Normally this wouldn't have any security issues, though I don't know how this plays together with bug 64133. Feel free to remove that switch.
I suppose that the bug 64133 vulnerability (DoS by timeout) requires accepted connections, and what you say tends to prove that spamd won't accept them unless you have the corresponding -A flag. Krispy (or someone else with a spamd setup): could you test whether you can still attack remotely using the PoC on bug 64133 with a setup that listens on all interfaces but only accepts from localhost?
The default configuration allows a DoS from remote. In order to fix that, we need to go back to the old config: SPAMD_OPTS="-m 5 -c -H"
So this config change does not play nice with bug 64133. Perl team, please fix default configuration as it is now vulnerable by default.
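The two configurations discussed above (the shipped -i variant and the tightened default), together with a small audit of the SPAMD_OPTS string, as an added example that is not part of the bug report or of the Gentoo ebuild. It encodes the spamd semantics the developer describes: a bare -i (or --listen-ip with no address) makes spamd listen on all interfaces, while -i followed by an address binds only that address; -A is a separate allow-list and, per the test result reported in this bug, does not by itself prevent the remote DoS of bug 64133, so the check treats any all-interfaces listener as the weak setting regardless of -A. The live-socket helper assumes spamd's default port 783 and a system with ss; both are assumptions, not something stated in the bug.

```shell
#!/bin/sh
# Added example: audit /etc/conf.d/spamd-style SPAMD_OPTS for the
# "listen on all interfaces" setting that this bug reverted.

WEAK_OPTS="-i -m 5 -c -H"     # shipped 3.x conf: listens on all interfaces
FIXED_OPTS="-m 5 -c -H"       # reverted default: spamd binds 127.0.0.1 only

# spamd_listens_everywhere OPTS
#   exit 0 if OPTS contains -i or --listen-ip with no address (spamd then
#   listens on all interfaces), exit 1 otherwise. Handles "-i", "-i ADDR",
#   "--listen-ip", "--listen-ip=ADDR" and "-i" immediately followed by
#   another switch (e.g. "-i -m 5"), which spamd treats as a bare -i.
spamd_listens_everywhere() {
    # Re-split the option string into positional parameters.
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            --listen-ip=*) return 1 ;;          # explicit address given
            -i|--listen-ip)
                case "${2:-}" in
                    ''|-*) return 0 ;;          # no address follows: all interfaces
                    *) shift ;;                 # skip the address argument
                esac ;;
        esac
        shift
    done
    return 1
}

# spamd_recommended_opts OPTS
#   prints OPTS with a bare -i / --listen-ip removed, i.e. the tightened
#   form used as the fix in this bug; other switches are left untouched.
spamd_recommended_opts() {
    set -- $1
    out=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -i|--listen-ip)
                case "${2:-}" in
                    ''|-*) ;;                          # drop bare -i
                    *) out="$out $1 $2"; shift ;;      # keep "-i ADDR"
                esac ;;
            *) out="$out $1" ;;
        esac
        shift
    done
    printf '%s\n' "${out# }"
}

# spamd_live_listeners
#   Live check on a host running spamd (assumes default port 783 and the
#   iproute2 `ss` tool): prints any spamd listening socket not bound to
#   127.0.0.1. Empty output means only localhost is exposed.
spamd_live_listeners() {
    ss -ltn 2>/dev/null | awk '$4 ~ /:783$/ && $4 !~ /^127\.0\.0\.1:/ { print $4 }'
}

if spamd_listens_everywhere "$WEAK_OPTS"; then
    echo "weak:  SPAMD_OPTS=\"$WEAK_OPTS\" listens on all interfaces"
    echo "fixed: SPAMD_OPTS=\"$(spamd_recommended_opts "$WEAK_OPTS")\""
fi
```

Run it against the SPAMD_OPTS line from /etc/conf.d/spamd; on a live box, an empty result from spamd_live_listeners confirms the daemon is bound to localhost only, which is the state the fix in this bug restores.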
conf changed
Michael: revbumping at least the 3.0.2 and the 2.64 version so that people upgrading can merge the fix would be a good idea.
Sorry for the delay, bump in progress (soon as my cvs connection resolves itself)
OK, committed, though after signing the manifest I realized there was no reason to bump 2.64; it was the conf for 3.x that was the bug. So any SA 2.64 users out there who stumble on this bug: sorry about that, folks.
Bug fixed, thanks Michael.