Bug 59483

Summary: mail-filter/spamassassin-2.64: new ebuild with security fix
Product: Gentoo Security
Reporter: Malte S. Stretz <gentoo-bugger>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: net-mail+disabled, perl, x86
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B3 [stable+ x86]
Package list:
Runtime testing required: ---
Description Flags
spamassassin-2.64.ebuild none

Description Malte S. Stretz 2004-08-04 21:10:08 UTC
Today we released v2.64, which contains an important security fix to prevent a DoS attack against systems running SpamAssassin.

The announcement (can't link as it hasn't reached the archives yet):

> Subject: SpamAssassin 2.64 is released!

SpamAssassin is a mail filter which uses advanced statistical
and heuristic tests to identify spam (also known as unsolicited
commercial/bulk email).


Pick it up from:

md5sum of archive files:
a82a9dab95462d102e253edb99091fdd  Mail-SpamAssassin-2.64.tar.gz
cd482160ddbe371bbf4fb58b715ebbdf  Mail-SpamAssassin-2.64.tar.bz2
sha1sum of archive files:
7d5776a7c462c849bc48f12a48ed82dc929ac06f  Mail-SpamAssassin-2.64.tar.gz
ea4925c6967249a581c4966d1cefd1a3162eb639  Mail-SpamAssassin-2.64.tar.bz2

Or on CPAN shortly, once the mirrors update.

The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the keyserver, as well as

The key information is:

pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key <>
    Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B

Summary of major changes since 2.63

  - Security fix prevents a denial of service attack open to certain
    malformed messages.
  - Backported several very reliable rules from the SpamAssassin 3.0.0
Comment 1 Malte S. Stretz 2004-08-04 21:10:47 UTC
Created attachment 36794

The ebuild; bumping isn't enough as the SRC_URI has changed.
Comment 2 Robert Coie (RETIRED) gentoo-dev 2004-08-04 23:15:12 UTC
In CVS, thanks.  Had to add a little change to make the tests not get run twice
in some circumstances.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 00:31:58 UTC
Reopening so that we can issue GLSA about it
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 00:35:37 UTC
Arches: please test and mark spamassassin 2.64 stable
Comment 5 Josh Grebe (RETIRED) gentoo-dev 2004-08-05 08:34:41 UTC
Tested and marked for sparc
Comment 6 Tom Martin (RETIRED) gentoo-dev 2004-08-05 12:00:04 UTC
Stable on amd64.
Comment 7 Aron Griffis (RETIRED) gentoo-dev 2004-08-06 20:01:58 UTC
alpha and ia64 done
Comment 8 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-07 11:54:59 UTC
tested and stable on ppc 
Comment 9 SpanKY gentoo-dev 2004-08-07 22:28:08 UTC
hppa stable
Comment 10 Chris White (RETIRED) gentoo-dev 2004-08-07 23:19:31 UTC
Removing ppc cc as it is stable marked.  ppc64 still needs stable marking
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-08-08 02:50:50 UTC
We also need x86 stable before the GLSA can go out.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-09 12:51:36 UTC
GLSA 200408-06

ppc64 please mark stable to benefit from the GLSA
Comment 13 Tom Gall (RETIRED) gentoo-dev 2004-09-25 22:29:32 UTC
stable on ppc64
Comment 14 Tom Gall (RETIRED) gentoo-dev 2004-09-25 22:35:31 UTC
removing ppc64