-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2021-1 security@debian.org http://www.debian.org/security/ Giuseppe Iuculano March 22, 2010 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : spamass-milter Vulnerability : missing input sanitization Problem-Type : remote Debian-specific: no CVE Id(s) : none assigned yet Debian Bug : 573228 It was discovered a missing input sanitization in spamass-milter, a milter used to filter mail through spamassassin. This allows a remote attacker to inject and execute arbitrary shell commands. For the stable distribution (lenny), this problem has been fixed in version 0.3.1-8+lenny1. For the testing (squeeze) and unstable (sid) distribution this problem has been fixed in version 0.3.1-9. We recommend that you upgrade your spamass-milter package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1.orig.tar.gz Size/MD5 checksum: 141144 ca6bf6a9c88db74a6bfea41f499c0ba6 http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1.dsc Size/MD5 checksum: 1050 bb733b6a573d78be8a64002dbc592d44 http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1.diff.gz Size/MD5 checksum: 35298 c67ac575ec83da156f19d90a21c400e2 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_alpha.deb Size/MD5 checksum: 54606 a623cc750ad2dbeabb4ec9cc238bc40b amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_amd64.deb Size/MD5 checksum: 52752 8f67c0d4ebeb820a0a80b7c8a20a1761 arm architecture (ARM) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_arm.deb Size/MD5 checksum: 51254 87c4345b656711abf391b2c1620f0fa7 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_armel.deb Size/MD5 checksum: 47902 98855e92d23f6f2665f000a88a163dba hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_hppa.deb Size/MD5 checksum: 55546 6c97177505594b5389fdfe30cd293d80 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_i386.deb Size/MD5 checksum: 50980 109a06776578187d95ae70c3734e6b6d ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_ia64.deb Size/MD5 checksum: 59414 c816e86e810a4d611636bfec6a9df1cc mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_mipsel.deb Size/MD5 checksum: 51306 7204015ca8e050ccf6ea81626e215dbf powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_powerpc.deb Size/MD5 checksum: 55604 039127c2ba41f85b8c5a9c2c0889014b s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_s390.deb Size/MD5 checksum: 51450 f324ff3a60af459f5d15b8efc9e6e891 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/s/spamass-milter/spamass-milter_0.3.1-8+lenny1_sparc.deb Size/MD5 checksum: 50052 1ca672e1eeb9a58376c09c61d4f00977 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkunThoACgkQNxpp46476apx4gCfV3CGgKbrNHIpZs7Ib4xv2oQ+ gZEAn1YK6idR0gLFhoVWgrk9Qh61JqFL =Jq7u -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/