This update includes a fix for a problem where if the milter is running using the "-x" option to expand aliases before passing inbound mail through SpamAssassin, a malicious client using a carefully-crafted SMTP session could execute arbitrary code on the mail server. The fix avoids the use of a shell in the alias expansion and hence there is no longer a problem with having to sanitize input from the client.

This problem has been assigned CVE-2010-1132, which is tracked upstream at https://savannah.nongnu.org/bugs/?29136

The update also contains improved Received-header-generation for message submission and a fix for a problem where the milter would erroneously log warnings about the mail server's configuration when the first message from a non-authenticated client passed through. As part of the fix for this issue, the required milter macro configuration for the mail server has changed slightly: see the README file included in the package for details.

This update has been pushed to testing

11 years ago

This update has been submitted for testing.

This update has been pushed to testing

11 years ago

This update has been submitted for testing.

This update has been pushed to testing

11 years ago

This update has been submitted for stable.

This update has been pushed to stable

11 years ago

Please login to add feedback.

Metadata
Type
security
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
11 years ago
in testing
11 years ago
in stable
11 years ago
modified
11 years ago
BZ#532266 Could not retrieve sendmail macro "auth_ssf"!
0
0
BZ#572117 SpamAssassin Mail Filter: Arbitrary shell command injection (privilege escalation)
0
0
BZ#572119 SpamAssassin Mail Filter: Arbitrary shell command injection (privilege escalation) [Fedora all]
0
0

Automated Test Results