VID: 23170
Severity: 40
Port: 783
Protocol: TCP
Class: Daemon

Detailed Description:
SpamAssassin is affected by a command execution vulnerability in versions prior to 3.0.6 and 3.1.3. SpamAssassin is a widely deployed open source mail filter that identifies spam. SpamAssassin versions 3.0.x prior to 3.0.6 and 3.1.x prior to 3.1.3 are vulnerable to arbitrary command execution. If spamd is started with both the --vpopmail (-v) and --paranoid (-P) switches, a remote attacker can exploit this vulnerability to execute arbitrary commands with the privileges of the "spamd" user by sending a specially crafted email to an affected system.

* References:
  * http://www.frsirt.com/english/advisories/2006/2148
  * http://rhn.redhat.com/errata/RHSA-2006-0543.html
  * http://www.nabble.com/forum/ViewPost.jtp?post=4717543
  * http://www.nabble.com/forum/ViewPost.jtp?post=4717572
  * http://secunia.com/advisories/20430
* Platforms Affected:
  * SpamAssassin versions prior to 3.0.6
  * SpamAssassin versions prior to 3.1.3
  * Red Hat Desktop Ver.4
  * Red Hat Enterprise Linux AS Ver.4
  * Red Hat Enterprise Linux ES Ver.4
  * Red Hat Enterprise Linux WS Ver.4

Recommendation:
Upgrade to the latest version of SpamAssassin (3.0.6, 3.1.3, or later), available from the Apache SpamAssassin Project download page at http://spamassassin.apache.org/downloads.cgi?update=200606050750

Related URLs:
* CVE-2006-2447 (CVE)
* 18290 (SecurityFocus)
* 27008 (ISS)