jrehmer

Well-Known Member
Apr 10, 2003
286
0
166
Denver, CO
I noticed that on my server 10.8.2-STABLE_120 that I am running SpamAssassin 3.1.2 which is considered vulnerable according to a new CVE released. I am referencing Common Vulnerabilities and Exposures: CVE-2006-2447.

Is there a plan to upgrade this component?
 

jrehmer

ramprage said:
Consider moving up to the RELEASE build for more current updates. SpamAssassin has a newer version here.
The release build is older than the stable build...so I don't see how it would include a newer version of spamassassin.
 

NightStorm

Well-Known Member
Jul 28, 2003
285
4
168
cPanel Access Level
Root Administrator
Twitter
... Ehh?

EDGE
Edge is the bleeding edge tree. While it has the newest features, it has undergone the least amount of testing (if any). You generally shouldn't run this build unless you need a bug fix or feature in it. Once an equivalent CURRENT or RELEASE build has been released, you should switch away from this.

CURRENT
Current builds are more mature than the EDGE builds since they have been tested in a production environment.

RELEASE
Release builds are the preferred builds to run. They are generally current enough to have the latest bugfixes and new features, but without the worry of new bugs being introduced.

STABLE
Stable builds are for the conservative people who do not wish to run the latest release.

Stable would be the oldest build of the list. And in this case, until last week, the last update for STABLE was in January, whereas RELEASE had been receiving an update nearly every day for the past 2 weeks.
 

boeki

Active Member
Jan 30, 2004
32
0
156
STABLE
10.8.2-STABLE_120
(Sat May 27 14:20:24 2006)

RELEASE
10.8.2-RELEASE_119
(Sat May 27 14:08:05 2006)

... Ehh?
 

jrehmer

See, I am right...it makes Stable "newer" than Release...
 

NightStorm

So no one actually reads what the description of each build is?
Run a search on the forum... this has been discussed to GREAT extent in the past.
You start at Bleeding EDGE. This is the release that has the newest features, and likely the newest bugs.
Those features, when decided to be through the initial bugcheck phase, filter down into the next release of CURRENT. Still not quite clean enough, you may experience whatever bugs were not caught by EDGE users (since there are more people willing to use a CURRENT build than EDGE, which is essentially a beta test build).
Once the features in CURRENT are decided to be dealt with and fixed/patched up, they are filtered down into the next RELEASE build. This is the one that is suggested to be used by most people, as the likelihood of encountering any bugs at this point is remote. While it may not have the same features as the other newer builds, it will be more stable and less prone to crashes/errors.
After a while of no bug reports on any features of the RELEASE build, CPanel will put out a STABLE build. This is like the final product for that version tree. They expect no reports of problems with it at this point (and why should they, as it's been through 3 stages of testing, along with the pre-beta tests), and will be the... well, most stable. It also will be the build to have the least amount of new features, as they will not have filtered down through the other builds yet. STABLE is the build with the least amount of updates posted on it, as it usually requires quite some time of no bug reports before it can be posted.

So, while a STABLE release may have been put up a few minutes after a RELEASE build, the features in it are older and therefore it is not a newer build.
 

jrehmer

I don't know how much research you have done on your own, but generally I don't see very much difference in code or files between Release and Stable, with the exception of the last Stable build which was extremely old. Maybe the way you look at it is what cPanel tells you, but that is not necessarily the case.

You are still deviating from my original question about SpamAssassin.
 

NightStorm

I'm still not sure how it's a deviation. You asked when spamassassin would be updated, and were told quite clearly that it already is updated in the more recent CPanel builds. That's pretty simple, really.
You in turn argued that you're using a more recent build than the one you were told to update to... which resulted in my posting to show you how you were mistaken.
In closing, RELEASE is using SpamAssassin version 3.1.3. If you want to update spamassassin to a more recent version than 3.1.2, you will need to, as I and others have said, update to a more recent build of CPanel, and risk the chance you may run into bugs.
You want to know when STABLE will have an updated copy, well, you'll just have to do what I said and either update to a different build, or wait for the period of time while RELEASE has all the bugs patched up and then gets filtered down to the build you are using.
 

jrehmer

I moved to RELEASE, still 3.1.2, I moved to EDGE, still 3.1.2.

Any way to manually update it, as it's obviously not getting done? I have 3 RHEL3 and 7 RHEL4 boxes that all are running SpamAssassin 3.1.2 and ALL have been upgraded to the latest EDGE (some are on RELEASE, I was just proving my point).
 

jrehmer

NightStorm said:
Just from running standard nightly updates: It's a longshot, but try removing spamassassin from your CPanel modules, then reinstall it. That used to work for phpBB
I don't see it listed as an Addon module?
 

sparek-3

Well-Known Member
Aug 10, 2002
2,173
280
388
cPanel Access Level
Root Administrator
You may have some old cpan mirrors that perl is using, try:

Code:
rm -rf /root/.cpcpan /home/.cpan
/scripts/realperlinstaller --force Mail::SpamAssassin
A word of caution -- This is just my obligatory word of caution when using rm -rf. Using this command will delete everything under a directory and the directory itself. Always be careful when using rm -rf.
 

jamesbond

Well-Known Member
Oct 9, 2002
737
1
168
http://spamassassin.apache.org/advisories/cve-2006-2447.txt

It only affects systems where spamd is used with vpopmail virtual
users, via the "-v" / "--vpopmail" switch, AND with the "-P" /
"--paranoid" switch. This is not default on any distro package, and
is not a common configuration. You are only vulnerable if *both* of
those switches are in use. Removing the "-P" / "--paranoid" switch
is an effective workaround with no significant side-effects.
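
The condition quoted from the advisory above can be checked mechanically against a spamd command line taken from the init script or from ps output. The following is an added example, not part of the original post or of SpamAssassin: the function name spamd_exposure and the sample command lines are constructed, and it assumes short switches may be bundled (for example -dvP), treating any letters-only cluster containing v or P as carrying that switch.

```shell
#!/bin/sh
# Added example: classify a spamd command line against the condition in the
# CVE-2006-2447 advisory text: affected only when BOTH -v/--vpopmail AND
# -P/--paranoid are in use.

# spamd_exposure "CMDLINE" -> prints exposed | vpopmail-only | paranoid-only | not-exposed
spamd_exposure() {
    has_v=0
    has_p=0
    set -f                      # no glob expansion while splitting the string
    for tok in $1; do           # intentional word splitting of one command line
        case $tok in
            --vpopmail) has_v=1 ;;
            --paranoid) has_p=1 ;;
            --*) ;;             # any other long option
            -*[!A-Za-z]*) ;;    # short option with an attached value, e.g. -m5
            -?*)                # letters-only cluster such as -d, -v or -dvP
                case $tok in *v*) has_v=1 ;; esac
                case $tok in *P*) has_p=1 ;; esac
                ;;
            *) ;;               # program path or an option's value
        esac
    done
    set +f
    if [ "$has_v" -eq 1 ] && [ "$has_p" -eq 1 ]; then
        echo exposed
    elif [ "$has_v" -eq 1 ]; then
        echo vpopmail-only
    elif [ "$has_p" -eq 1 ]; then
        echo paranoid-only
    else
        echo not-exposed
    fi
}

# Constructed sample command lines (not taken from any real server).
while IFS= read -r line; do
    printf '%-14s %s\n' "$(spamd_exposure "$line")" "$line"
done <<'EOF'
/usr/bin/spamd -d -m 5 -r /var/run/spamd.pid
/usr/bin/spamd -d -v -u vpopmail
/usr/bin/spamd -d --vpopmail --paranoid -u vpopmail
/usr/bin/spamd -dvP -u vpopmail
EOF
```

A line reported as exposed is the case where the advisory's workaround (removing -P / --paranoid) applies.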
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
The version of SpamAssassin has no relation whatsoever to the build of cPanel you have installed.

It's a perl module and as such is upgraded when upcp runs overnight and when your local cpan mirror gets it.

There's no need to remove SpamAssassin at all. All you should need is:

/scripts/perlinstaller --force Mail::SpamAssassin
 

jamesbond

spamassassin -v shows 3.1.3, but when I look in the e-mail headers it says:

X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) :confused:
 

boeki

X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01)

that's running on cPanel 10.8.2-S120
 

jamesbond

Restarting exim worked for me:

X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01)