Apache SpamAssassin Security Issue

Discussion in 'EasyApache' started by jrehmer, Jun 7, 2006.

  1. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    I noticed that on my server, 10.8.2-STABLE_120, I am running SpamAssassin 3.1.2, which is considered vulnerable according to a new CVE released. I am referencing Common Vulnerabilities and Exposures: CVE-2006-2447.

    Is there a plan to upgrade this component?
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Consider moving up to the RELEASE build for more current updates. SpamAssassin has a newer version here.
     
  3. jrehmer

    jrehmer Well-Known Member

    The release build is older than the stable build...so I don't see how it would include a newer version of spamassassin.
     
  4. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    ... Ehh?

    EDGE
    Edge is the bleeding edge tree. While it has the newest features, it has undergone the least amount of testing (if any). You generally shouldn't run this build unless you need a bug fix or feature in it. Once an equivalent CURRENT or RELEASE build has been released, you should switch away from this.

    CURRENT
    Current builds are more mature than the EDGE builds since they have been tested in a production environment.

    RELEASE
    Release builds are the preferred builds to run. They are generally current enough to have the latest bugfixes and new features, but without the worry of new bugs being introduced.

    STABLE
    Stable builds are for the conservative people who do not wish to run the latest release.

    Stable would be the oldest build of the list. And in this case, until last week, the last update for STABLE was in January, whereas RELEASE had been receiving an update nearly every day for the past 2 weeks.
     
  5. boeki

    boeki Active Member

    Joined:
    Jan 30, 2004
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    STABLE
    10.8.2-STABLE_120
    (Sat May 27 14:20:24 2006)

    RELEASE
    10.8.2-RELEASE_119
    (Sat May 27 14:08:05 2006)

    ... Ehh?
     
  6. jrehmer

    jrehmer Well-Known Member

    See, I am right...it makes Stable "newer" than Release...
     
  7. NightStorm

    NightStorm Well-Known Member

    So no one actually reads what the description of each build is?
    Run a search on the forum... this has been discussed to GREAT extent in the past.
    You start at Bleeding EDGE. This is the release that has the newest features, and likely the newest bugs.
    Those features, when decided to be through the initial bugcheck phase, filter down into the next release of CURRENT. Still not quite clean enough, you may experience whatever bugs were not caught by EDGE users (since there are more people willing to use a CURRENT build than EDGE, which is essentially a beta test build).
    Once the features in CURRENT are decided to be dealt with and fixed/patched up, they are filtered down into the next RELEASE build. This is the one that is suggested to be used by most people, as the likelihood of encountering any bugs at this point is remote. While it may not have the same features as the other newer builds, it will be more stable and less prone to crashes/errors.
    After a while of no bug reports on any features of the RELEASE build, CPanel will put out a STABLE build. This is like the final product for that version tree. They expect no reports of problems with it at this point (and why should they, as it's been through 3 stages of testing, along with the pre-beta tests), and will be the... well, most stable. It also will be the build to have the least amount of new features, as they will not have filtered down through the other builds yet. STABLE is the build with the least amount of updates posted on it, as it usually requires quite some time of no bug reports before it can be posted.

    So, while a STABLE release may have been put up a few minutes after a RELEASE build, the features in it are older and therefore it is not a newer build.
     
  8. jrehmer

    jrehmer Well-Known Member

    I don't know how much research you have done on your own, but generally I don't see very much difference in code or files between Release and Stable, with the exception of the last Stable build which was extremely old. Maybe the way you look at it is what cPanel tells you, but that is not necessarily the case.

    You are still deviating from my original question about SpamAssassin.
     
  9. NightStorm

    NightStorm Well-Known Member

    I'm still not sure how it's a deviation. You asked when spamassassin would be updated, and were told quite clearly that it already is updated in the more recent CPanel builds. That's pretty simple, really.
    You in turn argued that you're using a more recent build than the one you were told to update to... which resulted in my posting to show you how you were mistaken.
    In closing, RELEASE is using SpamAssassin version 3.1.3. If you want to update spamassassin to a more recent version than 3.1.2, you will need to, as I and others have said, update to a more recent build of CPanel, and risk the chance you may run into bugs.
    You want to know when STABLE will have an updated copy, well, you'll just have to do what I said and either update to a different build, or wait for the period of time while RELEASE has all the bugs patched up and then gets filtered down to the build you are using.
     
  10. jrehmer

    jrehmer Well-Known Member

    I moved to RELEASE, still 3.1.2, I moved to EDGE, still 3.1.2.

    Any way to manually update it, as it's obviously not getting done? I have 3 RHEL3 and 7 RHEL4 boxes that all are running SpamAssassin 3.1.2 and ALL have been upgraded to the latest EDGE (some are on RELEASE, I was just proving my point).
     
  11. NightStorm

    NightStorm Well-Known Member

    Just from running standard nightly updates:
    It's a long shot, but try removing spamassassin from your CPanel modules, then reinstall it. That used to work for phpBB.
     
  12. jrehmer

    jrehmer Well-Known Member

    I don't see it listed as an Addon module?
     
  13. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    You may have some old cpan mirrors that perl is using, try:

    Code:
    rm -rf /root/.cpcpan /home/.cpan
    /scripts/realperlinstaller --force Mail::SpamAssassin
    A word of caution -- This is just my obligatory word of caution when using rm -rf. Using this command will delete everything under a directory and the directory itself. Always be careful when using rm -rf.
     
  14. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    http://spamassassin.apache.org/advisories/cve-2006-2447.txt

     
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The version of SpamAssassin has no relation whatsoever to the build of cPanel you have installed.

    It's a perl module and as such is upgraded when upcp runs overnight and when your local cpan mirror gets it.

    There's no need to remove SpamAssassin at all. All you should need is:

    /scripts/perlinstaller --force Mail::SpamAssassin
     
  16. jamesbond

    jamesbond Well-Known Member

    spamassassin -v shows 3.1.3, but when I look in the e-mail headers it says:

    X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) :confused:
     
  17. boeki

    boeki Active Member

    X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01)

    that's running on cPanel 10.8.2-S120
     
  18. jamesbond

    jamesbond Well-Known Member

    Restarting exim worked for me:

    X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01)
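
The mismatch in posts 16 to 18 (module upgraded on disk, delivered mail still stamped with the old version until exim was restarted) can be checked mechanically. The following is an added example, not part of the thread or of cPanel's scripts; the function names, the sample message and the use of 3.1.3 as the minimum version are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The message below is constructed; names are illustrative.
sample_message() {
cat <<'EOF'
Received: from mail.example.test by mx.example.test; Wed, 7 Jun 2006 10:00:00 -0600
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10)
Subject: constructed test message

X-Spam-Checker-Version: SpamAssassin 9.9.9 (body text, must be ignored)
EOF
}

# Print the version from the X-Spam-Checker-Version header. Stops at the blank
# line ending the header block, so text in the body cannot influence the result.
header_version() {
    awk '/^[ \t\r]*$/ { exit }
         tolower($1) == "x-spam-checker-version:" { print $3; exit }'
}

# Succeed (exit 0) when dotted version $1 is strictly lower than $2.
# Fields are compared numerically, so 3.1.10 sorts after 3.1.3.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.]"); m = split(b, y, "[.]")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# $1 = version number reported by `spamassassin -v`, $2 = minimum acceptable
# version; one delivered message is read from stdin.
scanner_status() {
    stamped=$(header_version)
    if [ -z "$stamped" ]; then echo "no-header"
    elif [ "$stamped" != "$1" ]; then echo "stale-daemon:$stamped"
    elif version_lt "$stamped" "$2"; then echo "below-minimum:$stamped"
    else echo "ok:$stamped"
    fi
}

# The situation from post 16: 3.1.3 installed, mail still stamped 3.1.1.
sample_message | scanner_status 3.1.3 3.1.3
```

A `stale-daemon` result means the upgrade reached the disk but the running scanner has not reloaded it, which is what restarting exim resolved in post 18.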
     
  19. jrehmer

    jrehmer Well-Known Member

    That's because SpamAssassin isn't just a Perl module, like someone else said.
     