[Kolab-devel] Security Issue 26 for Kolab Server (SpamAssassin)

Sascha Wilde wilde at intevation.de
Mon Jan 4 13:22:33 CET 2010


Kolab Security Issue 26 20100104
================================

Package:              Kolab Server, SpamAssassin
Vulnerability:        mail loss (legitimate mail misclassified as spam)
Kolab Specific:       no
Dependent Packages:   none


Summary
~~~~~~~

The Apache SpamAssassin spam filter shipping with Kolab Server
includes a rule named FH_DATE_PAST_20XX which triggers on most mail
with a Date header that includes the year 2010 or later. The rule was
meant to flag dates far in the future, but its pattern matches every
year from 2010 onwards.

This adds 3.2 points to the spam score of nearly every mail sent in
2010 or later, enough to push otherwise legitimate messages over the
spam threshold and have them tagged or discarded.


Affected Versions
~~~~~~~~~~~~~~~~~

This affects SpamAssassin 3.2.0 through 3.2.5.
Kolab Server 2.2.3 and all previous releases are affected.


Fix
~~~

Add the following line to
/kolab/etc/kolab/templates/local.cf.template (the template from which
kolabconf generates /kolab/etc/spamassassin/local.cf; do not edit the
generated file directly on these versions, as kolabconf overwrites it):

score FH_DATE_PAST_20XX 0.0

This keeps the rule but sets its score to zero, so it no longer adds
anything to a message's spam score.

or update your kolabd package:

OpenPKG packages for Kolab Server 2.2.3 are available from
http://files.kolab.org/server/security-updates/20100104/
or from the mirrors listed on http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Lenny)
is available as kolabd-2.2.3-20100104.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Etch)
is available as kolabd-2.2.3-20100104.ix86-debian4.0-kolab.rpm

After either step, run as root: /kolab/sbin/kolabconf

Older versions of Kolab Server don't have local.cf.template; there,
add the line to /kolab/etc/spamassassin/local.cf directly and then
restart amavisd with: /kolab/etc/rc.d/rc.amavisd restart
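
To show why the rule misfires on ordinary 2010 mail, and to check that a
score override in local.cf actually neutralises it, the following is an
added example; it is not Kolab's or SpamAssassin's own code. It
reproduces in Python the rule's pattern as published in the 3.2.x rule
files and SpamAssassin's semantics for "score" lines (last line wins,
one or four values). The messages and local.cf fragments are constructed,
and the 3.2 fallback score is taken from this advisory.

```python
import re
from typing import Optional

# Pattern of the header rule as published in the SpamAssassin 3.2.x rule
# files: intended to catch dates far in the future, but the character class
# matches every year from 2010 through 2099.  Messages without a Date header
# are evaluated against the rule's if-unset value "2006".
FH_DATE_PAST_20XX = re.compile(r"20[1-9][0-9]")
FH_DATE_IF_UNSET = "2006"

# Score the rule adds according to this advisory; used as the fallback when
# the supplied configuration carries no 'score' line for the rule (assumption).
ADVISORY_DEFAULT_SCORE = 3.2

# A SpamAssassin 'score' line: "score RULE v" or "score RULE v v v v",
# optionally followed by a '#' comment.
SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+([-\d.\s]+?)\s*(?:#.*)?$")


def date_header(raw_message: str) -> Optional[str]:
    """Return the value of the first Date: header, or None if absent."""
    headers = raw_message.split("\n\n", 1)[0]
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return value.strip()
    return None


def fh_date_past_20xx_fires(raw_message: str) -> bool:
    """True if the 3.2.x rule matches this message's Date header."""
    value = date_header(raw_message)
    if value is None:
        value = FH_DATE_IF_UNSET
    return FH_DATE_PAST_20XX.search(value) is not None


def effective_score(local_cf: str, rule: str, scoreset: int = 0,
                    default: float = ADVISORY_DEFAULT_SCORE) -> float:
    """Score SpamAssassin would apply for `rule` given local.cf text.

    The last matching 'score' line wins.  A single value applies to every
    score set; four values are indexed by score set (0: no Bayes and no
    network tests, 1: network tests only, 2: Bayes only, 3: both).
    """
    result = default
    for line in local_cf.splitlines():
        m = SCORE_LINE.match(line)
        if not m or m.group(1) != rule:
            continue
        values = [float(v) for v in m.group(2).split()]
        if len(values) == 1:
            result = values[0]
        elif len(values) == 4:
            result = values[scoreset]
        else:
            raise ValueError("malformed score line: %r" % line)
    return result


def rule_contribution(raw_message: str, local_cf: str, scoreset: int = 0) -> float:
    """Points FH_DATE_PAST_20XX adds to this message's total under local_cf."""
    if not fh_date_past_20xx_fires(raw_message):
        return 0.0
    return effective_score(local_cf, "FH_DATE_PAST_20XX", scoreset)


# Constructed sample input: two ordinary messages differing only in the year,
# one message without a Date header, and two local.cf fragments.
MESSAGE_2010 = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Date: Mon, 4 Jan 2010 13:22:33 +0100\n"
    "Subject: weekly report\n"
    "\n"
    "Nothing unusual this week.\n"
)
MESSAGE_2009 = MESSAGE_2010.replace("4 Jan 2010", "28 Dec 2009")
MESSAGE_NO_DATE = MESSAGE_2010.replace("Date: Mon, 4 Jan 2010 13:22:33 +0100\n", "")

LOCAL_CF_UNPATCHED = "required_score 5.0\n"
LOCAL_CF_PATCHED = (
    "required_score 5.0\n"
    "# Kolab Security Issue 26: neutralise the misfiring rule\n"
    "score FH_DATE_PAST_20XX 0.0\n"
)

if __name__ == "__main__":
    for name, msg in (("2010", MESSAGE_2010), ("2009", MESSAGE_2009),
                      ("no Date", MESSAGE_NO_DATE)):
        print("%-8s fires=%-5s unpatched=+%.1f patched=+%.1f" % (
            name, fh_date_past_20xx_fires(msg),
            rule_contribution(msg, LOCAL_CF_UNPATCHED),
            rule_contribution(msg, LOCAL_CF_PATCHED)))
```

Only this one rule is modelled, not SpamAssassin's full scoring. The
2009 message and the message without a Date header never trigger the
rule, which is why the problem surfaced abruptly on 1 January 2010; the
2010 message gets the full 3.2 points until the override line is in
effect. On a live Kolab server the equivalent check is to feed a message
with a current Date header through spamassassin -t and confirm that
FH_DATE_PAST_20XX no longer adds points to the reported score.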

You can check the integrity of the downloaded files with:

$ gpg --keyserver keys.gnupg.net --recv-key 4BB86568
$ gpg --verify SHA1SUMS.sig
$ sha1sum -c SHA1SUMS

The source package can be compiled and installed on your Kolab Server with:

# su - kolab
$ openpkg rpm --rebuild ...path/to.../kolabd-2.2.3-20100104.src.rpm
$ openpkg rpm -Uvh /kolab/RPM/PKG/kolabd-2.2.3-20100104.<ARCH>-<OS>-kolab.rpm
$ exit
# /kolab/sbin/kolabconf

To install a binary package, just skip the --rebuild step.


Details
~~~~~~~

http://wiki.apache.org/spamassassin/Rules/FH_DATE_PAST_20XX
	Description of the problematic rule including note on the
	misbehavior of older versions.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269
	Bug report in the official upstream tracker.

Timeline
~~~~~~~~
    20100101 Upstream Bug Report
    20100102 Discussion and hotfix on kolab-users at kolab.org
    20100104 Updated kolabd package available and Kolab Server
             security advisory published.
-- 
Sascha Wilde                                          OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/                  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer:   Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner