There were some recent reports that a mail message with a large and mangled header could cause the Perl regular expressions used in parsing a header to exceed available memory due to deep recursion, and cause the amavisd process to crash, letting such messages stay stuck in an MTA queue, reporting an unsightly 'process went away' by amavisd-nanny, and leaving behind temporary directories.
It is not a security threat, but is annoying nevertheless, so I decided to release a last maintenance release of 2.5, collecting all bug fixes that have accumulated by now, and leave all new features to 2.6 (to be pre-released soon).

The amavisd-new-2.5.3-rc1 release candidate is available at:

  http://www.ijs.si/software/amavisd/amavisd-new-2.5.3-rc1.tar.gz

Please try it out - I plan to release it in two or three days. There are no compatibility issues with 2.5.2.


amavisd-new-2.5.3 release notes

BUG FIXES

- fix parsing an SMTP status response from an MTA when releasing from a quarantine, when an MTA response did not include an enhanced status code (RFC 3463), (such as with old versions of Postfix); failed parsing resulted in attribute "setreply=450 4.5.0 Unexpected:..." in the AM.PDP protocol response, even though the release itself was successful; reported by Ron Miller, John M. Kupski, investigated by Tony Caduto and Jeremy Fowler;

- change parsing of addresses in From, To, and Cc header fields, avoiding complex Perl regular expressions which could crash a process on certain degenerate cases of these header fields; thanks for detailed problem reports to Carsten Luehrs and Attila Nagy;

- completely rewritten parsing of the Received header field to work around a Perl regular expression problem which could crash a process on certain degenerate cases of mail header fields; problem reported by Thomas Gelf;

- harden to some extent regular expressions in parse_message_id to cope better with degenerate cases of header fields carrying message-id;

- sanitize 8-bit characters in In-Reply-To and References header fields before using them in Pen Pals SQL lookups to avoid UTF-8 errors like:
    penpals_check FAILED: sql exec: err=7, 22021, DBD::Pg::st execute failed: ERROR: invalid byte sequence for encoding "UTF8": 0xd864

- when turning virus names into a spam report, avoid adding newly discovered virus (=fraud) names to a cached list if the same names are already listed; previously the list would just grow on each passage through a cache, leading to unsightly long lists of spam tests in a report; based on a patch by Henrik Krohns;

OTHER

- reduce log clutter when certain Perl modules are loaded late, after chrooting and daemonizing, but still before a fork; now only issue one log entry by a parent process: "extra modules loaded after daemonizing: ";

- slightly relax e-mail syntax in subroutine split_address;

- fetch additional information (tags) from SpamAssassin: TESTS, ASN, ASNCIDR, DKIMDOMAIN, DKIMIDENTITY, and AWLSIGNERMEAN, making them available through macro 'supplementary_info' (if a version of SpamAssassin in use provides them);

- declared a dummy subroutine dkim_key and new dummy configuration variables @dkim_signing_options_bysender_maps, %signed_header_fields, and $sql_partition_tag, also members of policy banks, in preparation for 2.6.0 - declared now for upwards/downwards compatibility;

Mark
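
An added example, not code from amavisd-new and not part of the original message: one way to split a From, To or Cc field on top-level commas without a single large regular expression, which is the kind of change the address-parsing item in the release notes describes. The function name split_address_list, the length cap and the sample inputs are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper: split the body of a From/To/Cc field on top-level commas.
# Each step matches one flat token anchored at \G; comment nesting is tracked in
# a counter, not in the pattern, so deep nesting costs iterations, not recursion.
sub split_address_list {
    my ($body, $max_len) = @_;
    $max_len = 65536 unless defined $max_len;  # assumed cap, not an amavisd setting
    die "header field too long\n" if length($body) > $max_len;
    my @items;
    my ($cur, $depth, $in_angle) = ('', 0, 0); # $depth: comment nesting level
    pos($body) = 0;
    while (pos($body) < length($body)) {
        if ($body =~ /\G(\\.)/gcs) {                      # quoted-pair
            $cur .= $1;
        } elsif ($depth > 0) {                            # inside a (comment)
            if    ($body =~ /\G\(/gc)         { $depth++; $cur .= '(' }
            elsif ($body =~ /\G\)/gc)         { $depth--; $cur .= ')' }
            elsif ($body =~ /\G([^()\\]+)/gc) { $cur .= $1 }
            else  { $body =~ /\G(.)/gcs; $cur .= $1 }     # lone trailing backslash
        } elsif ($body =~ /\G"/gc) {                      # quoted-string
            $cur .= '"';
            $cur .= $1 while $body =~ /\G(\\.|[^"\\]+)/gcs;
            $cur .= '"' if $body =~ /\G"/gc;              # tolerate a missing close
        } elsif ($body =~ /\G\(/gc) {
            $depth = 1; $cur .= '(';
        } elsif ($body =~ /\G([<>])/gc) {
            $in_angle = $1 eq '<' ? 1 : 0; $cur .= $1;
        } elsif (!$in_angle && $body =~ /\G,/gc) {        # top-level separator
            push @items, $cur; $cur = '';
        } elsif ($body =~ /\G([^\\"(),<>]+)/gc) {         # run of ordinary chars
            $cur .= $1;
        } else {
            $body =~ /\G(.)/gcs; $cur .= $1;              # any other single char
        }
    }
    push @items, $cur;
    s/^\s+//, s/\s+$// for @items;
    return grep { length } @items;
}

# Constructed inputs: an ordinary list, then a degenerate 20000-deep comment nest.
my @a = split_address_list('"Doe, Jane" <jane@example.com>, bob@example.org (Bob, (Jr.))');
print scalar(@a), " items: ", join(' | ', @a), "\n";
my @b = split_address_list(('(' x 20000) . 'x' . (')' x 20000) . ' a@example.net', 1 << 20);
print scalar(@b), " item, ", length($b[0]), " bytes\n";
```

An unterminated comment or quoted string simply runs to the end of the field, so a mangled header yields fewer, longer items instead of a failed parse.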
