http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3838
[EMAIL PROTECTED] changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Insecure dependency in eval |allow_user_rules causes
|while running setuid |'Insecure dependency in eval
| |while running setuid'
------- Additional Comments From [EMAIL PROTECTED] 2006-02-13 19:45 -------
So judging by list traffic, it now seems that everyone here is using
"allow_user_rules 1", right? That's an important detail; speak up if not.
Also, everyone is seeing this with spamd?
does anyone see this with Amavisd-new? (if not, maybe we should look into
copying Mark's technique.)
It's a bug in perl's taint-tracking, where it loses track of what strings are
tainted, I think possibly after lots and lots of eval '' invocations. Normally,
without user rules, there are few of those; but with user rules, every time the
user rules file is read, they have to be compiled and an eval '' takes place, so
user rules would cause this to be more likely to occur on perl versions with the
bug.
Setting spamd's --max-conn-per-child setting to something lower (try 50) may
reduce the likelihood of this perl bug occurring before the spamd child is
recycled.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
