On Sunday December 6 2009 13:39:51 Justin Mason wrote:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1391
> Do we need to do anything about this?

Probably not. The Compress::Raw::Zlib is used by Compress::Zlib which is used by SpamAssassin to optionally decompress spamc/spamd communication, at least the DependencyInfo.pm claims so. This could potentially be exploited by a rogue spamc-lookalike client (which could fabricate an arbitrary zip), but not by mail compressed by a regular spamc. I think the mail compressed attachments are not decompressed by SpamAssassin at all.

On the amavisd side (as mentioned in the CVE), the version 2.017 of Compress::Raw::Zlib is enforced since amavisd-new-2.6.4, released in June 2009.

Mark
