On 02/10/2011 09:42 AM, Michael Scheidell wrote:
> active exploits going on.
>
> <http://seclists.org/fulldisclosure/2010/Mar/140>
> <http://www.securityfocus.com/bid/38578>
>
> Vulnerable: SpamAssassin Milter Plugin SpamAssassin Milter Plugin 0.3.1
>
> I don't see anything on bugtraq about a fix.

The fix (to use popenenv in place of popen) has been noted on the spamass-milter list. It was released downstream by both Red Hat and Debian in March 2010:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228

I've attached the current diff from Debian (note it includes everything, including the debian/ subdirectory, rather than just that one issue).

...

Why is Amavis here for the ride? They don't use spamass-milter!

spamass-milter_0.3.1-10.diff.gz
Description: GNU Zip compressed data