Menu
▾
▴
amavis-announce — General Announcements by the AMaViS Team
You can subscribe to this list here.
| 2000 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
(5) |
Aug
(2) |
Sep
(1) |
Oct
(2) |
Nov
(1) |
Dec
(2) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2001 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
|
Jun
(2) |
Jul
(4) |
Aug
(3) |
Sep
|
Oct
(1) |
Nov
(5) |
Dec
|
| 2002 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(1) |
Jul
(1) |
Aug
(3) |
Sep
(1) |
Oct
(3) |
Nov
(2) |
Dec
|
| 2003 |
Jan
|
Feb
(1) |
Mar
(2) |
Apr
|
May
(2) |
Jun
(2) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
|
Dec
|
| 2004 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
(1) |
Jun
|
Jul
(1) |
Aug
|
Sep
|
Oct
(1) |
Nov
|
Dec
|
|
From: Rainer L. <li...@su...> - 2001-11-23 12:53:21
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AMaViS Security Announcement
Date: 23/11/2001
affected version(s): AMaViS-0.2.1, if reformime is used
amavis-perl/amavisd is _NOT_ affected
Vulnerability Type: eMail worm W32/Aliz may not be detected
in all cases
Priority: urgent
Solution: upgrade to amavis-perl/amavisd
use ripMIME instead
Author: Rainer Link <li...@su...>
Lars Hecking <lhe...@us...>
Advisory ID: ASA-2001-1
Status: author of reformime contacted - no reply yet
- ----------------------------------------------------------------------------
1. Problem description
AMaViS uses reformime to split a eMail message into parts, i.e. the mail
body and the attachment file(s).
The file(s) are written to the directory /var/tmp/scanmails<pid>/unpacked
by default.
reformime is not able to handle any message where the mail header contains
a MIME Content-Type header followed by whitespace indented header lines, e.g.
Content-Type: multipart/mixed;
boundary="bound"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1300
Therefore /var/tmp/scanmails<pid>/unpacked is empty and no known
virus/worm will be detected by the used virus scanner(s).
2. Impact
It is possible that the W32/Aliz worm is not detected and an infected
eMail is delivered to the user.
NOTE: metamail is able to handle such mails correctly, but fails to
handle multipart/alternative messages (in some cases?). Please see
the AMaViS Security Announcement 2000-1 for details.
It seems only ripMIME currently works in both cases, too.
3. Solution
We strongly recommend to upgrade to amavis-perl/amavisd,
as the development of AMaViS 0.2.x branch has been discontinued since
July, 2001
(http://marc.theaimsgroup.com/?l=amavis-announce&m=99530451203949&w=2)
As upgrading could be a big step which takes some time, please use the
following workaraound/fix:
1. Grab the latest ripMIME from http://www.pldaniels.com/ripmime/#downloads
2. Install it
3. Open /usr/sbin/scanmails in your favorite editor and
3.1 search for the line metamail=<path/binary> in the configuration
section of the scanmails script. Change this to the location of
ripmime, i.e. to
metamail=/usr/local/bin/ripmime
3.2 Search for the following line
${metamail} -x ${tmpdir}/unpacked/ < ${tmpdir}/receivedmail > /dev/null 2>&1
Change this to
${metamail} -d ${tmpdir}/unpacked/ -i ${tmpdir}/receivedmail > /dev/null 2>&1
4. Save the file
5. Generate a test message with the EICAR Test-File-Virus
(http://www.eicar.com/anti_virus_test_file.htm)
to check if ripMIME is configured correctly within the scanmails script.
4. Acknowledgement
We would like to thank Ger Donohue, Mark Martinec and Enrico Binder
for reporting this problem to us and everyone who send us mail samples
to reproduce it.
5. References
http://www.linux.ie/pipermail/ilug/2001-November/039609.html
http://sourceforge.net/tracker/index.php?func=detail&aid=484273&group_id=6006&at
id=106006
http://sourceforge.net/tracker/index.php?func=detail&aid=484273&group_id=6006&atid=106006
http://sourceforge.net/tracker/index.php?func=detail&aid=484522&group_id=6006&atid=106006
http://marc.theaimsgroup.com/?t=100643616600009&w=2&r=1
http://marc.theaimsgroup.com/?l=amavis-user&m=100644967914633&w=2
http://www.amavis.org/security/asa-2000-1.txt
http://www.amavis.org/
6. Revision History
22/11/2001: Initial release
23/11/2001: Solution section updated
Re-issued as the script is /usr/sbin/scanmails
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org
iD8DBQE7/ka2mxoFTBO0QHkRAg4sAJ0RBTgppz2C4buHkPyW01r9NEhDKQCdH877
A300m7ulHqErg4k9bDTf/uE=
=a9xG
-----END PGP SIGNATURE-----
--
Rainer Link | SuSE - The Linux Experts
li...@su... | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
|
|
From: Rainer L. <li...@su...> - 2001-11-23 12:50:52
|
On Fri, 23 Nov 2001, Rainer Link wrote: > 3. Open /usr/sbin/amavis in your favorite editor and This should be /usr/sbin/scanmails of course! Thanks to Christian for pointing this out. I'm sorry. To avoid confusion, I'll re-issue this ASA. best regards, Rainer Link (SuSE Labs) -- Rainer Link | SuSE - The Linux Experts li...@su... | Developer of A Mail Virus Scanner (www.amavis.org) www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org) |
|
From: Rainer L. <li...@su...> - 2001-11-23 12:01:43
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AMaViS Security Announcement
Date: 23/11/2001
affected version(s): AMaViS-0.2.1, if reformime is used
amavis-perl/amavisd is _not_ affected
Vulnerability Type: eMail worm W32/Aliz may not be detected
in all cases
Priority: urgent
Solution: upgrade to amavis-perl/amavisd
use ripMIME instead
Author: Rainer Link <li...@su...>
Lars Hecking <lhe...@us...>
Advisory ID: ASA-2001-1
Status: author of reformime contacted - no reply yet
- ----------------------------------------------------------------------------
1. Problem description
AMaViS uses reformime to split a eMail message into parts, i.e. the mail
body and the attachment file(s).
The file(s) are written to the directory /var/tmp/scanmails<pid>/unpacked
by default.
reformime is not able to handle any message where the mail header contains
a MIME Content-Type header followed by whitespace indented header lines, e.g.
Content-Type: multipart/mixed;
boundary="bound"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1300
Therefore /var/tmp/scanmails<pid>/unpacked is empty and no known
virus/worm will be detected by the used virus scanner(s).
2. Impact
It is possible that the W32/Aliz worm is not detected and an infected
eMail is delivered to the user.
NOTE: metamail is able to handle such mails correctly, but fails to
handle multipart/alternative messages (in some cases?). Please see
the AMaViS Security Announcement 2000-1 for details.
It seems only ripMIME currently works in both cases, too.
3. Solution
We strongly recommend to upgrade to amavis-perl/amavisd,
as the development of AMaViS 0.2.x branch has been discontinued since
July, 2001
(http://marc.theaimsgroup.com/?l=amavis-announce&m=99530451203949&w=2)
As upgrading could be a big step which takes some time, please use the
following workaraound/fix:
1. Grab the latest ripMIME from http://www.pldaniels.com/ripmime/#downloads
2. Install it
3. Open /usr/sbin/amavis in your favorite editor and
3.1 search for the line metamail=<path/binary> in the configuration
section of the amavis script. Change this to the location of
ripmime, i.e. to
metamail=/usr/local/bin/ripmime
3.2 Search for the following line
${metamail} -x ${tmpdir}/unpacked/ < ${tmpdir}/receivedmail > /dev/null 2>&1
Change this to
${metamail} -d ${tmpdir}/unpacked/ -i ${tmpdir}/receivedmail > /dev/null 2>&1
4. Save the file
5. Generate a test message with the EICAR Test-File-Virus
(http://www.eicar.com/anti_virus_test_file.htm)
to check if ripMIME is configured correctly within the amavis script.
4. Acknowledgement
We would like to thank Ger Donohue, Mark Martinec and Enrico Binder
for reporting this problem to us and everyone who send us mail samples
to reproduce it.
5. References
http://www.linux.ie/pipermail/ilug/2001-November/039609.html
http://sourceforge.net/tracker/index.php?func=detail&aid=484273&group_id=6006&at
id=106006
http://sourceforge.net/tracker/index.php?func=detail&aid=484273&group_id=6006&atid=106006
http://sourceforge.net/tracker/index.php?func=detail&aid=484522&group_id=6006&atid=106006
http://marc.theaimsgroup.com/?t=100643616600009&w=2&r=1
http://marc.theaimsgroup.com/?l=amavis-user&m=100644967914633&w=2
http://www.amavis.org/security/asa-2000-1.txt
http://www.amavis.org/
6. Revision History
22/11/2001: Initial release
23/11/2001: Solution section updated
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org
iD8DBQE7/jnnmxoFTBO0QHkRAm3rAJ9TlmapDonb1JDdgUgGypgpPH5FwQCePPJs
AH0hCTzC9OEwOuC1ish6BDI=
=X+9e
-----END PGP SIGNATURE-----
--
Rainer Link | SuSE - The Linux Experts
li...@su... | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
|
|
From: Rainer L. <li...@su...> - 2001-10-29 23:24:31
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! FYI, updated RPMs of amavis-sendmail and amavis-postfix for SuSE Linux 7.3 are available. I'd suggest using the YOU (YaST Online Update), but grabing them from our ftp-server (ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/) and installing them works, of course, too. This update is recommend. Sorry for any inconvenience. best regards, Rainer Link - -- Rainer Link | SuSE - The Linux Experts li...@su... | Developer of A Mail Virus Scanner (www.amavis.org) www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQE73eVsmxoFTBO0QHkRArgoAJ0dlPzFABoFF18vppwlzIOYTiCzvQCfQLs6 kaL+8uv3ZhWhXbn6Rheg4yQ= =b7ya -----END PGP SIGNATURE----- |
|
From: Rainer L. <li...@su...> - 2001-08-24 18:29:07
|
Hi! I know some exim folks is subscribed here :-) I really appreciate any comments on using a system filter. What are the pros/cons compared to the current setup? Is it really needed to re-submit a message when using a system filter? (hopefully I will be able to give it a try myself over the weekend ...) Thanks a lot! best regards, Rainer Link -- Rainer Link | SuSE - The Linux Experts li...@su... | Developer of A Mail Virus Scanner (amavis.org) www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org) ---------- Forwarded message ---------- Date: Sat, 18 Aug 2001 00:38:57 +0900 From: SONE Takeshi <ts...@ts...> To: Dan Egli <eg...@ya...> Cc: ama...@li..., exi...@ex... Subject: Re: [AMaViS-user] exim system filter? On Thu, Aug 16, 2001 at 09:57:20AM -0600, Dan Egli wrote: > If you know how, go ahead and post it. In the mean time, directors and > routers work. I'm not an experienced Exim/AMaViS hacker, but my first attempt looks working ok. In the MAIN CONFIGURATION of exim.conf: # AMaViS filter message_filter = /etc/exim/amavis_filter message_filter_pipe_transport = amavis_pipe message_filter_user = amavis In the TRANSPORTS CONFIGURATION: # AMaViS filter pipe transport amavis_pipe: driver = pipe path = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" current_directory = "/var/amavis" Finally, the system filter file, /etc/exim/amavis_filter is very simple: # Exim filter if $received_protocol is not "scanned-ok" then pipe "/usr/sbin/amavis <$sender_address> $recipients" endif (Also, I added amavis to trusted_user.) (I posted a mail from remote host to two remote recipients.) 2001-08-18 00:07:50 15XlDy-0001rn-00 <= ts...@ts... H=arndok.tsn.or.jp [202.217.183.35] U=mail P=esmtp S=678 id=200...@ts... 2001-08-18 00:07:50 15XlDy-0001rn-00 original recipients ignored (message_filter) 2001-08-18 00:07:51 15XlDz-0001ry-00 <= ts...@ts... U=amavis P=scanned-ok S=905 id=200...@ts... 2001-08-18 00:07:51 15XlDy-0001rn-00 => |/usr/sbin/amavis <$sender_address> $recipients <message filter> T=amavis_pipe 2001-08-18 00:07:51 15XlDy-0001rn-00 Completed 2001-08-18 00:07:51 15XlDz-0001ry-00 == ts...@cm... T=remote_smtp defer (-1): domain matches queue_smtp_domains, or -odqs set 2001-08-18 00:07:51 15XlDz-0001ry-00 == ts...@ts... T=remote_smtp defer (-1): domain matches queue_smtp_domains, or -odqs set 2001-08-18 00:08:01 Start queue run: pid=7202 2001-08-18 00:08:01 15XlDz-0001ry-00 => ts...@ts... R=lookuphost T=remote_smtp H=ki-ki.tsn.or.jp [202.217.183.34] 2001-08-18 00:08:07 15XlDz-0001ry-00 => ts...@cm... R=lookuphost T=remote_smtp H=kky.cma.co.jp [202.217.183.2] 2001-08-18 00:08:07 15XlDz-0001ry-00 Completed 2001-08-18 00:08:07 End queue run: pid=7202 (This Exim is configured to defer all remote SMTP connections, queue_smtp_domains = *). I would like comments from serious Exim and/or AMaViS hackers. Thanks. -- Takeshi _______________________________________________ AMaViS-user mailing list AMa...@li... http://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 |
|
From: Rainer L. <li...@su...> - 2001-08-16 15:39:00
|
Hi!
If you're using the sendmail relay hack (successfully) would you be
kind enough to send me your configuration, i.e.
- which version of amavis _exactly_
- which version of sendmail
- permissions of /usr/sbin/sendmail, /var/spool/mqamavis,
/var/spool/mqueue, /var/amavis, /var/virusmails
- _all_ changes to your sendmail config (sendmail.cf), such as Mamavis (or
RunAs, DefaultUser stuff, if used)
- which OS exactly (i.e SuSE Linux 7.0, RedHat 7.0, Sun Solaris 8)
Background: I used the sendmail relay hack in the past successfully on my
SuSE systems with sendmail 8.9.3 and 8.11.x (amavis 0.2.1 and
amavis-perl-10, IIRC), before I switched to sendmail-milter and postfix.
The configuration I used is described in README.sendmail (esp. the example
configuration section). But, well, it's a hack, and a lot of ppl complained
in the past about it ("it simply does not work - I've tried several
configs/permissions"). Unfortunately, my time is simply too limited to dig
into it :-(
Either I/we can manage to improve README.sendmail, so ppl are able to get
it working or I'll remove the sendmail relay hack completly for the next
release.
Thanks a lot for your participation and input!
best regards,
Rainer Link
--
Rainer Link | SuSE - The Linux Experts
li...@su... | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
|
|
From: Lars H. <lhe...@us...> - 2001-08-13 13:00:50
|
Hi all. We have now set up a repository for contributed software, patches etc. It can be reached at http://www.amavis.org/contrib/ (only), and there is also a link to it from the main page. No funky html index page yet, but I would like to ask everyone to review 0README. If some of the software is outdated, but a web page is available (Furio?), I would simple add the link instead of keeping an up-to-date copy. All contributions are welcome! |
|
From: Rainer L. <li...@su...> - 2001-07-16 17:24:17
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The development of the AMaViS 0.2.x branch (the shell script version) has been officially discontinued, as no AMaViS Developer works on it and/or uses it. Moreover, our time is simply too limited to work on several branches. Therefore the last official release is AMaViS 0.2.1, although I was working on an AMaViS 0.2.2 release month ago, which is checked into CVS. Please see http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/amavis/amavis/ChangeLog?rev=1.18&content-type=text/vnd.viewcvs-markup&only_with_tag=MAIN for details. NOTE: The CVS stuff is broken, esp. the sendmail part. I have not had the time in the past months to fix it. If anyone is willing to take over maintainership, please raise your hand :-) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQE7UxRzmxoFTBO0QHkRApkSAKCF+3fV8AV+lYL6eU/YMmLM1KbMzQCfZ6yl TcNe6F7AmC1FAXIuMrwna68= =8xRh -----END PGP SIGNATURE----- -- Rainer Link | SuSE - The Linux Experts li...@su... | Developer of A Mail Virus Scanner (amavis.org) www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org) |
|
From: Rainer L. <li...@su...> - 2001-07-15 14:54:52
|
amavisd-smtp is a spin-off from the regular amavisd-branch. It was originally developed for a SuSE Business Product, but the decision was not to use amavisd-smtp for this product. Therefore I've decided to release it to the public yet, although it's not that well tested and some planned features are missing (and some "FIXMEs" are still in the code). The requirements for amavisd-smtp were: * full support of postfix content filtering API (advanced content filtering example) - amavisd-smtp receives and sends mail via SMTP. * a real config-file (and not a perl-script *g*) - amavisd.conf is now in Ini-style format * virus scanner code is included at run-time (required to be able to change used virus-scanners via web interface) * web-based administration, for this purpose it comes with amavisconf (similar to postconf). The admin interface is not included, as it depends (havily) on stuff developed by SuSE and it's not GPL'ed. What's missing (originally on my TODO list): * content filtering support * graphical stats, ie.e for Top 10 virusses * more modular design As amavisd-smtp is no longer an official SuSE project, my time will be somewhat limited to work on it (other stuff on my general TODO list has a higher prio) and I'm not sure if I'll add the missing features mentioned above. amavisd-smtp is in sync with the latest amavisd-snapshot release. Please keep in mind this is an _EXPERIMENTAL_ release - anyone is welcome "to play with it". Please _DO NOT_ use it for production environments! For details please read the ChangeLog within the package. Instruction details for postfix can be found in README.postfix. You can grab the source tarball at ftp://ftp.suse.com/pub/people/link/amavis/amavisd-smtp/ Currently no (S)RPMs available yet. Feedback is welcome. Have fun :-) best regards, Rainer Link -- Rainer Link | SuSE - The Linux Experts li...@su... | Developer of A Mail Virus Scanner (amavis.org) www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org) |
|
From: Rainer L. <li...@su...> - 2001-07-14 18:34:23
|
New (S)RPMs of the new amavisd-snapshot for sendmail/postfix are available at: ftp://ftp.suse.com/pub/people/link/amavis/SuSE/7.2/sendmail/ ftp://ftp.suse.com/pub/people/link/amavis/SuSE/7.2/postfix/ Please read the provided INSTALL.TXT and README.SuSE within the package(s) carefully. Feedback is welcome, any packaging issue should be reported directly to me. Thanks. If you do not use H+B EDV AntiVir, please edit /etc/amavisd.conf. Have fun :-) best regards, Rainer Link -- Rainer Link | SuSE - The Linux Experts li...@su... | Developer of A Mail Virus Scanner (amavis.org) www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org) |
|
From: Lars H. <lhe...@us...> - 2001-07-14 17:51:33
|
The second public snapshot of amavisd is now available. amavisd is the daemonised version of amavis-perl. http://www.amavis.org/ http://sourceforge.net/projects/amavis/ amavis-snapshot-20010714 * bugfix for daemon parent blocking * support for sendmail 8.12 milter * proper handling of lha archives created under DOS * drop requirement for file command to be brief NB.: amavis still requires a file command that recognises TNEF files! * decompress zip files only the compression method is supported; leave other archives to the virus scanner (this is open to debate) |
|
From: Rainer L. <li...@su...> - 2001-06-07 13:07:41
|
Hi! A known bugs list / FAQ for amavis-perl & amavisd is available at http://www.amavis.org/amavis-faq.php3 Please check this page first before posting to amavis-user. Any contributions to this page are welcome. Thanks! best regards, Rainer Link -- Rainer Link | SuSE - The Linux Experts li...@su... | Developer of A Mail Virus Scanner (amavis.org) www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org) |
|
From: Rainer L. <li...@su...> - 2001-06-07 12:24:24
|
[ NOTE: http://www.amavis.org/amavis-user-guidelines.php3 ] Some guidelines for the amavis-user mailing list. Loosely based on http://www.openbsd.org/mail.html. Netiquette ---------- Be considerate of other subscribers on the mailing list. Plain text, 72 characters per line Many subscribers read their mail on text-based mailers (mail(1), emacs) and they find HTML-formatted messages, or lines that stretch beyond 72 characters often unreadable. Do your homework before you post If you have an installation question, make sure that you have read the relevant documents such as the README and README.* text files in the top level directory of the source distribution. The mailing list archive is also a valuable resource. Include a useful Subject line Including a relevant Subject in the message will ensure that more people actually read what you've written. Also, avoid Subject lines with excessive capitalization. Trim your signature Keep the signature lines at the bottom of your mail to a reasonable length. Posts are rarely critical enough to warrant a PGP signature, and those automatic address cards are merely annoying. Stay on topic Please keep the subject of the post relevant to users of AMaViS. Technical --------- The active AMaViS development team is quite small. To make sure that all problem reports can be processed efficiently, please provide all necessary information in the initial report: - version of amavis - version of MTA - MTA config details - log file evidence - other useful information, depending on the nature of the problem (OS, AV software, configure output etc.) Please do not send private email to the AMaViS developers. Even if you think the request or information is hardly relevant for the mailing list, others might find it useful. |
|
From: Lars H. <lhe...@us...> - 2001-04-09 12:35:48
|
http://www.amavis.org/ http://sourceforge.net/projects/amavis/ |
|
From: Rainer L. <li...@su...> - 2000-12-11 21:04:46
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AMaViS Security Announcement
Date: 12/11/2000
affected version(s): AMaViS-Perl below AMaViS-Perl-10
Vulnerability Type: script viruses (i.e. vbs worms) may not
be detected
Priority: urgent
Solution: upgrade to AMaViS-Perl-10
Author: Lars Hecking <lhe...@nm...>
Rainer Link <li...@su...>
Advisory ID: ASA-2000-5
- ---------------------------------------------------------------------------
1. Problem description
AMaViS-Perl uses a Perl module to decode (uudecode/xxdecode or binhex) every
file which is recognised by file(1) as ASCII, text, uuencode, xxencode or
binhex. If a (ASCII, text) file is _not_ encoded, the resulting file is
zero bytes long and the original file will be deleted as usual
as AMaViS-Perl fails to detect this error case. Therefore the
virus itself will be deleted.
2. Impact
Obvious. This bug can let script viruses go undetected.
3. Solution
Upgrade to AMaViS-Perl-10.
4. Acknowledgement
This bug was discovered accidentally by Lars Hecking.
5. References
https://sourceforge.net/projects/amavis/
http://www.amavis.org/
6. Revision History
12/11/2000: initial release
===========================================================================
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDjaUVwRBACPlluFzjLsjxV4ynz41Zk1S2GLF1/U3xE2HNcfk+a2Ij6sH64O
yPtBR9WX9x/QW3g9LnW86DHWgnh408D7jtd4/imJDyiNGqMregmkDjEWa6TIsXwB
RlG/DRpFbfwc4yRqQPklcgCIH/KlxgkJ1QTezpltRiQBfpWZKOrA1tLGGwCgw4/o
pU+RdnilbrDc6MZx7WQkzKED+QEUt4/++VyvPZjQCOmxFk4GpQZNP99D40eJFwyx
JkRGVl4f1wAgi0Q3NSSJyl1j9qGxz0c8DmR1F0yJtyg8+fqpKomtg+lHasvELom4
g0cGjnjtwx7sgtga4BIxUUpWTZLkMftWQigWgwWp3e5b6RCfHTUxuOUtgBBmjQB8
x04ABACNTYjjBcUKJYzp3Hx8wz39MVznYl8KXuXHIGY0ccbPmv3J6zjXvSr4++AZ
+U1qUSGJUyW0xpSWnsxHRI/qkiI5KPNbLYPFMbYjLHH2H5grjdnw7X71NAEW13Mv
0V9Fgs1mn93BkVn8V+U8vGPcgwTegcEWCe6V06HZD6Ep46W7drQnUmFpbmVyIEhl
cm1hbm4gTGluayA8UmFpbmVyTGlua0BnbXguZGU+iFYEExECABYFAjjaUVwECwoE
AwMVAwIDFgIBAheAAAoJEJsaBUwTtEB5iDoAoI+nE3VeD0gGtuaTHhLmKPA7rfmJ
AKCf+H996kGJ65ZmqWsTrV2iuyqniIkBIgQQAQEADAUCONuGTwUDAeEzgAAKCRCX
VPlSyTX7PUP3CACZG7hK9GMg7gL2pWs6ZEPC+ANUGh3KL5F/cYjngQJf+YABXvJ/
g8Up0voHooSq+lGQMxPZjK2sxLF/aOkmRW+r/uC1pxwbAOLgRRC/X33CVA+XhJ0r
UvYJGHUjDRoe690vWkxyDDCVGVlsD3+5w7Ljsq0hoiRFF+32HyJzHY1bcC3d+W5V
IPBze9bJvcDspJbCOXVc87d2tOfYR85mdOcsotNhAZJWtZvBkhj9xvxlu8BrAOUe
e+1ZbeMNlrDnmMGMYc2kF4gSbAHfmYR9Zepng60s5rWktEUzlJoUDRPKI2FmNT3E
K9dycZXhsdcDUnzAimm4MrvEn2pexSC2rE4NtCJSYWluZXIgSGVybWFubiBMaW5r
IDxsaW5rQHN1c2UuZGU+iFUEExECABYFAjlosj0ECwoEAwMVAwIDFgIBAheAAAoJ
EJsaBUwTtEB5yj0AniSu6k2wR6LF122b5aUVUwhXoHtlAJdMS/Gijbx8m4MI9thX
qXp5azRNtClSYWluZXIgSGVybWFubiBMaW5rIDxSYWluZXIuTGlua0BzdXNlLmRl
PohWBBMRAgAWBQI5aLJjBAsKBAMDFQMCAxYCAQIXgAAKCRCbGgVME7RAeWHEAJ45
eGd260EM04tUuIhh2fxI0RyhPwCfVU8nrwC7pbwj7Dsa07fvwE0soYW5Ag0EONpS
FBAIAJoCSZEyxdupx95EPn8XPGV7ugg+5BMIDTA6J30HD78RQQkDQCBMTDLCcMpz
uukxXByAUMUNpf8RlZEN9U582BjdPYNYRa4VP5QJbvpjC08YeWQs+sD3n0HT/ArL
FGlC+rSf1vJoaKI2ggTlRV1L04yEhCEH9zQDPKjFH4aIci2IghOJB/xZaRF69khN
IlifD8SglIQ9FcEhc5+sUIZdeu/+XVlgwgBc4XF7+W40PNZ4uXMhElbzGP5jqTdo
nFS+AlV/OsElQ+ma4atZicfVjRaVTxovAl91ZeVr5v7XGvpvh3rmtOyP/pVYf4ii
5Y6nu8OFXGo4Bsx3FqSZkQ2jh3cAAwUIAICCSuAuPCYaKYA168gNDZjsadQNhCpw
2o7zsKpSmQ6hxd4aRQ1TO631nNDx2D+/ffk7ET5VT3n4gezUn2ITZHdrTk1GUpLR
3czoMZIBL6Eit9mEmRe1XZ/3Q5lEUZHm8wEqqIZPPVhxZAFXDBucQlPO1lFKd8rM
UC+3+oU7RF9PpwzdQ+d/iMGmFMKXTH7o2qRV64cVMkWuMpMQARfA+i3YGPqqZfIb
dlMHXJ0oA32+eTUqOTtucD64XvcYSUQQ1tsHeijvrHq71zLfL6t1Dhwt+JDRMz3S
fDggxQs2oaB9Y+rxfbX7ajcHl0rc67sTTC+wDXIq+25FhnYPu+NV6kmIRgQYEQIA
BgUCONpSFAAKCRCbGgVME7RAeTYdAKCifLnHBBVPhcSRRffljCryGujZJQCfYcrQ
VrZ22GYrSJJn3sNjQKAHd3w=
=Fsd9
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org
iD8DBQE6NTs/mxoFTBO0QHkRAqRpAJ9MlL/MYBXBoHQ7zMgGc57BVTNdGQCgoKed
EuhcY4RJI8U7AEG9IXem77k=
=UWlO
-----END PGP SIGNATURE-----
--
Rainer Link | SuSE - The Linux Experts
li...@su... | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
|
|
From: Lars H. <lhe...@us...> - 2000-12-07 18:46:58
|
A potential hole for script viruses as well as a few problems with configure were fixed. Details at http://sourceforge.net/project/shownotes.php?release_id=17815 |
|
From: Lars H. <lhe...@us...> - 2000-11-24 11:35:03
|
Go here for details: http://sourceforge.net/project/shownotes.php?release_id=16807 |
|
From: Rainer L. <li...@su...> - 2000-10-31 17:43:47
|
Hi! Finally AMaViS 0.2.1 is out. We fixed the improper handling of TNEF files, added some hints for M4 stuff (not for the sendmail relay hack) and fixed those warning messages which appeared in the qmail log. If a virus scanner seems to be broken, it's reported now in the log file. We've updated the documentation, too. For details please check the ChangeLog file. As a personal note, I would like to thank everyone who feeded us with patches, bug reports and feedback. Last but not least SuSE Germany for funding my work. Btw, if anyone is interested in translating the documentation into his native language, please drop me a note. best regards, Rainer Link -- Rainer Link | SuSE - The Linux Experts li...@su... | Developer of A Mail Virus Scanner (amavis.org) www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org) |
|
From: <lhe...@us...> - 2000-10-24 18:18:47
|
As the subject says. See http://sourceforge.net/project/shownotes.php?group_id=6006&release_id=14474 for details. |
|
From: Rainer L. <li...@su...> - 2000-09-23 19:02:24
|
Hi everyone!
We just released AMaViS 0.2.1-pre3. It should fix some bugs reported to us
in the past weeks and hopefully does not break anything. Here is the
ChangeLog ...
2000-09-23 Rainer Link <li...@su...>
* README.scanners: Updated for Sophos sweep 3.37. Added update
scripts provided by AMaViS users
added section "return codes" (cut&paste out of scanmails.in)
* README.exim: fixed some typos
* README.sendmail: added example configuration for sendmail 8.11
* README.reformime: Updated
* README.postfix: Updated
* doc/: amavis.html, amavis.txt: * updated (broken?) links so far *
documentation does not actually match 0.2.1, yet * still on
TODO:
- describe links provided - add to "in the press" - fix all
that is still missing - point to various README.*
* doc/amavis.png: new logo in PNG format
* doc/amavis.gif: replaced amavis.gif with amavis.png this image
does no longer contain a version number
* configure.in: bugfix: AvpDaemonTst was not detected by configure
configure stopps if the "file" binary is not installed
Added hint to read README.metamail/README.reformime
if neither metamail nor reformime is installed
added check if metamail 1.0 or below is used
* src/scanmails/scanmails.in: improved detection for uuencoded
mails (if send inline)
moved information about return values for
the used scanners (moved to README.scanners)
improved unpacking stuff a bit
extract uuencoded file(s) if send inline
improved handling of self-extracting files a bit
improved handling of uuencoded files a bit
check the return value of AvpDaemonClient for 4 and 5
fixed a minor issue with postfix
Added -i to sendmail relay and postfix when delivering back the
eMail to avoid potential mail loss
improved postfix support
* NEWS: updated
* README: updated to release 0.2.1-pre3
* Released 0.2.1-pre3
best regards,
Rainer Link
--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
|
|
From: Rainer L. <li...@su...> - 2000-08-02 20:12:18
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AMaViS Security Announcement
Date: 08/02/2000
affected version(s): AMaViS-Perl
AMaViS-0.2.1-pre1 / -pre2
AMaViS-0.2.0-pre6-clm-rl-8-12-06-2000 and later
Vulnerability Type: AMaViS can lose parts of email messages
Priority: urgent
Solution: apply patch
Author: Lars Hecking <lhe...@nm...>
Rainer Link <li...@su...>
Advisory ID: ASA-2000-4
- ---------------------------------------------------------------------------
1. Problem description
In some configurations, e.g. relay type setups, scanmails (AMaViS) and amavis
(AMaViS-Perl) is using sendmail or other MTA's sendmail wrappers to reinject
scanned emails back into the mail system. If an email message contains a
single dot on a line by itself, the sendmail program/wrapper will truncate
that message at the dot, as amavis/scanmails fails to call sendmail with
the "IgnoreDots" cmd line option (-i).
In detail:
AMaViS (scanmails) used with the following MTAs:
* sendmail, scanmails is called via Mlocal: NOT affected
* sendmail (relay setup): affected
* postfix: affected
* exim: NOT affected
AMaViS-Perl (amavis) used with the following MTAs:
* sendmail, amavis is called via Mlocal: NOT affected
* postfix (relay setup): affected
* postfix with procmail: NOT affected
* qmail: NOT affected
2. Impact
Obvious. All parts of an email message after and including a solitary dot
are lost. This problem affects all setups where mail leaves amavis through
sendmail or a sendmail-compatible wrapper. In particular, all dual-postfix
setups as described in AMaViS-Perl's README.postfix are affected. The same
is valid to AMaViS's README.postfix and AMaViS's README.sendmail.
3. Solution
3.1 AMaViS-Perl
Locate the following code in the amavis-perl script
if ($LDA eq "$sendmail_wrapper") {
unshift(@LDAARGS, "-f");
} else {
@LDAARGS = ();
}
and change it to
if ($LDA eq "$sendmail_wrapper") {
unshift(@LDAARGS, "-f");
unshift(@LDAARGS, "-oi ");
} else {
@LDAARGS = ();
}
3.2 All non-perl versions of AMaViS
Apply the attached patch to the scanmails script. It should apply ok with
more or less fuzz.
4. Acknowledgement
I discovered this by accident after receiving a mail message on the
postfix-users mailing list which quoted more parts of another message
than I remembered getting. Rainer Link provided the patch for scanmails.
5. References
https://sourceforge.net/projects/amavis/
http://amavis.org/
6. Revision History
08/02/2000: initial release
08/02/2000: some changes
===========================================================================
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDjaUVwRBACPlluFzjLsjxV4ynz41Zk1S2GLF1/U3xE2HNcfk+a2Ij6sH64O
yPtBR9WX9x/QW3g9LnW86DHWgnh408D7jtd4/imJDyiNGqMregmkDjEWa6TIsXwB
RlG/DRpFbfwc4yRqQPklcgCIH/KlxgkJ1QTezpltRiQBfpWZKOrA1tLGGwCgw4/o
pU+RdnilbrDc6MZx7WQkzKED+QEUt4/++VyvPZjQCOmxFk4GpQZNP99D40eJFwyx
JkRGVl4f1wAgi0Q3NSSJyl1j9qGxz0c8DmR1F0yJtyg8+fqpKomtg+lHasvELom4
g0cGjnjtwx7sgtga4BIxUUpWTZLkMftWQigWgwWp3e5b6RCfHTUxuOUtgBBmjQB8
x04ABACNTYjjBcUKJYzp3Hx8wz39MVznYl8KXuXHIGY0ccbPmv3J6zjXvSr4++AZ
+U1qUSGJUyW0xpSWnsxHRI/qkiI5KPNbLYPFMbYjLHH2H5grjdnw7X71NAEW13Mv
0V9Fgs1mn93BkVn8V+U8vGPcgwTegcEWCe6V06HZD6Ep46W7drQnUmFpbmVyIEhl
cm1hbm4gTGluayA8UmFpbmVyTGlua0BnbXguZGU+iFYEExECABYFAjjaUVwECwoE
AwMVAwIDFgIBAheAAAoJEJsaBUwTtEB5iDoAoI+nE3VeD0gGtuaTHhLmKPA7rfmJ
AKCf+H996kGJ65ZmqWsTrV2iuyqniIkBIgQQAQEADAUCONuGTwUDAeEzgAAKCRCX
VPlSyTX7PUP3CACZG7hK9GMg7gL2pWs6ZEPC+ANUGh3KL5F/cYjngQJf+YABXvJ/
g8Up0voHooSq+lGQMxPZjK2sxLF/aOkmRW+r/uC1pxwbAOLgRRC/X33CVA+XhJ0r
UvYJGHUjDRoe690vWkxyDDCVGVlsD3+5w7Ljsq0hoiRFF+32HyJzHY1bcC3d+W5V
IPBze9bJvcDspJbCOXVc87d2tOfYR85mdOcsotNhAZJWtZvBkhj9xvxlu8BrAOUe
e+1ZbeMNlrDnmMGMYc2kF4gSbAHfmYR9Zepng60s5rWktEUzlJoUDRPKI2FmNT3E
K9dycZXhsdcDUnzAimm4MrvEn2pexSC2rE4NtCJSYWluZXIgSGVybWFubiBMaW5r
IDxsaW5rQHN1c2UuZGU+iFUEExECABYFAjlosj0ECwoEAwMVAwIDFgIBAheAAAoJ
EJsaBUwTtEB5yj0AniSu6k2wR6LF122b5aUVUwhXoHtlAJdMS/Gijbx8m4MI9thX
qXp5azRNtClSYWluZXIgSGVybWFubiBMaW5rIDxSYWluZXIuTGlua0BzdXNlLmRl
PohWBBMRAgAWBQI5aLJjBAsKBAMDFQMCAxYCAQIXgAAKCRCbGgVME7RAeWHEAJ45
eGd260EM04tUuIhh2fxI0RyhPwCfVU8nrwC7pbwj7Dsa07fvwE0soYW5Ag0EONpS
FBAIAJoCSZEyxdupx95EPn8XPGV7ugg+5BMIDTA6J30HD78RQQkDQCBMTDLCcMpz
uukxXByAUMUNpf8RlZEN9U582BjdPYNYRa4VP5QJbvpjC08YeWQs+sD3n0HT/ArL
FGlC+rSf1vJoaKI2ggTlRV1L04yEhCEH9zQDPKjFH4aIci2IghOJB/xZaRF69khN
IlifD8SglIQ9FcEhc5+sUIZdeu/+XVlgwgBc4XF7+W40PNZ4uXMhElbzGP5jqTdo
nFS+AlV/OsElQ+ma4atZicfVjRaVTxovAl91ZeVr5v7XGvpvh3rmtOyP/pVYf4ii
5Y6nu8OFXGo4Bsx3FqSZkQ2jh3cAAwUIAICCSuAuPCYaKYA168gNDZjsadQNhCpw
2o7zsKpSmQ6hxd4aRQ1TO631nNDx2D+/ffk7ET5VT3n4gezUn2ITZHdrTk1GUpLR
3czoMZIBL6Eit9mEmRe1XZ/3Q5lEUZHm8wEqqIZPPVhxZAFXDBucQlPO1lFKd8rM
UC+3+oU7RF9PpwzdQ+d/iMGmFMKXTH7o2qRV64cVMkWuMpMQARfA+i3YGPqqZfIb
dlMHXJ0oA32+eTUqOTtucD64XvcYSUQQ1tsHeijvrHq71zLfL6t1Dhwt+JDRMz3S
fDggxQs2oaB9Y+rxfbX7ajcHl0rc67sTTC+wDXIq+25FhnYPu+NV6kmIRgQYEQIA
BgUCONpSFAAKCRCbGgVME7RAeTYdAKCifLnHBBVPhcSRRffljCryGujZJQCfYcrQ
VrZ22GYrSJJn3sNjQKAHd3w=
=Fsd9
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5iH6/mxoFTBO0QHkRAmdwAJ4lIXUU4mpYaO8K4PNs5y1YBQ8Z7QCggJim
XPEUOucJ0sDOST4scst4dVU=
=Laao
-----END PGP SIGNATURE-----
--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
|
|
From: Lars H. <lhe...@nm...> - 2000-08-02 18:33:44
|
===========================================================================
AMaViS Security Announcement
Date: 08/02/2000
affected version(s): all releases of AMaViS including amavis-perl
Vulnerability Type: amavis can lose parts of email messages
Priority: urgent
Solution: apply patch
Author: Lars Hecking <lhe...@nm...>
Advisory ID: ASA-2000-4
---------------------------------------------------------------------------
1. Problem description
In some configurations, e.g. relay type setups, scanmails/amavis is using
sendmail or other MTA's sendmail wrappers to reinject scanned emails back
into the mail system. If an email message contains a single dot on a line
by itself, the sendmail program/wrapper will truncate that message at the
dot, as amavis/scanmails fails to call sendmail with the "IgnoreDots" cmd
line option (-i).
2. Impact
Obvious. All parts of an email message after and including a solitary dot
are lost. This problem affects all setups where mail leaves amavis through
sendmail or a sendmail-compatible wrapper. In particular, all dual-postfix
setups as described in amavis-perl's README.postfix are affected.
3. Solution
3.1 amavis-perl
Locate the following code in the amavis-perl script
if ($LDA eq "$sendmail_wrapper") {
unshift(@LDAARGS, "-f");
} else {
@LDAARGS = ();
}
and change it to
if ($LDA eq "$sendmail_wrapper") {
unshift(@LDAARGS, "-f");
unshift(@LDAARGS, "-oi ");
} else {
@LDAARGS = ();
}
3.2 All non-perl versions of amavis
Apply the attached patch to the scanmails script. It should apply ok with
more or less fuzz.
4. Acknowledgement
I discovered this by accident after receiving a mail message on the
postfix-users mailing list which quoted more parts of another message
than I remembered getting. Rainer Link provided the patch for scanmails.
5. References
https://sourceforge.net/projects/amavis/
6. Revision History
08/02/2000: initial release
===========================================================================
|
|
From: Rainer L. <li...@su...> - 2000-07-29 17:45:37
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AMaViS Security Announcement
Date: 07/29/2000
affected version(s): AMaViS 0.2.1-pre1 if metamail is used
Vulnerability Type: AMaViS is configured with the wrong
switches for metamil / no mail splitting
no virus detection possible
Priority: urgent
Solution: checkout latest sources from CVS or download
at least configure.in from cvsweb.amavis.org
Author: Rainer Link <li...@su...>
Advisory ID: ASA-2000-3
- ---------------------------------------------------------------------------
1. Problem description
AMaViS 0.2.1-pre1 uses either metamail or reformime to split
an eMail message in its parts, which will be saved in
/var/tmp/scanmails<pid>/unpacked
Due to a stupid bug AMaViS will use the run-time switches for
reformime although metamail is used.
Here is a short explanation why this happens:
./configure will detect metamail, create config.cache and create
src/scanmails/scanmails correctly, this means metamail is used and
the correct run-time flags for metamail, too.
make calls ./configure --recheck, configure uses for speed reasons
the cached variables, but the check if metamail or reformime is used
fails now. Therefore src/scanmails/scanmails is created for use with
metamail *but* with the run-time flags for reformime.
2. Impact
As AMaViS (scanmails) uses the wrong run-time parameters, a mail is
not splitted and /var/tmp/scanmails<pid>/unpacked is *always*
empty. Therefore no virus will be detected at all.
3. Solution
Either checkout the latest sources from our CVS server at
http://sourceforge.net/projects/amavis/ or download at least
configure.in from http://cvsweb.amavis.org/. The direct
link is http://cvs.sourceforge.net/cgi-bin/cvsweb.cgi/~checkout~
/amavis/configure.in?rev=1.9&content-type=text/plain&cvsroot=amavis
If you download only configure.in, please do a ./reconf (it may
give you three warnings, but they can be ignored).
Remove config.cache, if this file does exits.
Then re-run ./configure with the configure options you need and do
a make && make install.
NOTE: After every update of either AMaViS or used virus scanner(s),
please test if everything works correctly be sending a mail with the
EICAR testfile virus, which can be found at
http://www.eicar.com/anti_virus_test_file.htm
4. Acknowledgment
I would like to thank Tilo Lutz who first reported to us that no virus
was discovered when metamail is used. As this was my bug, I
apologize for any inconveniences.
5. References
6. Revision History
07/29/2000: initial release
===========================================================================
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDjaUVwRBACPlluFzjLsjxV4ynz41Zk1S2GLF1/U3xE2HNcfk+a2Ij6sH64O
yPtBR9WX9x/QW3g9LnW86DHWgnh408D7jtd4/imJDyiNGqMregmkDjEWa6TIsXwB
RlG/DRpFbfwc4yRqQPklcgCIH/KlxgkJ1QTezpltRiQBfpWZKOrA1tLGGwCgw4/o
pU+RdnilbrDc6MZx7WQkzKED+QEUt4/++VyvPZjQCOmxFk4GpQZNP99D40eJFwyx
JkRGVl4f1wAgi0Q3NSSJyl1j9qGxz0c8DmR1F0yJtyg8+fqpKomtg+lHasvELom4
g0cGjnjtwx7sgtga4BIxUUpWTZLkMftWQigWgwWp3e5b6RCfHTUxuOUtgBBmjQB8
x04ABACNTYjjBcUKJYzp3Hx8wz39MVznYl8KXuXHIGY0ccbPmv3J6zjXvSr4++AZ
+U1qUSGJUyW0xpSWnsxHRI/qkiI5KPNbLYPFMbYjLHH2H5grjdnw7X71NAEW13Mv
0V9Fgs1mn93BkVn8V+U8vGPcgwTegcEWCe6V06HZD6Ep46W7drQnUmFpbmVyIEhl
cm1hbm4gTGluayA8UmFpbmVyTGlua0BnbXguZGU+iFYEExECABYFAjjaUVwECwoE
AwMVAwIDFgIBAheAAAoJEJsaBUwTtEB5iDoAoI+nE3VeD0gGtuaTHhLmKPA7rfmJ
AKCf+H996kGJ65ZmqWsTrV2iuyqniIkBIgQQAQEADAUCONuGTwUDAeEzgAAKCRCX
VPlSyTX7PUP3CACZG7hK9GMg7gL2pWs6ZEPC+ANUGh3KL5F/cYjngQJf+YABXvJ/
g8Up0voHooSq+lGQMxPZjK2sxLF/aOkmRW+r/uC1pxwbAOLgRRC/X33CVA+XhJ0r
UvYJGHUjDRoe690vWkxyDDCVGVlsD3+5w7Ljsq0hoiRFF+32HyJzHY1bcC3d+W5V
IPBze9bJvcDspJbCOXVc87d2tOfYR85mdOcsotNhAZJWtZvBkhj9xvxlu8BrAOUe
e+1ZbeMNlrDnmMGMYc2kF4gSbAHfmYR9Zepng60s5rWktEUzlJoUDRPKI2FmNT3E
K9dycZXhsdcDUnzAimm4MrvEn2pexSC2rE4NtCJSYWluZXIgSGVybWFubiBMaW5r
IDxsaW5rQHN1c2UuZGU+iFUEExECABYFAjlosj0ECwoEAwMVAwIDFgIBAheAAAoJ
EJsaBUwTtEB5yj0AniSu6k2wR6LF122b5aUVUwhXoHtlAJdMS/Gijbx8m4MI9thX
qXp5azRNtClSYWluZXIgSGVybWFubiBMaW5rIDxSYWluZXIuTGlua0BzdXNlLmRl
PohWBBMRAgAWBQI5aLJjBAsKBAMDFQMCAxYCAQIXgAAKCRCbGgVME7RAeWHEAJ45
eGd260EM04tUuIhh2fxI0RyhPwCfVU8nrwC7pbwj7Dsa07fvwE0soYW5Ag0EONpS
FBAIAJoCSZEyxdupx95EPn8XPGV7ugg+5BMIDTA6J30HD78RQQkDQCBMTDLCcMpz
uukxXByAUMUNpf8RlZEN9U582BjdPYNYRa4VP5QJbvpjC08YeWQs+sD3n0HT/ArL
FGlC+rSf1vJoaKI2ggTlRV1L04yEhCEH9zQDPKjFH4aIci2IghOJB/xZaRF69khN
IlifD8SglIQ9FcEhc5+sUIZdeu/+XVlgwgBc4XF7+W40PNZ4uXMhElbzGP5jqTdo
nFS+AlV/OsElQ+ma4atZicfVjRaVTxovAl91ZeVr5v7XGvpvh3rmtOyP/pVYf4ii
5Y6nu8OFXGo4Bsx3FqSZkQ2jh3cAAwUIAICCSuAuPCYaKYA168gNDZjsadQNhCpw
2o7zsKpSmQ6hxd4aRQ1TO631nNDx2D+/ffk7ET5VT3n4gezUn2ITZHdrTk1GUpLR
3czoMZIBL6Eit9mEmRe1XZ/3Q5lEUZHm8wEqqIZPPVhxZAFXDBucQlPO1lFKd8rM
UC+3+oU7RF9PpwzdQ+d/iMGmFMKXTH7o2qRV64cVMkWuMpMQARfA+i3YGPqqZfIb
dlMHXJ0oA32+eTUqOTtucD64XvcYSUQQ1tsHeijvrHq71zLfL6t1Dhwt+JDRMz3S
fDggxQs2oaB9Y+rxfbX7ajcHl0rc67sTTC+wDXIq+25FhnYPu+NV6kmIRgQYEQIA
BgUCONpSFAAKCRCbGgVME7RAeTYdAKCifLnHBBVPhcSRRffljCryGujZJQCfYcrQ
VrZ22GYrSJJn3sNjQKAHd3w=
=Fsd9
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5gxczmxoFTBO0QHkRAix/AJ9zkZtogMbgXrQfOHGj9MF/Ug4rhwCfa+cU
ZsYjC4CCJuyuwnjLkvPFLR8=
=8ZNt
-----END PGP SIGNATURE-----
--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
|
|
From: Rainer L. <li...@su...> - 2000-07-27 15:31:34
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AMaViS Security Announcement
Date: 07/27/2000
affected version(s): AMaViS 0.2.0-pre6-clm-rl-8-04-07-2000 and later
if reformime below 1.01 is used
(AMaViS-Perl is NOT affected)
Vulnerability Type: attacker could pass virus through AMaViS /
Denial-of-Service attack against AMaViS
Priority: urgent
Solution: apply patch / update reformime
Author: Rainer Link <li...@su...>
Advisory ID: ASA-2000-2
- ---------------------------------------------------------------------------
1. Problem description
AMaViS uses reformime, part of the maildrop package, to split
eMail messages in its parts.
reformime version below 1.0 (tested with 0.76b) overwrite files
with the same file names.
reformime version 1.0 tries to avoid overwritting files but a bug
causes an endless loop.
2. Impact
reformime below 1.0: an attacker can create an eMail message with two
attachments with the same file name. The first file contains a virus,
the second one is clean. reformime overwrites the first one with the
second. Therefore no virus is detected and the mail will be delivered
to user(s).
reformime 1.0 tries to avoid clobbering of existing files but due
to a bug it will end up in an endless loop. This could be used as
a denial-of-service attack against AMaViS.
3. Solution
Apply the provided patch for reformime 1.0. Or update to maildrop 1.01,
which will be released soon according to the author.
Or if possible use AMaViS-Perl instead, which uses a Perl module for
MIME handling.
4. Acknowledgment
This bug was discovered by Rainer Link. We would like to thank Sam
Varshavchik, the author of maildrop, for providing a patch quickly.
5. References
reformime, part of the maildrop package, can be found at
http://www.flounder.net/~mrsam/maildrop/
6. Revision History
07/27/2000: initial release
===========================================================================
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDjaUVwRBACPlluFzjLsjxV4ynz41Zk1S2GLF1/U3xE2HNcfk+a2Ij6sH64O
yPtBR9WX9x/QW3g9LnW86DHWgnh408D7jtd4/imJDyiNGqMregmkDjEWa6TIsXwB
RlG/DRpFbfwc4yRqQPklcgCIH/KlxgkJ1QTezpltRiQBfpWZKOrA1tLGGwCgw4/o
pU+RdnilbrDc6MZx7WQkzKED+QEUt4/++VyvPZjQCOmxFk4GpQZNP99D40eJFwyx
JkRGVl4f1wAgi0Q3NSSJyl1j9qGxz0c8DmR1F0yJtyg8+fqpKomtg+lHasvELom4
g0cGjnjtwx7sgtga4BIxUUpWTZLkMftWQigWgwWp3e5b6RCfHTUxuOUtgBBmjQB8
x04ABACNTYjjBcUKJYzp3Hx8wz39MVznYl8KXuXHIGY0ccbPmv3J6zjXvSr4++AZ
+U1qUSGJUyW0xpSWnsxHRI/qkiI5KPNbLYPFMbYjLHH2H5grjdnw7X71NAEW13Mv
0V9Fgs1mn93BkVn8V+U8vGPcgwTegcEWCe6V06HZD6Ep46W7drQnUmFpbmVyIEhl
cm1hbm4gTGluayA8UmFpbmVyTGlua0BnbXguZGU+iFYEExECABYFAjjaUVwECwoE
AwMVAwIDFgIBAheAAAoJEJsaBUwTtEB5iDoAoI+nE3VeD0gGtuaTHhLmKPA7rfmJ
AKCf+H996kGJ65ZmqWsTrV2iuyqniIkBIgQQAQEADAUCONuGTwUDAeEzgAAKCRCX
VPlSyTX7PUP3CACZG7hK9GMg7gL2pWs6ZEPC+ANUGh3KL5F/cYjngQJf+YABXvJ/
g8Up0voHooSq+lGQMxPZjK2sxLF/aOkmRW+r/uC1pxwbAOLgRRC/X33CVA+XhJ0r
UvYJGHUjDRoe690vWkxyDDCVGVlsD3+5w7Ljsq0hoiRFF+32HyJzHY1bcC3d+W5V
IPBze9bJvcDspJbCOXVc87d2tOfYR85mdOcsotNhAZJWtZvBkhj9xvxlu8BrAOUe
e+1ZbeMNlrDnmMGMYc2kF4gSbAHfmYR9Zepng60s5rWktEUzlJoUDRPKI2FmNT3E
K9dycZXhsdcDUnzAimm4MrvEn2pexSC2rE4NtCJSYWluZXIgSGVybWFubiBMaW5r
IDxsaW5rQHN1c2UuZGU+iFUEExECABYFAjlosj0ECwoEAwMVAwIDFgIBAheAAAoJ
EJsaBUwTtEB5yj0AniSu6k2wR6LF122b5aUVUwhXoHtlAJdMS/Gijbx8m4MI9thX
qXp5azRNtClSYWluZXIgSGVybWFubiBMaW5rIDxSYWluZXIuTGlua0BzdXNlLmRl
PohWBBMRAgAWBQI5aLJjBAsKBAMDFQMCAxYCAQIXgAAKCRCbGgVME7RAeWHEAJ45
eGd260EM04tUuIhh2fxI0RyhPwCfVU8nrwC7pbwj7Dsa07fvwE0soYW5Ag0EONpS
FBAIAJoCSZEyxdupx95EPn8XPGV7ugg+5BMIDTA6J30HD78RQQkDQCBMTDLCcMpz
uukxXByAUMUNpf8RlZEN9U582BjdPYNYRa4VP5QJbvpjC08YeWQs+sD3n0HT/ArL
FGlC+rSf1vJoaKI2ggTlRV1L04yEhCEH9zQDPKjFH4aIci2IghOJB/xZaRF69khN
IlifD8SglIQ9FcEhc5+sUIZdeu/+XVlgwgBc4XF7+W40PNZ4uXMhElbzGP5jqTdo
nFS+AlV/OsElQ+ma4atZicfVjRaVTxovAl91ZeVr5v7XGvpvh3rmtOyP/pVYf4ii
5Y6nu8OFXGo4Bsx3FqSZkQ2jh3cAAwUIAICCSuAuPCYaKYA168gNDZjsadQNhCpw
2o7zsKpSmQ6hxd4aRQ1TO631nNDx2D+/ffk7ET5VT3n4gezUn2ITZHdrTk1GUpLR
3czoMZIBL6Eit9mEmRe1XZ/3Q5lEUZHm8wEqqIZPPVhxZAFXDBucQlPO1lFKd8rM
UC+3+oU7RF9PpwzdQ+d/iMGmFMKXTH7o2qRV64cVMkWuMpMQARfA+i3YGPqqZfIb
dlMHXJ0oA32+eTUqOTtucD64XvcYSUQQ1tsHeijvrHq71zLfL6t1Dhwt+JDRMz3S
fDggxQs2oaB9Y+rxfbX7ajcHl0rc67sTTC+wDXIq+25FhnYPu+NV6kmIRgQYEQIA
BgUCONpSFAAKCRCbGgVME7RAeTYdAKCifLnHBBVPhcSRRffljCryGujZJQCfYcrQ
VrZ22GYrSJJn3sNjQKAHd3w=
=Fsd9
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5gFSamxoFTBO0QHkRAgLyAKC1i59LIB07e5V9r+wIg9kR3Dp6aQCfR3Nb
p8/9+2qTYbOksmM+9uGIeuM=
=bpQK
-----END PGP SIGNATURE-----
--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de Developer
of A Mail Virus Scanner (AMaViS): http://amavis.org/ Founder of Linux
AntiVirus Project: http://lavp.sourceforge.net/
|
|
From: Rainer L. <li...@su...> - 2000-07-27 15:28:18
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
==========================================================================
AMaViS Security Announcement
Date: 07/27/2000
affected version(s): all AMaViS releases using metamail, in detail
all release versions up to 0.2.0-pre6
all release versions 0.2.0-pre6-clm up
to 0.2.0-pre6-clm-rl-8
all CVS version before
0.2.0-pre6-clm-rl-8-04-07-2000
(AMaViS-Perl is NOT affected)
Vulnerability Type: some eMail worms (i.e. KAKworm) may not be
detected
Priority: urgent
Solution: update to latest CVS version, install reformime
Author: Rainer Link <li...@su...>
Advisory ID: ASA-2000-1
- ---------------------------------------------------------------------------
1. Problem description
AMaViS uses metamail do split a eMail message in its parts, i.e. the mail
body and the attachment file(s).
The file(s) are written to the directory /var/tmp/scanmails<pid>/unpacked
by default.
As metamail is very old and as it seems not maintained anymore, it is not
able to handle MIME multipart/alternative messages. Such a message
contains a plain ASCII text body part and a HTML body part, which is
created e.g. by Netscape Messanger if "Message Formatting" is set to
"Send the message in plain text and HTML".
Therefore /var/tmp/scanmails<pid>/unpacked is empty and no known
virus/worm will be detected.
2. Impact
It is possible that a known virus/worm is not detected and an infected
eMail is delivered to the user. We got reports that this has happend
with the KAKworm.
3. Solution
Since AMaViS 0.2.0-pre6-clm-rl-8-04-07-2000 it is possible to use
reformime as a replacement for metamail. reformime comes within the
maildrop package. ./configure looks first for reformime, therefore if
it's installed, AMaViS will use it.
Or if pssible use AMaViS-Perl instead, which uses a Perl module for
MIME handling.
4. Acknowledgment
I would like to thank Craig Baird who first reported this problem to me
and helped to track it down.
5. References
metamail can be found at ftp://thumper.bellcore.com/pub/nsb/
reformime, part of the maildrop package, can be found at
http://www.flounder.net/~mrsam/maildrop/
To checkout the latest CVS version of AMaViS please visit
http://sourceforge.net/projects/amavis
6. Revision History
07/27/2000: initial release
============================================================================
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDjaUVwRBACPlluFzjLsjxV4ynz41Zk1S2GLF1/U3xE2HNcfk+a2Ij6sH64O
yPtBR9WX9x/QW3g9LnW86DHWgnh408D7jtd4/imJDyiNGqMregmkDjEWa6TIsXwB
RlG/DRpFbfwc4yRqQPklcgCIH/KlxgkJ1QTezpltRiQBfpWZKOrA1tLGGwCgw4/o
pU+RdnilbrDc6MZx7WQkzKED+QEUt4/++VyvPZjQCOmxFk4GpQZNP99D40eJFwyx
JkRGVl4f1wAgi0Q3NSSJyl1j9qGxz0c8DmR1F0yJtyg8+fqpKomtg+lHasvELom4
g0cGjnjtwx7sgtga4BIxUUpWTZLkMftWQigWgwWp3e5b6RCfHTUxuOUtgBBmjQB8
x04ABACNTYjjBcUKJYzp3Hx8wz39MVznYl8KXuXHIGY0ccbPmv3J6zjXvSr4++AZ
+U1qUSGJUyW0xpSWnsxHRI/qkiI5KPNbLYPFMbYjLHH2H5grjdnw7X71NAEW13Mv
0V9Fgs1mn93BkVn8V+U8vGPcgwTegcEWCe6V06HZD6Ep46W7drQnUmFpbmVyIEhl
cm1hbm4gTGluayA8UmFpbmVyTGlua0BnbXguZGU+iFYEExECABYFAjjaUVwECwoE
AwMVAwIDFgIBAheAAAoJEJsaBUwTtEB5iDoAoI+nE3VeD0gGtuaTHhLmKPA7rfmJ
AKCf+H996kGJ65ZmqWsTrV2iuyqniIkBIgQQAQEADAUCONuGTwUDAeEzgAAKCRCX
VPlSyTX7PUP3CACZG7hK9GMg7gL2pWs6ZEPC+ANUGh3KL5F/cYjngQJf+YABXvJ/
g8Up0voHooSq+lGQMxPZjK2sxLF/aOkmRW+r/uC1pxwbAOLgRRC/X33CVA+XhJ0r
UvYJGHUjDRoe690vWkxyDDCVGVlsD3+5w7Ljsq0hoiRFF+32HyJzHY1bcC3d+W5V
IPBze9bJvcDspJbCOXVc87d2tOfYR85mdOcsotNhAZJWtZvBkhj9xvxlu8BrAOUe
e+1ZbeMNlrDnmMGMYc2kF4gSbAHfmYR9Zepng60s5rWktEUzlJoUDRPKI2FmNT3E
K9dycZXhsdcDUnzAimm4MrvEn2pexSC2rE4NtCJSYWluZXIgSGVybWFubiBMaW5r
IDxsaW5rQHN1c2UuZGU+iFUEExECABYFAjlosj0ECwoEAwMVAwIDFgIBAheAAAoJ
EJsaBUwTtEB5yj0AniSu6k2wR6LF122b5aUVUwhXoHtlAJdMS/Gijbx8m4MI9thX
qXp5azRNtClSYWluZXIgSGVybWFubiBMaW5rIDxSYWluZXIuTGlua0BzdXNlLmRl
PohWBBMRAgAWBQI5aLJjBAsKBAMDFQMCAxYCAQIXgAAKCRCbGgVME7RAeWHEAJ45
eGd260EM04tUuIhh2fxI0RyhPwCfVU8nrwC7pbwj7Dsa07fvwE0soYW5Ag0EONpS
FBAIAJoCSZEyxdupx95EPn8XPGV7ugg+5BMIDTA6J30HD78RQQkDQCBMTDLCcMpz
uukxXByAUMUNpf8RlZEN9U582BjdPYNYRa4VP5QJbvpjC08YeWQs+sD3n0HT/ArL
FGlC+rSf1vJoaKI2ggTlRV1L04yEhCEH9zQDPKjFH4aIci2IghOJB/xZaRF69khN
IlifD8SglIQ9FcEhc5+sUIZdeu/+XVlgwgBc4XF7+W40PNZ4uXMhElbzGP5jqTdo
nFS+AlV/OsElQ+ma4atZicfVjRaVTxovAl91ZeVr5v7XGvpvh3rmtOyP/pVYf4ii
5Y6nu8OFXGo4Bsx3FqSZkQ2jh3cAAwUIAICCSuAuPCYaKYA168gNDZjsadQNhCpw
2o7zsKpSmQ6hxd4aRQ1TO631nNDx2D+/ffk7ET5VT3n4gezUn2ITZHdrTk1GUpLR
3czoMZIBL6Eit9mEmRe1XZ/3Q5lEUZHm8wEqqIZPPVhxZAFXDBucQlPO1lFKd8rM
UC+3+oU7RF9PpwzdQ+d/iMGmFMKXTH7o2qRV64cVMkWuMpMQARfA+i3YGPqqZfIb
dlMHXJ0oA32+eTUqOTtucD64XvcYSUQQ1tsHeijvrHq71zLfL6t1Dhwt+JDRMz3S
fDggxQs2oaB9Y+rxfbX7ajcHl0rc67sTTC+wDXIq+25FhnYPu+NV6kmIRgQYEQIA
BgUCONpSFAAKCRCbGgVME7RAeTYdAKCifLnHBBVPhcSRRffljCryGujZJQCfYcrQ
VrZ22GYrSJJn3sNjQKAHd3w=
=Fsd9
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5gFSNmxoFTBO0QHkRAs09AKCQSuoyNUI7ysM0FgpYQX2bCptQJACgs/CW
VBx1/pSZY0+ITGUDnmJ0p1A=
=0wBK
-----END PGP SIGNATURE-----
--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
|