From: Rainer L. <li...@su...> - 2001-11-23 12:53:21
===========================================================================
AMaViS Security Announcement                             Date: 23/11/2001

affected version(s):  AMaViS-0.2.1, if reformime is used
                      amavis-perl/amavisd is _NOT_ affected
Vulnerability Type:   eMail worm W32/Aliz may not be detected in all cases
Priority:             urgent
Solution:             upgrade to amavis-perl/amavisd
                      use ripMIME instead
Author:               Rainer Link <li...@su...>
                      Lars Hecking <lhe...@us...>
Advisory ID:          ASA-2001-1
Status:               author of reformime contacted - no reply yet
----------------------------------------------------------------------------

1. Problem description

AMaViS uses reformime to split an eMail message into parts, i.e. the mail
body and the attachment file(s). The file(s) are written to the directory
/var/tmp/scanmails<pid>/unpacked by default.

reformime is not able to handle any message where the mail header contains
a MIME Content-Type header followed by whitespace indented header lines,
e.g.

    Content-Type: multipart/mixed; boundary="bound"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.50.4522.1300
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1300

Therefore /var/tmp/scanmails<pid>/unpacked is empty and no known virus/worm
will be detected by the used virus scanner(s).

2. Impact

It is possible that the W32/Aliz worm is not detected and an infected eMail
is delivered to the user.

NOTE: metamail is able to handle such mails correctly, but fails to handle
multipart/alternative messages (in some cases?). Please see the AMaViS
Security Announcement 2000-1 for details. It seems only ripMIME currently
works in both cases, too.

3. Solution

We strongly recommend to upgrade to amavis-perl/amavisd, as the development
of AMaViS 0.2.x branch has been discontinued since July, 2001
(http://marc.theaimsgroup.com/?l=amavis-announce&m=99530451203949&w=2)

As upgrading could be a big step which takes some time, please use the
following workaround/fix:

1. Grab the latest ripMIME from
   http://www.pldaniels.com/ripmime/#downloads
2. Install it
3. Open /usr/sbin/scanmails in your favorite editor and
   3.1 search for the line
           metamail=<path/binary>
       in the configuration section of the scanmails script.
       Change this to the location of ripmime, i.e. to
           metamail=/usr/local/bin/ripmime
   3.2 Search for the following line
           ${metamail} -x ${tmpdir}/unpacked/ < ${tmpdir}/receivedmail > /dev/null 2>&1
       Change this to
           ${metamail} -d ${tmpdir}/unpacked/ -i ${tmpdir}/receivedmail > /dev/null 2>&1
4. Save the file
5. Generate a test message with the EICAR Test-File-Virus
   (http://www.eicar.com/anti_virus_test_file.htm) to check if ripMIME
   is configured correctly within the scanmails script.

4. Acknowledgement

We would like to thank Ger Donohue, Mark Martinec and Enrico Binder for
reporting this problem to us and everyone who sent us mail samples to
reproduce it.

5. References

http://www.linux.ie/pipermail/ilug/2001-November/039609.html
http://sourceforge.net/tracker/index.php?func=detail&aid=484273&group_id=6006&atid=106006
http://sourceforge.net/tracker/index.php?func=detail&aid=484522&group_id=6006&atid=106006
http://marc.theaimsgroup.com/?t=100643616600009&w=2&r=1
http://marc.theaimsgroup.com/?l=amavis-user&m=100644967914633&w=2
http://www.amavis.org/security/asa-2000-1.txt
http://www.amavis.org/

6. Revision History

22/11/2001: Initial release
23/11/2001: Solution section updated
            Re-issued as the script is /usr/sbin/scanmails
===========================================================================

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: Rainer L. <li...@su...> - 2001-11-23 12:50:52
On Fri, 23 Nov 2001, Rainer Link wrote:

> 3. Open /usr/sbin/amavis in your favorite editor and

This should be /usr/sbin/scanmails of course! Thanks to Christian for
pointing this out. I'm sorry. To avoid confusion, I'll re-issue this ASA.

best regards,
Rainer Link (SuSE Labs)

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: Rainer L. <li...@su...> - 2001-11-23 12:01:43
===========================================================================
AMaViS Security Announcement                             Date: 23/11/2001

affected version(s):  AMaViS-0.2.1, if reformime is used
                      amavis-perl/amavisd is _not_ affected
Vulnerability Type:   eMail worm W32/Aliz may not be detected in all cases
Priority:             urgent
Solution:             upgrade to amavis-perl/amavisd
                      use ripMIME instead
Author:               Rainer Link <li...@su...>
                      Lars Hecking <lhe...@us...>
Advisory ID:          ASA-2001-1
Status:               author of reformime contacted - no reply yet
----------------------------------------------------------------------------

1. Problem description

AMaViS uses reformime to split an eMail message into parts, i.e. the mail
body and the attachment file(s). The file(s) are written to the directory
/var/tmp/scanmails<pid>/unpacked by default.

reformime is not able to handle any message where the mail header contains
a MIME Content-Type header followed by whitespace indented header lines,
e.g.

    Content-Type: multipart/mixed; boundary="bound"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.50.4522.1300
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1300

Therefore /var/tmp/scanmails<pid>/unpacked is empty and no known virus/worm
will be detected by the used virus scanner(s).

2. Impact

It is possible that the W32/Aliz worm is not detected and an infected eMail
is delivered to the user.

NOTE: metamail is able to handle such mails correctly, but fails to handle
multipart/alternative messages (in some cases?). Please see the AMaViS
Security Announcement 2000-1 for details. It seems only ripMIME currently
works in both cases, too.

3. Solution

We strongly recommend to upgrade to amavis-perl/amavisd, as the development
of AMaViS 0.2.x branch has been discontinued since July, 2001
(http://marc.theaimsgroup.com/?l=amavis-announce&m=99530451203949&w=2)

As upgrading could be a big step which takes some time, please use the
following workaround/fix:

1. Grab the latest ripMIME from
   http://www.pldaniels.com/ripmime/#downloads
2. Install it
3. Open /usr/sbin/amavis in your favorite editor and
   3.1 search for the line
           metamail=<path/binary>
       in the configuration section of the amavis script.
       Change this to the location of ripmime, i.e. to
           metamail=/usr/local/bin/ripmime
   3.2 Search for the following line
           ${metamail} -x ${tmpdir}/unpacked/ < ${tmpdir}/receivedmail > /dev/null 2>&1
       Change this to
           ${metamail} -d ${tmpdir}/unpacked/ -i ${tmpdir}/receivedmail > /dev/null 2>&1
4. Save the file
5. Generate a test message with the EICAR Test-File-Virus
   (http://www.eicar.com/anti_virus_test_file.htm) to check if ripMIME
   is configured correctly within the amavis script.

4. Acknowledgement

We would like to thank Ger Donohue, Mark Martinec and Enrico Binder for
reporting this problem to us and everyone who sent us mail samples to
reproduce it.

5. References

http://www.linux.ie/pipermail/ilug/2001-November/039609.html
http://sourceforge.net/tracker/index.php?func=detail&aid=484273&group_id=6006&atid=106006
http://sourceforge.net/tracker/index.php?func=detail&aid=484522&group_id=6006&atid=106006
http://marc.theaimsgroup.com/?t=100643616600009&w=2&r=1
http://marc.theaimsgroup.com/?l=amavis-user&m=100644967914633&w=2
http://www.amavis.org/security/asa-2000-1.txt
http://www.amavis.org/

6. Revision History

22/11/2001: Initial release
23/11/2001: Solution section updated
===========================================================================

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

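The failure described in both postings of ASA-2001-1 is fail-open: an empty unpacked directory gets scanned and the message passes as clean. As an added example (not part of scanmails or of the advisory), the shell functions below hold a message whenever the unpacker wrote fewer files than the message's own headers declare. The function names, the "hold" policy, the assumption that an unpacker writes at least one file per top-level part, and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example, not scanmails code. Names, policy and sample are assumptions.

# Print the Content-Type header of message file $1 with whitespace-indented
# continuation lines joined back onto it (RFC 822 header folding).
content_type() {
    tr -d '\r' < "$1" | awk '
        /^$/     { exit }                          # blank line ends the header
        /^[ \t]/ { sub(/^[ \t]+/, " "); cur = cur $0; next }
                 { if (tolower(cur) ~ /^content-type:/) { print cur; hit = 1; exit }
                   cur = $0 }
        END      { if (!hit && tolower(cur) ~ /^content-type:/) print cur }'
}

# Print how many top-level parts message $1 declares, counted as
# "--boundary" delimiter lines. Prints 0 for a non-multipart message.
declared_parts() {
    b=$(content_type "$1" | sed -n 's/.*[Bb]oundary="\{0,1\}\([^";]*\).*/\1/p')
    [ -n "$b" ] || { echo 0; return; }
    tr -d '\r' < "$1" | awk -v d="--$b" '$0 == d { n++ } END { print n + 0 }'
}

# Print how many regular files the MIME unpacker left below directory $1.
count_parts() {
    find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Print "scan" when the unpacker output is plausible, otherwise "hold":
# nothing unpacked, or fewer files than declared parts, is an unpacker
# failure and must never be reported as "no virus found".
unpack_verdict() {
    have=$(count_parts "$2")
    want=$(declared_parts "$1")
    if [ "$have" -eq 0 ] || [ "$have" -lt "$want" ]; then
        echo hold
    else
        echo scan
    fi
}

# Constructed sample: Content-Type followed by a whitespace-indented line,
# two body parts, written to file $1.
make_sample() {
    {
        printf '%s\n' 'From: sender@example.org' 'Content-Type: multipart/mixed;'
        printf '\t%s\n' 'boundary="bound"'
        printf '%s\n' 'X-Priority: 3' '' \
            '--bound' 'Content-Type: text/plain' '' 'hello' \
            '--bound' 'Content-Type: application/octet-stream' '' 'DATA' \
            '--bound--'
    } > "$1"
}

# Demo: the unpack directory starts empty, as in the advisory.
work=$(mktemp -d)
make_sample "$work/receivedmail"
mkdir "$work/unpacked"
echo "header:   $(content_type "$work/receivedmail")"
echo "declared: $(declared_parts "$work/receivedmail") part(s)"
echo "verdict:  $(unpack_verdict "$work/receivedmail" "$work/unpacked")"
rm -rf "$work"
```

In a scanmails-style wrapper the check would sit between the unpack step and the scanner call, with "hold" routed to the same quarantine path as a positive scan result.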
From: Rainer L. <li...@su...> - 2001-10-29 23:24:31
Hi!

FYI, updated RPMs of amavis-sendmail and amavis-postfix for SuSE Linux 7.3
are available. I'd suggest using the YOU (YaST Online Update), but grabbing
them from our ftp-server
(ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/) and installing them
works, of course, too. This update is recommended.

Sorry for any inconvenience.

best regards,
Rainer Link

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: Rainer L. <li...@su...> - 2001-08-24 18:29:07
Hi!

I know some exim folks are subscribed here :-) I really appreciate any
comments on using a system filter. What are the pros/cons compared to the
current setup? Is it really needed to re-submit a message when using a
system filter?

(hopefully I will be able to give it a try myself over the weekend ...)

Thanks a lot!

best regards,
Rainer Link

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

---------- Forwarded message ----------
Date: Sat, 18 Aug 2001 00:38:57 +0900
From: SONE Takeshi <ts...@ts...>
To: Dan Egli <eg...@ya...>
Cc: ama...@li..., exi...@ex...
Subject: Re: [AMaViS-user] exim system filter?

On Thu, Aug 16, 2001 at 09:57:20AM -0600, Dan Egli wrote:
> If you know how, go ahead and post it. In the mean time, directors and
> routers work.

I'm not an experienced Exim/AMaViS hacker, but my first attempt looks
working ok.

In the MAIN CONFIGURATION of exim.conf:

    # AMaViS filter
    message_filter = /etc/exim/amavis_filter
    message_filter_pipe_transport = amavis_pipe
    message_filter_user = amavis

In the TRANSPORTS CONFIGURATION:

    # AMaViS filter pipe transport
    amavis_pipe:
      driver = pipe
      path = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
      current_directory = "/var/amavis"

Finally, the system filter file, /etc/exim/amavis_filter is very simple:

    # Exim filter
    if $received_protocol is not "scanned-ok"
    then
      pipe "/usr/sbin/amavis <$sender_address> $recipients"
    endif

(Also, I added amavis to trusted_user.)

(I posted a mail from remote host to two remote recipients.)

    2001-08-18 00:07:50 15XlDy-0001rn-00 <= ts...@ts... H=arndok.tsn.or.jp [202.217.183.35] U=mail P=esmtp S=678 id=200...@ts...
    2001-08-18 00:07:50 15XlDy-0001rn-00 original recipients ignored (message_filter)
    2001-08-18 00:07:51 15XlDz-0001ry-00 <= ts...@ts... U=amavis P=scanned-ok S=905 id=200...@ts...
    2001-08-18 00:07:51 15XlDy-0001rn-00 => |/usr/sbin/amavis <$sender_address> $recipients <message filter> T=amavis_pipe
    2001-08-18 00:07:51 15XlDy-0001rn-00 Completed
    2001-08-18 00:07:51 15XlDz-0001ry-00 == ts...@cm... T=remote_smtp defer (-1): domain matches queue_smtp_domains, or -odqs set
    2001-08-18 00:07:51 15XlDz-0001ry-00 == ts...@ts... T=remote_smtp defer (-1): domain matches queue_smtp_domains, or -odqs set
    2001-08-18 00:08:01 Start queue run: pid=7202
    2001-08-18 00:08:01 15XlDz-0001ry-00 => ts...@ts... R=lookuphost T=remote_smtp H=ki-ki.tsn.or.jp [202.217.183.34]
    2001-08-18 00:08:07 15XlDz-0001ry-00 => ts...@cm... R=lookuphost T=remote_smtp H=kky.cma.co.jp [202.217.183.2]
    2001-08-18 00:08:07 15XlDz-0001ry-00 Completed
    2001-08-18 00:08:07 End queue run: pid=7202

(This Exim is configured to defer all remote SMTP connections,
queue_smtp_domains = *).

I would like comments from serious Exim and/or AMaViS hackers.

Thanks.
--
Takeshi

From: Rainer L. <li...@su...> - 2001-08-16 15:39:00
Hi!

If you're using the sendmail relay hack (successfully) would you be kind
enough to send me your configuration, i.e.

- which version of amavis _exactly_
- which version of sendmail
- permissions of /usr/sbin/sendmail, /var/spool/mqamavis,
  /var/spool/mqueue, /var/amavis, /var/virusmails
- _all_ changes to your sendmail config (sendmail.cf), such as Mamavis
  (or RunAs, DefaultUser stuff, if used)
- which OS exactly (i.e SuSE Linux 7.0, RedHat 7.0, Sun Solaris 8)

Background: I used the sendmail relay hack in the past successfully on my
SuSE systems with sendmail 8.9.3 and 8.11.x (amavis 0.2.1 and
amavis-perl-10, IIRC), before I switched to sendmail-milter and postfix.
The configuration I used is described in README.sendmail (esp. the example
configuration section). But, well, it's a hack, and a lot of ppl complained
in the past about it ("it simply does not work - I've tried several
configs/permissions"). Unfortunately, my time is simply too limited to dig
into it :-(

Either I/we can manage to improve README.sendmail, so ppl are able to get
it working or I'll remove the sendmail relay hack completely for the next
release.

Thanks a lot for your participation and input!

best regards,
Rainer Link

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: Lars H. <lhe...@us...> - 2001-08-13 13:00:50
Hi all.

We have now set up a repository for contributed software, patches etc. It
can be reached at http://www.amavis.org/contrib/ (only), and there is also
a link to it from the main page.

No funky html index page yet, but I would like to ask everyone to review
0README. If some of the software is outdated, but a web page is available
(Furio?), I would simply add the link instead of keeping an up-to-date
copy.

All contributions are welcome!

From: Rainer L. <li...@su...> - 2001-07-16 17:24:17
The development of the AMaViS 0.2.x branch (the shell script version) has
been officially discontinued, as no AMaViS Developer works on it and/or
uses it. Moreover, our time is simply too limited to work on several
branches.

Therefore the last official release is AMaViS 0.2.1, although I was working
on an AMaViS 0.2.2 release months ago, which is checked into CVS. Please
see
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/amavis/amavis/ChangeLog?rev=1.18&content-type=text/vnd.viewcvs-markup&only_with_tag=MAIN
for details.

NOTE: The CVS stuff is broken, esp. the sendmail part. I have not had the
time in the past months to fix it. If anyone is willing to take over
maintainership, please raise your hand :-)

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: Rainer L. <li...@su...> - 2001-07-15 14:54:52
amavisd-smtp is a spin-off from the regular amavisd-branch. It was
originally developed for a SuSE Business Product, but the decision was not
to use amavisd-smtp for this product. Therefore I've decided to release it
to the public yet, although it's not that well tested and some planned
features are missing (and some "FIXMEs" are still in the code).

The requirements for amavisd-smtp were:

* full support of postfix content filtering API (advanced content
  filtering example) - amavisd-smtp receives and sends mail via SMTP.
* a real config-file (and not a perl-script *g*) - amavisd.conf is now in
  Ini-style format
* virus scanner code is included at run-time (required to be able to
  change used virus-scanners via web interface)
* web-based administration, for this purpose it comes with amavisconf
  (similar to postconf). The admin interface is not included, as it
  depends (heavily) on stuff developed by SuSE and it's not GPL'ed.

What's missing (originally on my TODO list):

* content filtering support
* graphical stats, i.e. for Top 10 viruses
* more modular design

As amavisd-smtp is no longer an official SuSE project, my time will be
somewhat limited to work on it (other stuff on my general TODO list has a
higher prio) and I'm not sure if I'll add the missing features mentioned
above.

amavisd-smtp is in sync with the latest amavisd-snapshot release.

Please keep in mind this is an _EXPERIMENTAL_ release - anyone is welcome
"to play with it". Please _DO NOT_ use it for production environments!

For details please read the ChangeLog within the package. Instruction
details for postfix can be found in README.postfix.

You can grab the source tarball at
ftp://ftp.suse.com/pub/people/link/amavis/amavisd-smtp/

Currently no (S)RPMs available yet.

Feedback is welcome.

Have fun :-)

best regards,
Rainer Link

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: Rainer L. <li...@su...> - 2001-07-14 18:34:23
New (S)RPMs of the new amavisd-snapshot for sendmail/postfix are available
at:

ftp://ftp.suse.com/pub/people/link/amavis/SuSE/7.2/sendmail/
ftp://ftp.suse.com/pub/people/link/amavis/SuSE/7.2/postfix/

Please read the provided INSTALL.TXT and README.SuSE within the package(s)
carefully. Feedback is welcome, any packaging issue should be reported
directly to me. Thanks.

If you do not use H+B EDV AntiVir, please edit /etc/amavisd.conf.

Have fun :-)

best regards,
Rainer Link

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: Lars H. <lhe...@us...> - 2001-07-14 17:51:33
The second public snapshot of amavisd is now available. amavisd is the
daemonised version of amavis-perl.

http://www.amavis.org/
http://sourceforge.net/projects/amavis/

amavis-snapshot-20010714

* bugfix for daemon parent blocking
* support for sendmail 8.12 milter
* proper handling of lha archives created under DOS
* drop requirement for file command to be brief
  NB.: amavis still requires a file command that recognises TNEF files!
* decompress zip files only the compression method is supported; leave
  other archives to the virus scanner (this is open to debate)

From: Rainer L. <li...@su...> - 2001-06-07 13:07:41
Hi!

A known bugs list / FAQ for amavis-perl & amavisd is available at
http://www.amavis.org/amavis-faq.php3

Please check this page first before posting to amavis-user. Any
contributions to this page are welcome. Thanks!

best regards,
Rainer Link

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: Rainer L. <li...@su...> - 2001-06-07 12:24:24
[ NOTE: http://www.amavis.org/amavis-user-guidelines.php3 ]

Some guidelines for the amavis-user mailing list. Loosely based on
http://www.openbsd.org/mail.html.

Netiquette
----------

Be considerate of other subscribers on the mailing list.

Plain text, 72 characters per line
  Many subscribers read their mail on text-based mailers (mail(1), emacs)
  and they find HTML-formatted messages, or lines that stretch beyond 72
  characters often unreadable.

Do your homework before you post
  If you have an installation question, make sure that you have read the
  relevant documents such as the README and README.* text files in the top
  level directory of the source distribution. The mailing list archive is
  also a valuable resource.

Include a useful Subject line
  Including a relevant Subject in the message will ensure that more people
  actually read what you've written. Also, avoid Subject lines with
  excessive capitalization.

Trim your signature
  Keep the signature lines at the bottom of your mail to a reasonable
  length. Posts are rarely critical enough to warrant a PGP signature, and
  those automatic address cards are merely annoying.

Stay on topic
  Please keep the subject of the post relevant to users of AMaViS.

Technical
---------

The active AMaViS development team is quite small. To make sure that all
problem reports can be processed efficiently, please provide all necessary
information in the initial report:

- version of amavis
- version of MTA
- MTA config details
- log file evidence
- other useful information, depending on the nature of the problem (OS,
  AV software, configure output etc.)

Please do not send private email to the AMaViS developers. Even if you
think the request or information is hardly relevant for the mailing list,
others might find it useful.

From: Lars H. <lhe...@us...> - 2001-04-09 12:35:48
http://www.amavis.org/
http://sourceforge.net/projects/amavis/

From: Rainer L. <li...@su...> - 2000-12-11 21:04:46
===========================================================================
AMaViS Security Announcement                             Date: 12/11/2000

affected version(s):  AMaViS-Perl below AMaViS-Perl-10
Vulnerability Type:   script viruses (i.e. vbs worms) may not be detected
Priority:             urgent
Solution:             upgrade to AMaViS-Perl-10
Author:               Lars Hecking <lhe...@nm...>
                      Rainer Link <li...@su...>
Advisory ID:          ASA-2000-5
---------------------------------------------------------------------------

1. Problem description

AMaViS-Perl uses a Perl module to decode (uudecode/xxdecode or binhex)
every file which is recognised by file(1) as ASCII, text, uuencode,
xxencode or binhex. If a (ASCII, text) file is _not_ encoded, the resulting
file is zero bytes long and the original file will be deleted as usual as
AMaViS-Perl fails to detect this error case. Therefore the virus itself
will be deleted.

2. Impact

Obvious. This bug can let script viruses go undetected.

3. Solution

Upgrade to AMaViS-Perl-10.

4. Acknowledgement

This bug was discovered accidentally by Lars Hecking.

5. References

https://sourceforge.net/projects/amavis/
http://www.amavis.org/

6. Revision History

12/11/2000: initial release
===========================================================================

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: Lars H. <lhe...@us...> - 2000-12-07 18:46:58
A potential hole for script viruses as well as a few problems with
configure were fixed. Details at
http://sourceforge.net/project/shownotes.php?release_id=17815

From: Lars H. <lhe...@us...> - 2000-11-24 11:35:03
Go here for details:
http://sourceforge.net/project/shownotes.php?release_id=16807

From: Rainer L. <li...@su...> - 2000-10-31 17:43:47
Hi!

Finally AMaViS 0.2.1 is out. We fixed the improper handling of TNEF files,
added some hints for M4 stuff (not for the sendmail relay hack) and fixed
those warning messages which appeared in the qmail log. If a virus scanner
seems to be broken, it's reported now in the log file. We've updated the
documentation, too. For details please check the ChangeLog file.

As a personal note, I would like to thank everyone who fed us with patches,
bug reports and feedback. Last but not least SuSE Germany for funding my
work.

Btw, if anyone is interested in translating the documentation into his
native language, please drop me a note.

best regards,
Rainer Link

--
Rainer Link  | SuSE - The Linux Experts
li...@su...  | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)

From: <lhe...@us...> - 2000-10-24 18:18:47
As the subject says. See
http://sourceforge.net/project/shownotes.php?group_id=6006&release_id=14474
for details.

From: Rainer L. <li...@su...> - 2000-09-23 19:02:24
Hi everyone!

We just released AMaViS 0.2.1-pre3. It should fix some bugs reported to us
in the past weeks and hopefully does not break anything. Here is the
ChangeLog ...

2000-09-23  Rainer Link <li...@su...>

  * README.scanners: Updated for Sophos sweep 3.37.
    Added update scripts provided by AMaViS users
    added section "return codes" (cut&paste out of scanmails.in)

  * README.exim: fixed some typos

  * README.sendmail: added example configuration for sendmail 8.11

  * README.reformime: Updated

  * README.postfix: Updated

  * doc/: amavis.html, amavis.txt:
    * updated (broken?) links so far
    * documentation does not actually match 0.2.1, yet
    * still on TODO:
      - describe links provided
      - add to "in the press"
      - fix all that is still missing
      - point to various README.*

  * doc/amavis.png: new logo in PNG format

  * doc/amavis.gif: replaced amavis.gif with amavis.png
    this image does no longer contain a version number

  * configure.in:
    bugfix: AvpDaemonTst was not detected by configure
    configure stops if the "file" binary is not installed
    Added hint to read README.metamail/README.reformime if neither
    metamail nor reformime is installed
    added check if metamail 1.0 or below is used

  * src/scanmails/scanmails.in:
    improved detection for uuencoded mails (if sent inline)
    moved information about return values for the used scanners
    (moved to README.scanners)
    improved unpacking stuff a bit
    extract uuencoded file(s) if sent inline
    improved handling of self-extracting files a bit
    improved handling of uuencoded files a bit
    check the return value of AvpDaemonClient for 4 and 5
    fixed a minor issue with postfix
    Added -i to sendmail relay and postfix when delivering back the
    eMail to avoid potential mail loss
    improved postfix support

  * NEWS: updated

  * README: updated to release 0.2.1-pre3

  * Released 0.2.1-pre3

best regards,
Rainer Link

--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/

From: Rainer L. <li...@su...> - 2000-08-02 20:12:18
===========================================================================
AMaViS Security Announcement                             Date: 08/02/2000

affected version(s):  AMaViS-Perl
                      AMaViS-0.2.1-pre1 / -pre2
                      AMaViS-0.2.0-pre6-clm-rl-8-12-06-2000 and later
Vulnerability Type:   AMaViS can lose parts of email messages
Priority:             urgent
Solution:             apply patch
Author:               Lars Hecking <lhe...@nm...>
                      Rainer Link <li...@su...>
Advisory ID:          ASA-2000-4
---------------------------------------------------------------------------

1. Problem description

In some configurations, e.g. relay type setups, scanmails (AMaViS) and
amavis (AMaViS-Perl) is using sendmail or other MTA's sendmail wrappers to
reinject scanned emails back into the mail system.

If an email message contains a single dot on a line by itself, the sendmail
program/wrapper will truncate that message at the dot, as amavis/scanmails
fails to call sendmail with the "IgnoreDots" cmd line option (-i).

In detail:

AMaViS (scanmails) used with the following MTAs:
* sendmail, scanmails is called via Mlocal: NOT affected
* sendmail (relay setup): affected
* postfix: affected
* exim: NOT affected

AMaViS-Perl (amavis) used with the following MTAs:
* sendmail, amavis is called via Mlocal: NOT affected
* postfix (relay setup): affected
* postfix with procmail: NOT affected
* qmail: NOT affected

2. Impact

Obvious. All parts of an email message after and including a solitary dot
are lost. This problem affects all setups where mail leaves amavis through
sendmail or a sendmail-compatible wrapper. In particular, all dual-postfix
setups as described in AMaViS-Perl's README.postfix are affected. The same
is valid to AMaViS's README.postfix and AMaViS's README.sendmail.

3. Solution

3.1 AMaViS-Perl

Locate the following code in the amavis-perl script

    if ($LDA eq "$sendmail_wrapper") {
        unshift(@LDAARGS, "-f");
    } else {
        @LDAARGS = ();
    }

and change it to

    if ($LDA eq "$sendmail_wrapper") {
        unshift(@LDAARGS, "-f");
        unshift(@LDAARGS, "-oi ");
    } else {
        @LDAARGS = ();
    }

3.2 All non-perl versions of AMaViS

Apply the attached patch to the scanmails script. It should apply ok with
more or less fuzz.

4. Acknowledgement

I discovered this by accident after receiving a mail message on the
postfix-users mailing list which quoted more parts of another message than
I remembered getting. Rainer Link provided the patch for scanmails.

5. References

https://sourceforge.net/projects/amavis/
http://amavis.org/

6. Revision History

08/02/2000: initial release
08/02/2000: some changes
===========================================================================

--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/

From: Lars H. <lhe...@nm...> - 2000-08-02 18:33:44
|
===========================================================================
AMaViS Security Announcement

Date:                  08/02/2000
affected version(s):   all releases of AMaViS including amavis-perl
Vulnerability Type:    amavis can lose parts of email messages
Priority:              urgent
Solution:              apply patch
Author:                Lars Hecking <lhe...@nm...>
Advisory ID:           ASA-2000-4
---------------------------------------------------------------------------

1. Problem description

In some configurations, e.g. relay type setups, scanmails/amavis is using
sendmail or other MTA's sendmail wrappers to reinject scanned emails back
into the mail system.

If an email message contains a single dot on a line by itself, the
sendmail program/wrapper will truncate that message at the dot, as
amavis/scanmails fails to call sendmail with the "IgnoreDots" cmd line
option (-i).

2. Impact

Obvious. All parts of an email message after and including a solitary
dot are lost.

This problem affects all setups where mail leaves amavis through sendmail
or a sendmail-compatible wrapper. In particular, all dual-postfix setups
as described in amavis-perl's README.postfix are affected.

3. Solution

3.1 amavis-perl

Locate the following code in the amavis-perl script

    if ($LDA eq "$sendmail_wrapper") {
        unshift(@LDAARGS, "-f");
    } else {
        @LDAARGS = ();
    }

and change it to

    if ($LDA eq "$sendmail_wrapper") {
        unshift(@LDAARGS, "-f");
        unshift(@LDAARGS, "-oi ");
    } else {
        @LDAARGS = ();
    }

3.2 All non-perl versions of amavis

Apply the attached patch to the scanmails script. It should apply ok
with more or less fuzz.

4. Acknowledgement

I discovered this by accident after receiving a mail message on the
postfix-users mailing list which quoted more parts of another message
than I remembered getting.

Rainer Link provided the patch for scanmails.

5. References

https://sourceforge.net/projects/amavis/

6. Revision History

08/02/2000: initial release
===========================================================================
|
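The truncation described in ASA-2000-4 can be reproduced without an MTA. The block below is an added illustration, not code from AMaViS or from the advisory: read_from_stdin is a simplified model of a sendmail-compatible command reading a message on standard input, and reinject_args and lost_lines are hypothetical helpers; the sample message is constructed.

```python
"""Model of the lone-dot truncation from ASA-2000-4 (added example)."""

# Constructed sample message: the body contains a line holding only ".".
MESSAGE = (
    "From: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: quoted text\n"
    "\n"
    "First paragraph.\n"
    ".\n"
    "Second paragraph, lost without -i.\n"
)


def read_from_stdin(text, ignore_dots):
    """Simplified model of a sendmail-compatible command reading a message.

    Without -i (or -oi) a line consisting of a single dot ends the input,
    so that line and everything after it is dropped.
    """
    kept = []
    for line in text.splitlines(keepends=True):
        if not ignore_dots and line.rstrip("\r\n") == ".":
            break
        kept.append(line)
    return "".join(kept)


def reinject_args(sender, recipients, base_args=()):
    """Hypothetical helper: build the argument list used for reinjection.

    -i is prepended unless -i or -oi is already among the arguments.
    """
    args = list(base_args)
    if "-i" not in args and "-oi" not in args:
        args.insert(0, "-i")
    return args + ["-f", sender] + list(recipients)


def lost_lines(original, delivered):
    """Return the trailing lines of `original` missing from `delivered`."""
    sent = original.splitlines()
    got = delivered.splitlines()
    return sent[len(got):]


if __name__ == "__main__":
    truncated = read_from_stdin(MESSAGE, ignore_dots=False)
    print("lost without -i:", lost_lines(MESSAGE, truncated))
    print("argv:", reinject_args("alice@example.org", ["bob@example.org"]))
```

Comparing the line count of the scanned message with what reaches the mailbox, as lost_lines does, is a cheap regression check for any setup that reinjects through a sendmail wrapper.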
From: Rainer L. <li...@su...> - 2000-07-29 17:45:37
|
===========================================================================
AMaViS Security Announcement

Date:                  07/29/2000
affected version(s):   AMaViS 0.2.1-pre1 if metamail is used
Vulnerability Type:    AMaViS is configured with the wrong switches
                       for metamail / no mail splitting,
                       no virus detection possible
Priority:              urgent
Solution:              checkout latest sources from CVS or
                       download at least configure.in from
                       cvsweb.amavis.org
Author:                Rainer Link <li...@su...>
Advisory ID:           ASA-2000-3
---------------------------------------------------------------------------

1. Problem description

AMaViS 0.2.1-pre1 uses either metamail or reformime to split an eMail
message into its parts, which will be saved in
/var/tmp/scanmails<pid>/unpacked.

Due to a stupid bug AMaViS will use the run-time switches for reformime
although metamail is used.

Here is a short explanation why this happens:

./configure will detect metamail, create config.cache and create
src/scanmails/scanmails correctly, this means metamail is used and the
correct run-time flags for metamail, too.

make calls ./configure --recheck, configure uses for speed reasons the
cached variables, but the check if metamail or reformime is used fails
now. Therefore src/scanmails/scanmails is created for use with metamail
*but* with the run-time flags for reformime.

2. Impact

As AMaViS (scanmails) uses the wrong run-time parameters, a mail is not
split and /var/tmp/scanmails<pid>/unpacked is *always* empty. Therefore
no virus will be detected at all.

3. Solution

Either checkout the latest sources from our CVS server at
http://sourceforge.net/projects/amavis/ or download at least configure.in
from http://cvsweb.amavis.org/. The direct link is
http://cvs.sourceforge.net/cgi-bin/cvsweb.cgi/~checkout~/amavis/configure.in?rev=1.9&content-type=text/plain&cvsroot=amavis

If you download only configure.in, please do a ./reconf (it may give you
three warnings, but they can be ignored).

Remove config.cache, if this file does exist. Then re-run ./configure
with the configure options you need and do a make && make install.

NOTE: After every update of either AMaViS or used virus scanner(s),
please test if everything works correctly by sending a mail with the
EICAR testfile virus, which can be found at
http://www.eicar.com/anti_virus_test_file.htm

4. Acknowledgment

I would like to thank Tilo Lutz who first reported to us that no virus
was discovered when metamail is used.

As this was my bug, I apologize for any inconveniences.

5. References

6. Revision History

07/29/2000: initial release
===========================================================================

--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
|
From: Rainer L. <li...@su...> - 2000-07-27 15:31:34
|
===========================================================================
AMaViS Security Announcement

Date:                  07/27/2000
affected version(s):   AMaViS 0.2.0-pre6-clm-rl-8-04-07-2000 and later
                       if reformime below 1.01 is used
                       (AMaViS-Perl is NOT affected)
Vulnerability Type:    attacker could pass virus through AMaViS /
                       Denial-of-Service attack against AMaViS
Priority:              urgent
Solution:              apply patch / update reformime
Author:                Rainer Link <li...@su...>
Advisory ID:           ASA-2000-2
---------------------------------------------------------------------------

1. Problem description

AMaViS uses reformime, part of the maildrop package, to split eMail
messages into their parts.

reformime versions below 1.0 (tested with 0.76b) overwrite files with the
same file names.

reformime version 1.0 tries to avoid overwriting files but a bug causes
an endless loop.

2. Impact

reformime below 1.0: an attacker can create an eMail message with two
attachments with the same file name. The first file contains a virus, the
second one is clean. reformime overwrites the first one with the second.
Therefore no virus is detected and the mail will be delivered to user(s).

reformime 1.0 tries to avoid clobbering of existing files but due to a
bug it will end up in an endless loop. This could be used as a
denial-of-service attack against AMaViS.

3. Solution

Apply the provided patch for reformime 1.0.

Or update to maildrop 1.01, which will be released soon according to the
author.

Or if possible use AMaViS-Perl instead, which uses a Perl module for MIME
handling.

4. Acknowledgment

This bug was discovered by Rainer Link. We would like to thank Sam
Varshavchik, the author of maildrop, for providing a patch quickly.

5. References

reformime, part of the maildrop package, can be found at
http://www.flounder.net/~mrsam/maildrop/

6. Revision History

07/27/2000: initial release
===========================================================================

--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
|
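The overwrite problem from ASA-2000-2, as an added example that is not reformime's or AMaViS's code: the same constructed two-attachment message is unpacked once with sender-chosen names and once with names numbered by part position. MARKER, unpack, scan and run are hypothetical names, and Python's email package stands in for the MIME splitter. Numbering by position needs no search for a free name, so it cannot loop.

```python
"""Duplicate attachment names: overwrite vs. unique names (added example)."""
import email
import os
import tempfile

MARKER = b"CONSTRUCTED-TEST-MARKER"   # stands in for a scanner signature

# Constructed message: two attachments share the name "report.doc";
# only the first one carries the marker.
RAW = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="report.doc"\n'
    "\n"
    "CONSTRUCTED-TEST-MARKER\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="report.doc"\n'
    "\n"
    "harmless text\n"
    "--b1--\n"
)


def unpack(raw, outdir, unique_names):
    """Write every leaf part of `raw` into `outdir`; return the paths written."""
    written = []
    msg = email.message_from_string(raw)
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        # Keep only the base name so a sender-chosen path cannot leave outdir.
        name = os.path.basename(part.get_filename() or "part") or "part"
        if unique_names:
            name = "%03d-%s" % (index, name)
        path = os.path.join(outdir, name)
        # "xb" refuses to overwrite; "wb" silently replaces an earlier part.
        with open(path, "xb" if unique_names else "wb") as handle:
            handle.write(part.get_payload(decode=True) or b"")
        if path not in written:
            written.append(path)
    return written


def scan(paths):
    """Toy scanner: return the files that contain MARKER."""
    hits = []
    for path in paths:
        with open(path, "rb") as handle:
            if MARKER in handle.read():
                hits.append(path)
    return hits


def run(unique_names):
    """Unpack RAW into a fresh directory; return (files written, hits)."""
    with tempfile.TemporaryDirectory() as outdir:
        paths = unpack(RAW, outdir, unique_names)
        return len(paths), len(scan(paths))


if __name__ == "__main__":
    print("sender-chosen names:", run(unique_names=False))
    print("numbered names:     ", run(unique_names=True))
```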
From: Rainer L. <li...@su...> - 2000-07-27 15:28:18
|
==========================================================================
AMaViS Security Announcement

Date:                  07/27/2000
affected version(s):   all AMaViS releases using metamail, in detail
                       all release versions up to 0.2.0-pre6
                       all release versions 0.2.0-pre6-clm up to
                       0.2.0-pre6-clm-rl-8
                       all CVS version before
                       0.2.0-pre6-clm-rl-8-04-07-2000
                       (AMaViS-Perl is NOT affected)
Vulnerability Type:    some eMail worms (i.e. KAKworm) may not be
                       detected
Priority:              urgent
Solution:              update to latest CVS version, install reformime
Author:                Rainer Link <li...@su...>
Advisory ID:           ASA-2000-1
---------------------------------------------------------------------------

1. Problem description

AMaViS uses metamail to split an eMail message into its parts, i.e. the
mail body and the attachment file(s). The file(s) are written to the
directory /var/tmp/scanmails<pid>/unpacked by default.

As metamail is very old and as it seems not maintained anymore, it is not
able to handle MIME multipart/alternative messages. Such a message
contains a plain ASCII text body part and an HTML body part, which is
created e.g. by Netscape Messenger if "Message Formatting" is set to
"Send the message in plain text and HTML".

Therefore /var/tmp/scanmails<pid>/unpacked is empty and no known
virus/worm will be detected.

2. Impact

It is possible that a known virus/worm is not detected and an infected
eMail is delivered to the user. We got reports that this has happened
with the KAKworm.

3. Solution

Since AMaViS 0.2.0-pre6-clm-rl-8-04-07-2000 it is possible to use
reformime as a replacement for metamail. reformime comes within the
maildrop package. ./configure looks first for reformime, therefore if
it's installed, AMaViS will use it.

Or if possible use AMaViS-Perl instead, which uses a Perl module for MIME
handling.

4. Acknowledgment

I would like to thank Craig Baird who first reported this problem to me
and helped to track it down.

5. References

metamail can be found at ftp://thumper.bellcore.com/pub/nsb/

reformime, part of the maildrop package, can be found at
http://www.flounder.net/~mrsam/maildrop/

To checkout the latest CVS version of AMaViS please visit
http://sourceforge.net/projects/amavis

6. Revision History

07/27/2000: initial release
============================================================================

--
Rainer Link, SuSE GmbH, eMail: li...@su..., Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
|
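ASA-2000-1 and ASA-2000-3 share one failure mode: the splitter leaves the unpack directory empty and the scanner reports nothing. The block below is an added example, not AMaViS code, of a guard that treats an empty or short unpack directory as a splitter failure rather than a clean result. expected_parts, decide and demo are hypothetical names, the message is constructed, and Python's email package is assumed as an independent parser for counting parts.

```python
"""Fail closed when the MIME splitter wrote fewer parts than expected."""
import email
import os
import tempfile

# Constructed multipart/alternative message: a plain-text body and an
# HTML body, the structure ASA-2000-1 says metamail could not split.
RAW = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="alt"\n'
    "\n"
    "--alt\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--alt\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body>hello</body></html>\n"
    "--alt--\n"
)


def expected_parts(raw):
    """Count leaf parts with an independent parser (Python's email package)."""
    msg = email.message_from_string(raw)
    return sum(1 for part in msg.walk() if not part.is_multipart())


def decide(raw, unpack_dir, scan):
    """Return "quarantine", "defer" or "deliver" for one message.

    `scan` is a callable taking a file path and returning True for a hit.
    An empty or short unpack directory counts as a splitter failure,
    never as a clean result.
    """
    files = [os.path.join(unpack_dir, name)
             for name in sorted(os.listdir(unpack_dir))]
    if any(scan(path) for path in files):
        return "quarantine"
    if len(files) < expected_parts(raw):
        return "defer"
    return "deliver"


def demo():
    """Run decide() against an empty and a fully populated directory."""
    def never_hits(path):
        return False

    with tempfile.TemporaryDirectory() as empty, \
            tempfile.TemporaryDirectory() as full:
        for name in ("part1.txt", "part2.html"):
            with open(os.path.join(full, name), "w") as handle:
                handle.write("constructed part\n")
        return decide(RAW, empty, never_hits), decide(RAW, full, never_hits)


if __name__ == "__main__":
    print(demo())
```

A splitter that deliberately skips some parts would need the expected count adjusted; the invariant that matters is that an empty directory is never reported as clean.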