[cvs] SF.net SVN: bogofilter:[6981] trunk
Fast Bayesian spam filter along lines suggested by Paul Graham
Brought to you by:
m-a
From: <m-...@us...> - 2012-12-03 22:45:28
Revision: 6981 http://bogofilter.svn.sourceforge.net/bogofilter/?rev=6981&view=rev Author: m-a Date: 2012-12-03 22:45:21 +0000 (Mon, 03 Dec 2012) Log Message: ----------- Add bogofilter-SA-2012-01 Modified Paths: -------------- trunk/bogofilter/doc/Makefile.am trunk/web/security/index.html Added Paths: ----------- trunk/bogofilter/doc/bogofilter-SA-2012-01 trunk/web/security/bogofilter-SA-2012-01 Modified: trunk/bogofilter/doc/Makefile.am =================================================================== --- trunk/bogofilter/doc/Makefile.am 2012-12-03 22:24:25 UTC (rev 6980) +++ trunk/bogofilter/doc/Makefile.am 2012-12-03 22:45:21 UTC (rev 6981) @@ -39,6 +39,7 @@ bogofilter-SA-2002-01 bogofilter-SA-2004-01 \ bogofilter-SA-2005-01 bogofilter-SA-2005-02 \ bogofilter-SA-2010-01 \ + bogofilter-SA-2012-01 \ integrating-with-postfix \ integrating-with-qmail \ programmer/OS2/configure.os2 \ Added: trunk/bogofilter/doc/bogofilter-SA-2012-01 =================================================================== --- trunk/bogofilter/doc/bogofilter-SA-2012-01 (rev 0) +++ trunk/bogofilter/doc/bogofilter-SA-2012-01 2012-12-03 22:45:21 UTC (rev 6981) 
@@ -0,0 +1,89 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +bogofilter-SA-2012-01 + +Topic: heap corruption overrun in bogofilter/bogolexer + +Announcement: bogofilter-SA-2012-01 +Writer: Matthias Andree +Version: 1.0 +CVE ID: CVE-2012-5468 +Announced: 2012-12-03 +Category: vulnerability +Type: out of bounds write through invalid input +Impact: heap corruption, application crash +Credits: Julius Plenz (FU Berlin, Germany) +Danger: medium +URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01 + +Affected: bogofilter <= 1.2.2 + SVN checkouts before 2012-10-19 UTC (-r6972) + +Not affected: bogofilter 1.2.3 (r6973) and newer + +1. Background +============= + +Bogofilter is a software package for classifying a message as spam or +non-spam. It uses a data base to store words and must be trained +which messages are spam and non-spam. It uses the probabilities of +individual words for classifying the message. + +Note that the bogofilter project is issuing security announcements only +for current "stable" releases, and not necessarily for past "stable" +releases. + +2. Problem description +====================== + +Julius Plenz figured out that bogofilter's/bogolexer's base64 could +overwrite heap memory in the character set conversion in certain +pathological cases of invalid base64 code that decodes to incomplete +multibyte characters. + +3. Impact +========= + +Vulnerable bogofilter/bogolexer applications can corrupt their heap and crash. + +4. Solution +=========== + +Upgrade your bogofilter to version 1.2.3 (or a newer release). + +bogofilter is available from SourceForge: +<https://sourceforge.net/project/showfiles.php?group_id=62265> + + +A. Copyright, License and Warranty +================================== + +(C) Copyright 2012 by Matthias Andree, <mat...@gm...>. +Some rights reserved. + +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). 
+ +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA + + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END of bogofilter-SA-2012-01 +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAlC9KosACgkQvmGDOQUufZUxXwCfdAbd4IgFVkuWmH7z65Wy1TT1 +SiAAoJRLEwWzYXv81dgdtR4jg7uHDrLQ +=gQie +-----END PGP SIGNATURE----- Added: trunk/web/security/bogofilter-SA-2012-01 =================================================================== --- trunk/web/security/bogofilter-SA-2012-01 (rev 0) +++ trunk/web/security/bogofilter-SA-2012-01 2012-12-03 22:45:21 UTC (rev 6981) 
@@ -0,0 +1,89 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +bogofilter-SA-2012-01 + +Topic: heap corruption overrun in bogofilter/bogolexer + +Announcement: bogofilter-SA-2012-01 +Writer: Matthias Andree +Version: 1.0 +CVE ID: CVE-2012-5468 +Announced: 2012-12-03 +Category: vulnerability +Type: out of bounds write through invalid input +Impact: heap corruption, application crash +Credits: Julius Plenz (FU Berlin, Germany) +Danger: medium +URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01 + +Affected: bogofilter <= 1.2.2 + SVN checkouts before 2012-10-19 UTC (-r6972) + +Not affected: bogofilter 1.2.3 (r6973) and newer + +1. Background +============= + +Bogofilter is a software package for classifying a message as spam or +non-spam. It uses a data base to store words and must be trained +which messages are spam and non-spam. It uses the probabilities of +individual words for classifying the message. + +Note that the bogofilter project is issuing security announcements only +for current "stable" releases, and not necessarily for past "stable" +releases. + +2. Problem description +====================== + +Julius Plenz figured out that bogofilter's/bogolexer's base64 could +overwrite heap memory in the character set conversion in certain +pathological cases of invalid base64 code that decodes to incomplete +multibyte characters. + +3. Impact +========= + +Vulnerable bogofilter/bogolexer applications can corrupt their heap and crash. + +4. Solution +=========== + +Upgrade your bogofilter to version 1.2.3 (or a newer release). + +bogofilter is available from SourceForge: +<https://sourceforge.net/project/showfiles.php?group_id=62265> + + +A. Copyright, License and Warranty +================================== + +(C) Copyright 2012 by Matthias Andree, <mat...@gm...>. +Some rights reserved. + +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). 
+ +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA + + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END of bogofilter-SA-2012-01 +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAlC9KosACgkQvmGDOQUufZUxXwCfdAbd4IgFVkuWmH7z65Wy1TT1 +SiAAoJRLEwWzYXv81dgdtR4jg7uHDrLQ +=gQie +-----END PGP SIGNATURE----- Modified: trunk/web/security/index.html =================================================================== --- trunk/web/security/index.html 2012-12-03 22:24:25 UTC (rev 6980) +++ trunk/web/security/index.html 2012-12-03 22:45:21 UTC (rev 6981) 
@@ -21,31 +21,36 @@ <h1>Bogofilter security information</h1> <p>These bogofilter vulnerabilities became known to date (newest - first):</p> + first; bogofilter 1.2.3 fixes all of these):</p> <ul> <li><a + href="bogofilter-SA-2012-01">bogofilter-SA-2012-01/CVE-2012-5468:</a> + bogofilter/bogolexer heap buffer overrun with base64 input that + decodes to invalid multi-byte characters (versions up to and + including 1.2.2). + <li><a href="bogofilter-SA-2010-01">bogofilter-SA-2010-01/CVE-2010-2494:</a> bogofilter/bogolexer heap buffer underrun (1 byte) with invalid - base64 input (versions up to and including 1.2.1)</li> + base64 input (versions up to and including 1.2.1).</li> <li><a href= "bogofilter-SA-2005-02">bogofilter-SA-2005-02/CVE-2005-4592:</a> bogofilter/bogolexer heap buffer overrun with words > 16 - kBytes (version 0.96.2)</li> + kBytes (version 0.96.2).</li> <li><a href= "bogofilter-SA-2005-01">bogofilter-SA-2005-01/CVE-2005-4591:</a> bogofilter/bogolexer heap buffer overrun with invalid input - sequences (0.93.5 ≤ versions ≤ 0.96.2)</li> + sequences (0.93.5 ≤ versions ≤ 0.96.2).</li> <li><a href= "bogofilter-SA-2004-01">bogofilter-SA-2004-01/CVE-2004-1007: rfc2047crash:</a> RFC-2047 decoding vulnerability (0.17.4 ≤ - versions ≤ 0.92.7)</li> + versions ≤ 0.92.7).</li> <li><a href="bogofilter-SA-2002-01">bogofilter-SA-2002-01:</a> bogopass: contributed script insecure temporary file handling - (version 0.9.0.4)</li> + (version 0.9.0.4).</li> </ul> </body> </html> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
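Review bot: the Problem description in the added trunk/bogofilter/doc/bogofilter-SA-2012-01 is missing its subject noun: "bogofilter's/bogolexer's base64 could overwrite heap memory" should read "base64 decoder" (or "base64 decoding"), since it is the decoded output fed into the character set conversion that overruns. Two consistency points in the same header block: the Topic line says "heap corruption overrun" while the Type line says "out of bounds write" and the index.html entry says "heap buffer overrun"; settling on one term (heap buffer overrun) across the fields would help, and "data base" in section 1 is conventionally "database". Section 3 stops at "corrupt their heap and crash"; if arbitrary code execution was considered and ruled out, or was not assessed, saying so explicitly lets readers judge the "Danger: medium" rating, and section 4 would benefit from one sentence stating whether any workaround exists for sites that cannot upgrade to 1.2.3 immediately.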
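Review bot: the added trunk/web/security/bogofilter-SA-2012-01 is a byte-for-byte copy of trunk/bogofilter/doc/bogofilter-SA-2012-01, PGP signature block included. Two hand-maintained copies invite drift: any later correction to one must be mirrored to the other and the signature re-made over the new text, otherwise the published copy either fails verification or disagrees with the copy shipped in the tarball. Consider generating the web/security copy from the doc file at publish time (the doc/Makefile.am hunk already tracks that copy) rather than committing both.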
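Review bot: the new `<li>` for bogofilter-SA-2012-01 in trunk/web/security/index.html has no closing `</li>`; every other item in the list closes explicitly, and the same hunk adds trailing periods to the older items for consistency, so the new item should end `including 1.2.2).</li>` before the following `<li>`. Otherwise the intro change ("bogofilter 1.2.3 fixes all of these") agrees with the advisory's Not-affected line, and the CVE-2012-5468 reference in the link text matches the advisory's CVE ID field.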