[cvs] SF.net SVN: bogofilter:[6981] trunk
Fast Bayesian spam filter along lines suggested by Paul Graham
Brought to you by:
m-a
Menu
▾
▴
[cvs] SF.net SVN: bogofilter:[6981] trunk
|
From: <m-...@us...> - 2012-12-03 22:45:28
|
Revision: 6981
http://bogofilter.svn.sourceforge.net/bogofilter/?rev=6981&view=rev
Author: m-a
Date: 2012-12-03 22:45:21 +0000 (Mon, 03 Dec 2012)
Log Message:
-----------
Add bogofilter-SA-2012-01
Modified Paths:
--------------
trunk/bogofilter/doc/Makefile.am
trunk/web/security/index.html
Added Paths:
-----------
trunk/bogofilter/doc/bogofilter-SA-2012-01
trunk/web/security/bogofilter-SA-2012-01
Modified: trunk/bogofilter/doc/Makefile.am
===================================================================
--- trunk/bogofilter/doc/Makefile.am 2012-12-03 22:24:25 UTC (rev 6980)
+++ trunk/bogofilter/doc/Makefile.am 2012-12-03 22:45:21 UTC (rev 6981)
@@ -39,6 +39,7 @@
bogofilter-SA-2002-01 bogofilter-SA-2004-01 \
bogofilter-SA-2005-01 bogofilter-SA-2005-02 \
bogofilter-SA-2010-01 \
+ bogofilter-SA-2012-01 \
integrating-with-postfix \
integrating-with-qmail \
programmer/OS2/configure.os2 \
Added: trunk/bogofilter/doc/bogofilter-SA-2012-01
===================================================================
--- trunk/bogofilter/doc/bogofilter-SA-2012-01 (rev 0)
+++ trunk/bogofilter/doc/bogofilter-SA-2012-01 2012-12-03 22:45:21 UTC (rev 6981)
@@ -0,0 +1,89 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+bogofilter-SA-2012-01
+
+Topic: heap corruption overrun in bogofilter/bogolexer
+
+Announcement: bogofilter-SA-2012-01
+Writer: Matthias Andree
+Version: 1.0
+CVE ID: CVE-2012-5468
+Announced: 2012-12-03
+Category: vulnerability
+Type: out of bounds write through invalid input
+Impact: heap corruption, application crash
+Credits: Julius Plenz (FU Berlin, Germany)
+Danger: medium
+URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
+
+Affected: bogofilter <= 1.2.2
+ SVN checkouts before 2012-10-19 UTC (-r6972)
+
+Not affected: bogofilter 1.2.3 (r6973) and newer
+
+1. Background
+=============
+
+Bogofilter is a software package for classifying a message as spam or
+non-spam. It uses a data base to store words and must be trained
+which messages are spam and non-spam. It uses the probabilities of
+individual words for classifying the message.
+
+Note that the bogofilter project is issuing security announcements only
+for current "stable" releases, and not necessarily for past "stable"
+releases.
+
+2. Problem description
+======================
+
+Julius Plenz figured out that bogofilter's/bogolexer's base64 could
+overwrite heap memory in the character set conversion in certain
+pathological cases of invalid base64 code that decodes to incomplete
+multibyte characters.
+
+3. Impact
+=========
+
+Vulnerable bogofilter/bogolexer applications can corrupt their heap and crash.
+
+4. Solution
+===========
+
+Upgrade your bogofilter to version 1.2.3 (or a newer release).
+
+bogofilter is available from SourceForge:
+<https://sourceforge.net/project/showfiles.php?group_id=62265>
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2012 by Matthias Andree, <mat...@gm...>.
+Some rights reserved.
+
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+
+Creative Commons
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
+USA
+
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of bogofilter-SA-2012-01
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAlC9KosACgkQvmGDOQUufZUxXwCfdAbd4IgFVkuWmH7z65Wy1TT1
+SiAAoJRLEwWzYXv81dgdtR4jg7uHDrLQ
+=gQie
+-----END PGP SIGNATURE-----
Added: trunk/web/security/bogofilter-SA-2012-01
===================================================================
--- trunk/web/security/bogofilter-SA-2012-01 (rev 0)
+++ trunk/web/security/bogofilter-SA-2012-01 2012-12-03 22:45:21 UTC (rev 6981)
@@ -0,0 +1,89 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+bogofilter-SA-2012-01
+
+Topic: heap corruption overrun in bogofilter/bogolexer
+
+Announcement: bogofilter-SA-2012-01
+Writer: Matthias Andree
+Version: 1.0
+CVE ID: CVE-2012-5468
+Announced: 2012-12-03
+Category: vulnerability
+Type: out of bounds write through invalid input
+Impact: heap corruption, application crash
+Credits: Julius Plenz (FU Berlin, Germany)
+Danger: medium
+URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
+
+Affected: bogofilter <= 1.2.2
+ SVN checkouts before 2012-10-19 UTC (-r6972)
+
+Not affected: bogofilter 1.2.3 (r6973) and newer
+
+1. Background
+=============
+
+Bogofilter is a software package for classifying a message as spam or
+non-spam. It uses a data base to store words and must be trained
+which messages are spam and non-spam. It uses the probabilities of
+individual words for classifying the message.
+
+Note that the bogofilter project is issuing security announcements only
+for current "stable" releases, and not necessarily for past "stable"
+releases.
+
+2. Problem description
+======================
+
+Julius Plenz figured out that bogofilter's/bogolexer's base64 could
+overwrite heap memory in the character set conversion in certain
+pathological cases of invalid base64 code that decodes to incomplete
+multibyte characters.
+
+3. Impact
+=========
+
+Vulnerable bogofilter/bogolexer applications can corrupt their heap and crash.
+
+4. Solution
+===========
+
+Upgrade your bogofilter to version 1.2.3 (or a newer release).
+
+bogofilter is available from SourceForge:
+<https://sourceforge.net/project/showfiles.php?group_id=62265>
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2012 by Matthias Andree, <mat...@gm...>.
+Some rights reserved.
+
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+
+Creative Commons
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
+USA
+
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of bogofilter-SA-2012-01
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAlC9KosACgkQvmGDOQUufZUxXwCfdAbd4IgFVkuWmH7z65Wy1TT1
+SiAAoJRLEwWzYXv81dgdtR4jg7uHDrLQ
+=gQie
+-----END PGP SIGNATURE-----
Modified: trunk/web/security/index.html
===================================================================
--- trunk/web/security/index.html 2012-12-03 22:24:25 UTC (rev 6980)
+++ trunk/web/security/index.html 2012-12-03 22:45:21 UTC (rev 6981)
@@ -21,31 +21,36 @@
<h1>Bogofilter security information</h1>
<p>These bogofilter vulnerabilities became known to date (newest
- first):</p>
+ first; bogofilter 1.2.3 fixes all of these):</p>
<ul>
<li><a
+ href="bogofilter-SA-2012-01">bogofilter-SA-2012-01/CVE-2012-5468:</a>
+ bogofilter/bogolexer heap buffer overrun with base64 input that
+ decodes to invalid multi-byte characters (versions up to and
+ including 1.2.2).
+ <li><a
href="bogofilter-SA-2010-01">bogofilter-SA-2010-01/CVE-2010-2494:</a>
bogofilter/bogolexer heap buffer underrun (1 byte) with invalid
- base64 input (versions up to and including 1.2.1)</li>
+ base64 input (versions up to and including 1.2.1).</li>
<li><a href=
"bogofilter-SA-2005-02">bogofilter-SA-2005-02/CVE-2005-4592:</a>
bogofilter/bogolexer heap buffer overrun with words > 16
- kBytes (version 0.96.2)</li>
+ kBytes (version 0.96.2).</li>
<li><a href=
"bogofilter-SA-2005-01">bogofilter-SA-2005-01/CVE-2005-4591:</a>
bogofilter/bogolexer heap buffer overrun with invalid input
- sequences (0.93.5 ≤ versions ≤ 0.96.2)</li>
+ sequences (0.93.5 ≤ versions ≤ 0.96.2).</li>
<li><a href=
"bogofilter-SA-2004-01">bogofilter-SA-2004-01/CVE-2004-1007:
rfc2047crash:</a> RFC-2047 decoding vulnerability (0.17.4 ≤
- versions ≤ 0.92.7)</li>
+ versions ≤ 0.92.7).</li>
<li><a href="bogofilter-SA-2002-01">bogofilter-SA-2002-01:</a>
bogopass: contributed script insecure temporary file handling
- (version 0.9.0.4)</li>
+ (version 0.9.0.4).</li>
</ul>
</body>
</html>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|