SB2018091713 - Improper input validation in spamassassin (Alpine package)
Published: September 17, 2018
Security Bulletin ID
SB2018091713
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper input validation (CVE-ID: CVE-2017-15705)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in Apache SpamAssassin, using HTML::Parser due to an the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed when an object and hook are setup into the begin and end tag event handlers. A remote attacker can supply certain unclosed tags in specially crafted emails that cause markup to be handled incorrectly leading to scan timeouts.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=414d938b62bf425063a54567a1736a0d2fb76c8f
- https://git.alpinelinux.org/aports/commit/?id=920c66f72c3e2cc23d7aed42e9ffa0d3a355494d
- https://git.alpinelinux.org/aports/commit/?id=baee0facb0bff1fa120bd6c9b7b0454af79a3f04
- https://git.alpinelinux.org/aports/commit/?id=d41a153ca51fae77177652bcf56edc463802bab3
- https://git.alpinelinux.org/aports/commit/?id=4038e91416abe5bb2a7a09fe108146f5d55bbdaa