ID CVE-2007-0451
Summary Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage."
References
Vulnerable Configurations
  • Apache Software Foundation SpamAssassin 3.0.1
    cpe:2.3:a:apache:spamassassin:3.0.1
  • Apache Software Foundation SpamAssassin 3.0.2
    cpe:2.3:a:apache:spamassassin:3.0.2
  • Apache Software Foundation SpamAssassin 3.0.3
    cpe:2.3:a:apache:spamassassin:3.0.3
  • Apache Software Foundation SpamAssassin 3.0.4
    cpe:2.3:a:apache:spamassassin:3.0.4
  • Apache Software Foundation SpamAssassin 3.1.0
    cpe:2.3:a:apache:spamassassin:3.1.0
  • Apache Software Foundation SpamAssassin 3.1.1
    cpe:2.3:a:apache:spamassassin:3.1.1
  • Apache Software Foundation SpamAssassin 3.1.2
    cpe:2.3:a:apache:spamassassin:3.1.2
  • Apache Software Foundation SpamAssassin 3.1.7
    cpe:2.3:a:apache:spamassassin:3.1.7
CVSS
Base: 4.3 (as of 20-02-2007 - 11:22)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SPAMASSASSIN-3077.NASL
    description This upgrade brings spamassassin to version 3.1.8 with following changes : - fix for CVE-2007-0451: possible DoS due to incredibly long URIs found in the message content. - disable perl module usage in update channels unless --allowplugins is specified - files with names starting/ending in whitespace weren't usable - remove Text::Wrap related code due to upstream issues - update spamassassin and sa-learn to better deal with STDIN - improvements and bug fixes related to DomainKeys and DKIM support - several updates for Received header parsing - several documentation updates and random taint-variable related issues This update also adds some missing dependencies.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27451
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27451
    title openSUSE 10 Security Update : spamassassin (spamassassin-3077)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SPAMASSASSIN-3078.NASL
    description This upgrade brings spamassassin to version 3.1.8 with following changes : - fix for CVE-2007-0451: possible DoS due to incredibly long URIs found in the message content. - disable perl module usage in update channels unless -allowplugins is specified - files with names starting/ending in whitespace weren't usable - remove Text::Wrap related code due to upstream issues - update spamassassin and sa-learn to better deal with STDIN - improvements and bug fixes related to DomainKeys and DKIM support - several updates for Received header parsing - several documentation updates and random taint-variable related issues This update also adds some missing dependencies.
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29581
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29581
    title SuSE 10 Security Update : SPAMAssassin (ZYPP Patch Number 3078)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-241.NASL
    description This upgrades to version 3.1.8, which fixes some bugs and CVE-2007-0451 Malformed HTML Denial of Service. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 24360
    published 2007-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24360
    title Fedora Core 6 : spamassassin-3.1.8-1.fc6 (2007-241)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-049.NASL
    description A bug in the way that SpamAssassin processes HTML emails containing URIs was discovered in versions 3.1.x. A carefully crafted mail message could make SpamAssassin consume significant amounts of CPU resources that could delay or prevent the delivery of mail if a number of these messages were sent at once. SpamAssassin has been upgraded to version 3.1.8 to correct this problem, and other upstream bugs. In addition, an invalid path setting in local.cf for the auto_whitelist_path has been fixed for Mandriva 2007.0.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 24706
    published 2007-02-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24706
    title Mandrake Linux Security Advisory : spamassassin (MDKSA-2007:049)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0074.NASL
    description Updated spamassassin packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. SpamAssassin provides a way to reduce unsolicited commercial email (spam) from incoming email. A flaw was found in the way SpamAssassin processes HTML email containing URIs. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a number of these messages are sent, this could lead to a denial of service, potentially delaying or preventing the delivery of email. (CVE-2007-0451) Users of SpamAssassin should upgrade to these updated packages which contain version 3.1.8 which is not vulnerable to these issues. This is an upgrade from SpamAssassin version 3.0.6 to 3.1.8, which contains many bug fixes and spam detection enhancements. Further details are available in the SpamAssassin 3.1 changelog and upgrade guide.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 24696
    published 2007-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24696
    title RHEL 4 : spamassassin (RHSA-2007:0074)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0074.NASL
    description From Red Hat Security Advisory 2007:0074 : Updated spamassassin packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. SpamAssassin provides a way to reduce unsolicited commercial email (spam) from incoming email. A flaw was found in the way SpamAssassin processes HTML email containing URIs. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a number of these messages are sent, this could lead to a denial of service, potentially delaying or preventing the delivery of email. (CVE-2007-0451) Users of SpamAssassin should upgrade to these updated packages which contain version 3.1.8 which is not vulnerable to these issues. This is an upgrade from SpamAssassin version 3.0.6 to 3.1.8, which contains many bug fixes and spam detection enhancements. Further details are available in the SpamAssassin 3.1 changelog and upgrade guide.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67450
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67450
    title Oracle Linux 4 : spamassassin (ELSA-2007-0074)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200703-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-200703-02 (SpamAssassin: Long URI Denial of Service) SpamAssassin does not correctly handle very long URIs when scanning emails. Impact : An attacker could cause SpamAssassin to consume large amounts of CPU and memory resources by sending one or more emails containing very long URIs. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 24750
    published 2007-03-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24750
    title GLSA-200703-02 : SpamAssassin: Long URI Denial of Service
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-242.NASL
    description This upgrades to version 3.1.8, which fixes some bugs and CVE-2007-0451 Malformed HTML Denial of Service. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 24361
    published 2007-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24361
    title Fedora Core 5 : spamassassin-3.1.8-1.fc5 (2007-242)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0075.NASL
    description Updated spamassassin packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. SpamAssassin provides a way to reduce unsolicited commercial email (spam) from incoming email. A flaw was found in the way SpamAssassin processes HTML email containing URIs. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a number of these messages are sent, this could lead to a denial of service, potentially delaying or preventing the delivery of email. (CVE-2007-0451) Users of SpamAssassin should upgrade to these updated packages which contain version 3.1.8 which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 25316
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25316
    title RHEL 5 : spamassassin (RHSA-2007:0075)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0074.NASL
    description Updated spamassassin packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. SpamAssassin provides a way to reduce unsolicited commercial email (spam) from incoming email. A flaw was found in the way SpamAssassin processes HTML email containing URIs. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a number of these messages are sent, this could lead to a denial of service, potentially delaying or preventing the delivery of email. (CVE-2007-0451) Users of SpamAssassin should upgrade to these updated packages which contain version 3.1.8 which is not vulnerable to these issues. This is an upgrade from SpamAssassin version 3.0.6 to 3.1.8, which contains many bug fixes and spam detection enhancements. Further details are available in the SpamAssassin 3.1 changelog and upgrade guide.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 24702
    published 2007-02-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24702
    title CentOS 4 : spamassassin (CESA-2007:0074)
oval via4
accepted 2013-04-29T04:00:25.252-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage."
family unix
id oval:org.mitre.oval:def:10018
status accepted
submitted 2010-07-09T03:56:16-04:00
title Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage."
version 24
redhat via4
advisories
  • bugzilla
    id 228586
    title CVE-2007-0451 Spamassassin DoS
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • comment spamassassin is earlier than 0:3.1.8-2.el4
      oval oval:com.redhat.rhsa:tst:20070074002
    • comment spamassassin is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20070074003
    rhsa
    id RHSA-2007:0074
    released 2007-02-21
    severity Important
    title RHSA-2007:0074: spamassassin security update (Important)
  • bugzilla
    id 228587
    title CVE-2007-0451 Spamassassin DoS
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • comment spamassassin is earlier than 0:3.1.8-2.el5
      oval oval:com.redhat.rhsa:tst:20070075002
    • comment spamassassin is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhsa:tst:20070075003
    rhsa
    id RHSA-2007:0075
    released 2007-03-13
    severity Important
    title RHSA-2007:0075: spamassassin security update (Important)
rpms
  • spamassassin-0:3.1.8-2.el4
  • spamassassin-0:3.1.8-2.el5
refmap via4
bid 22584
confirm
fedora
  • FEDORA-2007-241
  • FEDORA-2007-242
gentoo GLSA-200703-02
mandriva MDKSA-2007:049
osvdb 33207
sectrack 1017666
secunia
  • 24197
  • 24200
  • 24250
  • 24256
  • 24265
  • 24307
  • 24889
suse SUSE-SR:2007:006
vupen ADV-2007-0628
xf spamassassin-url-dos(32536)
Last major update 18-05-2011 - 00:00
Published 16-02-2007 - 14:28
Last modified 10-10-2017 - 21:31
Back to Top