Publishing details
Changelog
dovecot-antispam (2.0+20150222-1~ubuntu14.04.1) trusty; urgency=medium
* No-change backport to trusty
dovecot-antispam (2.0+20150222-1) unstable; urgency=medium
* Use T_BEGIN/T_END since t_push() changed its signature and broke API
in dovecot 2.2.14, and this is the interface to it that things were
supposed to switch to some time back. Closes: #765943
dovecot-antispam (2.0+20130912-2) unstable; urgency=medium
* Use the correct argc for pipe.ham_args
This fixes a typo bug, where if the number of arguments set for
antispam_pipe_program_spam_arg is not the same as what was set
for antispam_pipe_program_notspam_arg, then we'll either scribble
past the end of the allocated argv array, or populate it with
pointers to whatever followed the real ham_args.
Thanks to Peter Colberg who reported this, including a correct
patch to fix it, to the security team. The security implications
of this seem somewhat limited, since you need to edit a config
file as root to create the bad situation, and there is no path
for remote injection of crafted data (whether it overflows or
underflows) if you do, the argv array will just get some 'random'
extra pointers to existing internal data.
However it does pose a potential problem for a legitimate user
who does legitimately need or want to pass a different number of
arguments for the spam and ham cases, since that could crash
dovecot, or confuse the hell out of their pipe program when it
gets some random extra arguments. It's probably gone unnoticed
for this long because most uses will pass the same number of
arguments for both of them, but that's not a necessary condition
in the general case.
dovecot-antispam (2.0+20130912-1) unstable; urgency=medium
* Merge upstreamed patches from the upstream branch,
no new changes to the Debian package from this.
* Depend on dovecot ABI rather than a specific Dovecot package version.
Many thanks to Jelmer Vernooij for both adding support for that to the
dovecot package and providing a patch for this one to use it. Now we
just need dovecot upstream to start bumping ABI less often than version :)
Closes: #755432
-- Andi Sherratt <email address hidden> Wed, 18 Nov 2015 15:40:49 +0000
Builds
Built packages
-
dovecot-antispam
Dovecot plugins for training spam filters
Package files