[Bug 194290] New: CVE-2006-2447 spamassassin arbitrary command execution

bugzilla at redhat.com bugzilla at redhat.com
Tue Jun 6 21:23:45 UTC 2006


           Summary: CVE-2006-2447 spamassassin arbitrary command execution
           Product: Fedora Core
           Version: fc5
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: spamassassin
        AssignedTo: wtogami at redhat.com
        ReportedBy: bressers at redhat.com
                CC: fedora-perl-devel-list at redhat.com, felicity at kluge.net, jm at jmason.org, parkerm@pobox.com, reg+redhat at sidney.com, security-response-team at redhat.com, wtogami at redhat.com

+++ This bug was initially created as a clone of Bug #193865 +++

CVE-2006-2447 spamassassin arbitrary command execution

If spamd is run with the "-v" / "--vpopmail" switch, AND with the
"-P" / "--paranoid" switch, it becomes possible to execute arbitrary
commands as the user spamd is running as.

This issue is mitigated by the fact that no IMAP servers as shipped
with RHEL support vpopmail.  These options are also not the default
spamd options when it is started as a service.

This issue should also affect FC4.
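
Added example, not part of the original bug report: a small shell check that flags a spamd option string containing both switches named above. It assumes short switches may be bundled (e.g. "-vP"); the function names and the sample option strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag spamd option strings that
# combine the two switches the report names, -v/--vpopmail and -P/--paranoid.

# has_switch OPTS SHORT LONG
# Succeeds if OPTS contains --LONG or a single-dash token containing SHORT.
# Assumption: short switches may be bundled ("-vP"), so any single-dash
# token containing the letter counts; this can over-report for a letter
# that is really an attached option value.
has_switch() {
    _opts=$1; _short=$2; _long=$3; _found=1
    set -f                          # no globbing while word-splitting
    for _tok in $_opts; do
        case $_tok in
            --)            break ;;        # end of options
            "--$_long")    _found=0 ;;
            --*)           ;;              # some other long option
            -*"$_short"*)  _found=0 ;;
        esac
    done
    set +f
    return $_found
}

# Succeeds only when both switches are present, the combination the report
# describes.
spamd_opts_affected() {
    has_switch "$1" v vpopmail && has_switch "$1" P paranoid
}

# Constructed sample option strings (not taken from any real host).
audit_samples() {
    for _s in "-d -c -m5 -H" "-d -v -u vpopmail" "-d -v -P -u vpopmail" \
              "-d -vP" "-d --vpopmail --paranoid"; do
        if spamd_opts_affected "$_s"; then
            echo "AFFECTED combination: $_s"
        else
            echo "ok:                   $_s"
        fi
    done
}
audit_samples
```

To audit a host, pass spamd_opts_affected the option string from wherever that system configures spamd, or the arguments of the running process.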
