Mailing List Archive

Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3
Apache SpamAssassin 3.0.4 was recently released [0], and fixes a denial
of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The
vulnerability allows certain misformatted long message headers to cause
spam checking to take a very long time.

While the exploit has yet to be seen in the wild, we are concerned that
there may be attempts to abuse the vulnerability in the future.
Therefore, we strongly recommend all users of these versions upgrade to
Apache SpamAssassin 3.0.4 as soon as possible.

This issue has been assigned CVE id CAN-2005-1266 [1].

To contact the Apache SpamAssassin security team, please e-mail
security at For more information about Apache
SpamAssassin, visit the web site.

Apache SpamAssassin Security Team



To unsubscribe, e-mail:
For additional commands, e-mail: