-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 26                                         20100104
================================

Package:            Kolab Server, SpamAssassin
Vulnerability:      mail lossage
Kolab Specific:     no
Dependent Packages: none

Summary
~~~~~~~

The Apache SpamAssassin spam filter shipping with Kolab Server includes
a rule named FH_DATE_PAST_20XX which triggers on most mail with a Date
header that includes the year 2010 or later. This adds 3.2 to the spam
score of nearly every mail sent after 2009, so legitimate mail is pushed
over the spam threshold and may be tagged or discarded.

Affected Versions
~~~~~~~~~~~~~~~~~

This affects SpamAssassin versions 3.2.0 to 3.2.5.

Kolab Server 2.2.3 and previous releases are affected.

Fix
~~~

Add the following line to /kolab/etc/kolab/templates/local.cf.template:

  score FH_DATE_PAST_20XX 0.0

or update your kolabd package:

OpenPKG packages for Kolab Server 2.2.3 are available from

  http://files.kolab.org/server/security-updates/20100104/

or from the mirrors listed on

  http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Lenny) is
available as

  kolabd-2.2.3-20100104.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Etch) is
available as

  kolabd-2.2.3-20100104.ix86-debian4.0-kolab.rpm

After that run as root:

  /kolab/sbin/kolabconf

Older versions of Kolab Server don't have local.cf.template; there you
have to edit /kolab/etc/spamassassin/local.cf directly and afterwards
restart amavisd with:

  /kolab/etc/rc.d/rc.amavisd restart

You can check the integrity of the downloaded files with:

  $ gpg --keyserver keys.gnupg.net --recv-key 4BB86568
  $ gpg --verify SHA1SUMS.sig
  $ sha1sum -c SHA1SUMS

The source package can be compiled and installed on your Kolab Server
with:

  # su - kolab
  $ openpkg rpm --rebuild ...path/to.../kolabd-2.2.3-20100104.src.rpm
  $ openpkg rpm -Uvh /kolab/RPM/PKG/kolabd-2.2.3-20100104.--kolab.rpm
  $ exit
  # /kolab/sbin/kolabconf

To install a binary package, just skip the --rebuild step.
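The following helper script is an added example and not part of the Kolab advisory or the kolabd package. It applies the score override from the Fix section idempotently to whichever file the advisory says to edit (the kolabconf template on 2.2.x, the live local.cf on older releases), reports the effective score the config now carries, and, where a spamassassin CLI is available, feeds a constructed message with a 2010 Date header through `spamassassin -t` to confirm whether FH_DATE_PAST_20XX still fires. The Kolab paths are the advisory's; the location of the spamassassin binary and the KOLAB_ROOT override are assumptions.

```shell
#!/bin/sh
# Added example: hotfix helper for FH_DATE_PAST_20XX on Kolab Server.
# Not Kolab's own code. Paths under /kolab are from the advisory; the
# KOLAB_ROOT and SPAMASSASSIN environment overrides are assumptions.
set -eu

RULE=FH_DATE_PAST_20XX
KOLAB_ROOT=${KOLAB_ROOT:-/kolab}
TEMPLATE=$KOLAB_ROOT/etc/kolab/templates/local.cf.template   # Kolab 2.2.x
LOCALCF=$KOLAB_ROOT/etc/spamassassin/local.cf                 # older releases

# Constructed test message: a Date header in 2010 is exactly what the
# broken rule matches, so it must NOT score FH_DATE_PAST_20XX after the fix.
TEST_MSG='From: sender@example.org
To: recipient@example.org
Subject: FH_DATE_PAST_20XX check
Date: Mon, 4 Jan 2010 10:00:00 +0100

hello
'

# Pick the file the advisory says to edit: the kolabconf template when it
# exists (2.2.x), otherwise the live local.cf.
config_file() {
    if [ -f "$TEMPLATE" ]; then echo "$TEMPLATE"; else echo "$LOCALCF"; fi
}

# Print the score the config assigns to the rule, or "unset". SpamAssassin
# applies "score" lines in order, so the last one in the file wins.
effective_score() {
    file=$1
    [ -r "$file" ] || { echo unset; return 0; }
    awk -v rule="$RULE" '
        $1 == "score" && $2 == rule { s = $3 }
        END { print (s == "" ? "unset" : s) }' "$file"
}

# Append "score FH_DATE_PAST_20XX 0.0" unless the file already yields 0.0.
# Prints what was done so the caller (or a test) can check it.
ensure_score_override() {
    file=$1
    case "$(effective_score "$file")" in
        0.0)   echo present ;;
        unset) printf 'score %s 0.0\n' "$RULE" >> "$file"; echo added ;;
        *)     printf 'score %s 0.0\n' "$RULE" >> "$file"; echo overridden ;;
    esac
}

# Return 0 if the rule still fires on the test message, 1 if it does not,
# 2 if no spamassassin CLI is available. Set SPAMASSASSIN to the binary
# on your system (on Kolab Server presumably $KOLAB_ROOT/bin/spamassassin).
rule_fires() {
    sa=${SPAMASSASSIN:-spamassassin}
    command -v "$sa" >/dev/null 2>&1 || { echo "no spamassassin CLI" >&2; return 2; }
    printf '%s' "$TEST_MSG" | "$sa" -t 2>/dev/null | grep -q "$RULE"
}

# Usage: sh fh_date_hotfix.sh --apply   add the override to the right file
#        sh fh_date_hotfix.sh --check   report the effective score and
#                                       whether the rule still fires
case "${1:-}" in
    --apply)
        f=$(config_file)
        echo "$f: $(ensure_score_override "$f")"
        echo "now run $KOLAB_ROOT/sbin/kolabconf (2.2.x) or" \
             "$KOLAB_ROOT/etc/rc.d/rc.amavisd restart (older releases)"
        ;;
    --check)
        f=$(config_file)
        echo "$f: score $RULE = $(effective_score "$f")"
        if rule_fires; then echo "rule STILL FIRES on a 2010 date";
        else echo "rule does not fire on a 2010 date"; fi
        ;;
esac
```

On Kolab 2.2.x the override goes into the template and only becomes live after kolabconf regenerates local.cf, so run `--check` after kolabconf (or after the amavisd restart on older releases), not before: the score reported from the template is what will be generated, but `rule_fires` exercises the rules the running spamassassin actually loads.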
Details
~~~~~~~

http://wiki.apache.org/spamassassin/Rules/FH_DATE_PAST_20XX
  Description of the problematic rule including a note on the
  misbehavior of older versions.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269
  Bug report in the official upstream tracker.

Timeline
~~~~~~~~

20100101  Upstream bug report
20100102  Discussion and hotfix on kolab-users@kolab.org
20100104  Updated kolabd package available and Kolab Server security
          advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAktB2zIACgkQuyGFFEu4ZWjgXACgmVGeRv6WC0hcZyt/u/rGzKUy
SHgAniot1t0uMJpIBuo1jxIVMxlNeFEf
=j0Bn
-----END PGP SIGNATURE-----