Package: spamassassin
Version: 3.0.3-2sarge1
Severity: normal
Tags: patch

SpamAssassin ships with an out-of-date list of IP ranges that it treats as trusted
(internal) relays. Spammers now operate from hosts in several of these ranges, and
because such a host is taken to be internal, certain tests (e.g. SPF) are evaluated
against the wrong relay and are effectively bypassed. The result is excessive spam
from hosts in these ranges.

This problem was fixed upstream in SVN revision 124829:
"bug 3968: don't trust that reserved networks are internal/private, only use 
private networks that are not publicly routeable"

Bugzilla Bug 3968:
IP_IN_RESERVED_RANGE, in Constants.pm, is out of date. Specifically, 71/8 and 
72/8 are no longer reserved, according to 
http://www.iana.org/assignments/ipv4-address-space.

The fix is to remove all of the IANA-reserved and multicast ranges from the list
stored in Constants.pm, leaving only the private (non-publicly-routable) ranges, as
in upstream commit 124829.
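To show why an out-of-date "reserved" list turns into an SPF bypass, here is an
added example (not code from this bug report or from SpamAssassin). It transcribes
the two versions of the IP_IN_RESERVED_RANGE tail from the patch into Python
re.VERBOSE (the equivalent of Perl's /x), abridging the old version to the private
ranges plus the two IANA-reserved alternatives that matter here (071-079/8 and
100-119/8), and assumes the pattern is anchored with a leading `^(?:` that the hunk
does not show. The relay walk is a simplified model of how the first external relay
is inferred from Received: headers; the header chain is constructed for the example.

```python
import re

# Old pattern, abridged from the "-" lines of the patch. The leading "^(?:" is an
# assumption; the hunk only shows the tail of the pattern.
OLD_INTERNAL_RE = re.compile(r"""^(?:
  10|                              # 10/8:              Private Use
  172\.(?:1[6-9]|2[0-9]|3[01])|    # 172.16-172.31/16:  Private Use
  169\.254|                        # 169.254/16:        APIPA
  127|                             # 127/8:             localhost
  7[1-9]|                          # 071-079/8: listed as IANA Reserved, 71/8 and 72/8 no longer are
  1[01][0-9]                       # 100-119/8: listed as IANA Reserved
)\.""", re.VERBOSE)

# New pattern: only the non-routable private ranges survive.
NEW_INTERNAL_RE = re.compile(r"""^(?:
  10|                              # 10/8:              Private Use
  172\.(?:1[6-9]|2[0-9]|3[01])|    # 172.16-172.31/16:  Private Use
  169\.254|                        # 169.254/16:        APIPA
  127                              # 127/8:             localhost
)\.""", re.VERBOSE)

# Extracts the bracketed connecting IP from a Received: header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip, pattern):
    """True if the pattern classifies this relay IP as internal/trusted."""
    return pattern.match(ip) is not None


def first_external_relay(received_headers, pattern):
    """Simplified trust-path inference (assumption, not SpamAssassin's own code):
    walk Received: headers newest-first, skip relays the pattern classifies as
    internal, and return the IP of the first external relay. That IP is the one an
    SPF check is evaluated against."""
    for hdr in received_headers:
        m = RECEIVED_IP_RE.search(hdr)
        if m and not is_internal(m.group(1), pattern):
            return m.group(1)
    return None


# Constructed Received: chain, newest first. 72.0.2.10 is the spammer's real
# connecting host; the bottom header was forged by the spammer and names an IP
# of their choosing (203.0.113.7) that passes SPF for the spoofed sender domain.
CONSTRUCTED_RECEIVED = [
    "Received: from mx.example.net ([10.0.0.5]) by store.example.net; Sun, 28 Oct 2007 11:20:01 +0000",
    "Received: from spamhost.example ([72.0.2.10]) by mx.example.net; Sun, 28 Oct 2007 11:20:00 +0000",
    "Received: from mail.spoofed.example ([203.0.113.7]) by spamhost.example; Sun, 28 Oct 2007 11:19:59 +0000",
]


def spf_client_ip_old():
    """With the old list, 72/8 is 'internal', so the walk reaches the forged hop."""
    return first_external_relay(CONSTRUCTED_RECEIVED, OLD_INTERNAL_RE)


def spf_client_ip_new():
    """With the fixed list, the walk stops at the spammer's real host."""
    return first_external_relay(CONSTRUCTED_RECEIVED, NEW_INTERNAL_RE)


if __name__ == "__main__":
    print("old pattern: SPF evaluated against", spf_client_ip_old())
    print("new pattern: SPF evaluated against", spf_client_ip_new())
```

With the old list the 72.0.2.10 hop is skipped as internal and SPF is checked
against 203.0.113.7, an address the spammer chose, so the forged sender passes.
With the fixed list the walk stops at 72.0.2.10 and the check runs against the
host that actually connected.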


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.19.2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages spamassassin depends on:
ii  debconf                    1.4.30.13     Debian configuration management sy
ii  libdigest-sha1-perl        2.10-1        NIST SHA-1 message digest algorith
ii  libhtml-parser-perl        3.45-2        A collection of modules that parse
ii  perl [libstorable-perl]    5.8.4-8sarge5 Larry Wall's Practical Extraction 
ii  spamc                      3.0.3-2sarge1 Client for SpamAssassin spam filte

-- debconf information excluded
diff -Nru spamassassin-3.0.3-orig/lib/Mail/SpamAssassin/Constants.pm 
spamassassin-3.0.3/lib/Mail/SpamAssassin/Constants.pm
--- spamassassin-3.0.3-orig/lib/Mail/SpamAssassin/Constants.pm  2004-10-22 
16:21:03.000000000 +0100
+++ spamassassin-3.0.3/lib/Mail/SpamAssassin/Constants.pm       2007-10-28 
11:24:37.000000000 +0000
@@ -88,26 +88,7 @@
   10|                             # 10/8:             Private Use (3330)
   172\.(?:1[6-9]|2[0-9]|3[01])|           # 172.16-172.31/16: Private Use 
(3330)
   169\.254|                       # 169.254/16:       Private Use (APIPA)
-  127|                            # 127/8:            Private Use (localhost)
-# reserved/multicast ranges
-  [01257]|                        # 000-002/8, 005/8, 007/8: IANA Reserved
-  2[37]|                          # 023/8, 027/8:     IANA Reserved
-  3[1679]|                        # 031/8, 036/8, 037/8, 039/8: IANA Reserved
-  4[129]|                         # 041/8, 042/8, 049/8: IANA Reserved
-  50|                             # 050/8:            IANA Reserved
-  7[1-9]|                         # 071-079/8:        IANA Reserved
-  89|                             # 089/8:            IANA Reserved
-  9[0-9]|                         # 090-099/8:        IANA Reserved
-  1[01][0-9]|                     # 100-119/8:        IANA Reserved
-  12[0-6]|                        # 126/8:            IANA Reserved
-  1(?:7[3-9]|8[0-79]|90)          # 173-187/8, 189/8, 190/8: IANA Reserved
-  192\.0\.2|                      # 192.0.2/24:       Reserved (3330)
-  197|                            # 197/8:            IANA Reserved
-  198\.1[89]|                     # 198.18/15:        Reserved (3330)
-  22[3-9]|                        # 223-239/8:        IANA Rsvd, Mcast
-  23[0-9]|                        # 230-239/8:        IANA Multicast
-  24[0-9]|                        # 240-249/8:        IANA Reserved
-  25[0-5]                         # 255/8:            IANA Reserved
+  127                             # 127/8:            Private Use (localhost)
 )\.}ox;
 
 # ---------------------------------------------------------------------------
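Review bot: after this hunk the constant still goes by the name IP_IN_RESERVED_RANGE while it only matches 10/8, 172.16/12, 169.254/16 and 127/8, so either rename it or add a comment above the alternation saying that only non-publicly-routable private ranges belong here, otherwise someone will re-add allocated /8s later. Please also confirm that 192.168/16 (RFC 1918) is among the unchanged lines above this hunk, since it is not visible in the context shown. The removed block also carried a latent defect worth a changelog line: `1(?:7[3-9]|8[0-79]|90)` had no trailing `|`, so under /x it concatenated with the following `192\.0\.2|` and neither alternative could ever match on its own. Dropping the trailing `|` on the `127` line is correct now that it is the last alternative.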