| Summary: | spamassassin new security issues CVE-2018-11805 and CVE-2019-12420 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, bruno, mageia, nicolas.salguero, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | spamassassin-3.4.2-7.mga7.src.rpm | CVE: | CVE-2018-11805, CVE-2019-12420 |
| Status comment: | | | |
Description
David Walser
2019-12-12 15:12:22 CET

CC: (none) => bruno

David Walser
2019-12-12 15:12:39 CET

Was going to assign to Bruno, but he is already CC'd; no registered maintainer => assign globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2018-11805)

In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. (CVE-2019-12420)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420
https://www.openwall.com/lists/oss-security/2019/12/12/1
https://www.openwall.com/lists/oss-security/2019/12/12/2
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
========================

Updated packages in core/updates_testing:
========================
spamassassin-3.4.3-1.mga7
spamassassin-sa-compile-3.4.3-1.mga7
spamassassin-tools-3.4.3-1.mga7
spamassassin-spamd-3.4.3-1.mga7
spamassassin-spamc-3.4.3-1.mga7
perl-Mail-SpamAssassin-3.4.3-1.mga7
perl-Mail-SpamAssassin-Spamd-3.4.3-1.mga7

from SRPMS:
spamassassin-3.4.3-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)

Does the package spamassassin-rules not need an update? Or was it forgotten?

CC: (none) => mageia

Debian has issued an advisory for this on December 14:
https://www.debian.org/security/2019/dsa-4584

Keywords: (none) => feedback

Oops! I forgot the package spamassassin-rules.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2018-11805)

In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. (CVE-2019-12420)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420
https://www.openwall.com/lists/oss-security/2019/12/12/1
https://www.openwall.com/lists/oss-security/2019/12/12/2
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
https://www.debian.org/security/2019/dsa-4584
========================

Updated packages in core/updates_testing:
========================
spamassassin-3.4.3-1.mga7
spamassassin-sa-compile-3.4.3-1.mga7
spamassassin-tools-3.4.3-1.mga7
spamassassin-spamd-3.4.3-1.mga7
spamassassin-spamc-3.4.3-1.mga7
perl-Mail-SpamAssassin-3.4.3-1.mga7
perl-Mail-SpamAssassin-Spamd-3.4.3-1.mga7
spamassassin-rules-3.4.3-1.mga7

from SRPMS:
spamassassin-3.4.3-1.mga7.src.rpm
spamassassin-rules-3.4.3-1.mga7.src.rpm

Keywords: feedback => (none)

Installed and tested without issue. My kmail is set up to use spamassassin and it is marking messages adequately. It is working as expected.

```
X-Spam-Checker-Version: SpamAssassin 3.4.3 (2019-12-06) on marte.home
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=4.0 tests=BAYES_60,FREEMAIL_FROM,
        HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_04,HTML_MESSAGE,
        HTTPS_HTTP_MISMATCH,SPOOFED_FREEMAIL,T_REMOTE_IMAGE autolearn=no
        autolearn_force=no version=3.4.3
```

System: Mageia 7, x86_64, Plasma DE, LXQt DE, kmail, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

```
$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i spamassassin | sort
perl-Mail-SpamAssassin-3.4.3-1.mga7
spamassassin-3.4.3-1.mga7
spamassassin-rules-3.4.3-1.mga7
```

I have been using it for over a week without issues so I'm giving it an OK for x86_64 to push it forward.

Whiteboard: (none) => MGA7-64-OK

Thanks. Validating. Advisory in Comment 5.

Keywords: (none) => validated_update

Thomas Backlund
2019-12-24 12:44:25 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0406.html

Resolution: (none) => FIXED
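The advisory lists the fixed builds and the tester confirmed them by reading `rpm -qa` output by eye. The script below is an added example for this bug report, not Mageia's or SpamAssassin's own tooling: it re-implements rpm's `rpmvercmp()` label comparison in Python and checks an `rpm -qa` listing against the advisory's package set, so a host can be verified mechanically. It assumes the tester's label format (`name-version-release`, no arch, no epoch); the `^` separator that later rpm versions understand is not handled, and both sample listings are constructed from the versions on this page.

```python
"""Verify installed SpamAssassin RPMs against the fixed build from the advisory above.

Added example, not part of the bug report. Assumes labels look like the
tester's `rpm -qa` output (name-version-release, no arch, no epoch).
"""
import re
import subprocess

# Package names from the advisory in Comment 5; all were rebuilt as 3.4.3-1.mga7.
FIXED_VR = ("3.4.3", "1.mga7")
FIXED = {name: FIXED_VR for name in (
    "spamassassin", "spamassassin-sa-compile", "spamassassin-tools",
    "spamassassin-spamd", "spamassassin-spamc", "perl-Mail-SpamAssassin",
    "perl-Mail-SpamAssassin-Spamd", "spamassassin-rules",
)}


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm's rpmvercmp().

    Returns 1 if a is newer, -1 if older, 0 if equal. Separators are ignored,
    digit runs compare numerically, a digit run beats a letter run, and '~'
    sorts before everything, including end of string (1.0~rc1 < 1.0).
    The '^' separator of newer rpm releases is not handled (assumption).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of decimal digits from both sides, or a run of letters from both.
        numeric = a[i].isdecimal()
        pattern = r"\d+" if numeric else r"[^\W\d_]+"
        m1, m2 = re.match(pattern, a[i:]), re.match(pattern, b[j:])
        if m2 is None:
            return 1 if numeric else -1  # mismatched kinds: numeric side is newer
        s1, s2 = m1.group(0), m2.group(0)
        if numeric:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
        i, j = i + len(m1.group(0)), j + len(m2.group(0))
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side has characters left wins


def split_label(label: str):
    """Split 'name-version-release' (rpm -qa style, no arch) into its parts."""
    name, version, release = label.rsplit("-", 2)
    return name, version, release


def is_fixed(version: str, release: str, fixed=FIXED_VR) -> bool:
    """True when version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, fixed[0])
    if c == 0:
        c = rpmvercmp(release, fixed[1])
    return c >= 0


def find_unpatched(rpm_qa_output: str) -> list:
    """Installed labels from the advisory's package set still older than the fix."""
    unpatched = []
    for label in rpm_qa_output.split():
        name, version, release = split_label(label)
        if name in FIXED and not is_fixed(version, release, FIXED[name]):
            unpatched.append(label)
    return unpatched


# Constructed sample: the tester's listing from the bug report, already on 3.4.3.
PATCHED_SAMPLE = """
perl-Mail-SpamAssassin-3.4.3-1.mga7
spamassassin-3.4.3-1.mga7
spamassassin-rules-3.4.3-1.mga7
"""

# Constructed sample: the two packages from the bug's Source RPM still at 3.4.2-7.mga7.
UNPATCHED_SAMPLE = """
perl-Mail-SpamAssassin-3.4.2-7.mga7
spamassassin-3.4.2-7.mga7
spamassassin-rules-3.4.3-1.mga7
"""

if __name__ == "__main__":
    try:
        # --qf yields name-version-release without arch, the format split_label() expects.
        proc = subprocess.run(["rpm", "-qa", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n"],
                              check=True, capture_output=True, text=True)
        output = proc.stdout
    except (OSError, subprocess.CalledProcessError):
        output = UNPATCHED_SAMPLE  # no rpm on this host: use the constructed sample
    missing = find_unpatched(output)
    print("unpatched:", missing if missing else "none")
```

Run on a Mageia 7 host it queries rpm directly; elsewhere it falls back to the constructed sample and reports the two 3.4.2-7.mga7 packages. Comparing release as well as version matters because a rebuild of the same upstream version (3.4.3-1 versus a hypothetical 3.4.3-2) is only distinguishable by the release field.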