Bug 23590 - spamassassin new security issues fixed upstream in 3.4.2
Summary: spamassassin new security issues fixed upstream in 3.4.2
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-17 02:55 CEST by David Walser
Modified: 2018-10-15 23:11 CEST (History)
3 users

See Also:
Source RPM: spamassassin-3.4.1-7.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-09-17 02:55:07 CEST
Spamassassin 3.4.2 has been announced, fixing several security issues:
https://www.openwall.com/lists/oss-security/2018/09/16/1
David Walser 2018-09-17 02:55:22 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-09-18 14:01:49 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing one committer.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, shlomif

Comment 2 Bruno Cornec 2018-10-11 01:18:39 CEST
shlomif has pushed the 3.4.2 version to cauldron so that should be good for this branch.

CC: (none) => bruno

Comment 3 Bruno Cornec 2018-10-11 01:37:50 CEST
I pushed the same version in 6 core/updates_testing.

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2018-10-12 01:05:15 CEST
Advisory:
========================

Updated spamassassin package fixes security vulnerabilities:

A reliance on "." in @INC in one configuration script (CVE-2016-1238).

A denial of service vulnerability arises with certain unclosed tags in emails
that cause markup to be handled incorrectly leading to scan timeouts
(CVE-2017-15705).

A potential Remote Code Execution bug with the PDFInfo plugin (CVE-2018-11780).

A local user code injection in the meta rule syntax (CVE-2018-11781).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781
https://www.openwall.com/lists/oss-security/2018/09/16/1
========================

Updated packages in core/updates_testing:
========================
spamassassin-3.4.2-1.1.mga6
spamassassin-sa-compile-3.4.2-1.1.mga6
spamassassin-tools-3.4.2-1.1.mga6
spamassassin-spamd-3.4.2-1.1.mga6
spamassassin-spamc-3.4.2-1.1.mga6
perl-Mail-SpamAssassin-3.4.2-1.1.mga6
perl-Mail-SpamAssassin-Spamd-3.4.2-1.1.mga6

from spamassassin-3.4.2-1.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 5 David Walser 2018-10-13 00:53:29 CEST
Red Hat has issued an advisory for two of these issues on October 11:
https://access.redhat.com/errata/RHSA-2018:2916
Comment 6 David Walser 2018-10-15 23:11:40 CEST
Fedora has issued an advisory for this on September 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WQLOB65TXVE2WTAWI7HSIN5YFEPE5JCY/