Apache has issued advisories today (December 12):
https://www.openwall.com/lists/oss-security/2019/12/12/1
https://www.openwall.com/lists/oss-security/2019/12/12/2

The issues are fixed upstream in 3.4.3:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt

Mageia 7 is also affected.
CC: (none) => bruno
Whiteboard: (none) => MGA7TOO
Was going to assign to Bruno, but he is already CC'd; no registered maintainer => assign globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2018-11805)

In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. (CVE-2019-12420)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420
https://www.openwall.com/lists/oss-security/2019/12/12/1
https://www.openwall.com/lists/oss-security/2019/12/12/2
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
========================

Updated packages in core/updates_testing:
========================
spamassassin-3.4.3-1.mga7
spamassassin-sa-compile-3.4.3-1.mga7
spamassassin-tools-3.4.3-1.mga7
spamassassin-spamd-3.4.3-1.mga7
spamassassin-spamc-3.4.3-1.mga7
perl-Mail-SpamAssassin-3.4.3-1.mga7
perl-Mail-SpamAssassin-Spamd-3.4.3-1.mga7

from SRPMS:
spamassassin-3.4.3-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
CVE: (none) => CVE-2018-11805, CVE-2019-12420
Does the package spamassassin-rules not need an update? Or was it forgotten?
CC: (none) => mageia
Debian has issued an advisory for this on December 14: https://www.debian.org/security/2019/dsa-4584
Keywords: (none) => feedback
Oops! I forgot the package spamassassin-rules.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2018-11805)

In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. (CVE-2019-12420)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420
https://www.openwall.com/lists/oss-security/2019/12/12/1
https://www.openwall.com/lists/oss-security/2019/12/12/2
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
https://www.debian.org/security/2019/dsa-4584
========================

Updated packages in core/updates_testing:
========================
spamassassin-3.4.3-1.mga7
spamassassin-sa-compile-3.4.3-1.mga7
spamassassin-tools-3.4.3-1.mga7
spamassassin-spamd-3.4.3-1.mga7
spamassassin-spamc-3.4.3-1.mga7
perl-Mail-SpamAssassin-3.4.3-1.mga7
perl-Mail-SpamAssassin-Spamd-3.4.3-1.mga7
spamassassin-rules-3.4.3-1.mga7

from SRPMS:
spamassassin-3.4.3-1.mga7.src.rpm
spamassassin-rules-3.4.3-1.mga7.src.rpm
Keywords: feedback => (none)
Installed and tested without issue. My kmail is set up to use spamassassin and it is marking messages adequately. It is working as expected.

-------------------------------------------------------------------------
X-Spam-Checker-Version: SpamAssassin 3.4.3 (2019-12-06) on marte.home
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=4.0 tests=BAYES_60,FREEMAIL_FROM,
        HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_04,HTML_MESSAGE,
        HTTPS_HTTP_MISMATCH,SPOOFED_FREEMAIL,T_REMOTE_IMAGE autolearn=no
        autolearn_force=no version=3.4.3
-------------------------------------------------------------------------

System: Mageia 7, x86_64, Plasma DE, LXQt DE, kmail, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -i spamassassin | sort
perl-Mail-SpamAssassin-3.4.3-1.mga7
spamassassin-3.4.3-1.mga7
spamassassin-rules-3.4.3-1.mga7
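The header block quoted in the test report above is the evidence QA relies on: it shows which SpamAssassin version scanned the message, the score, the threshold and the rules that fired. The following is an added example, not code from this bug report, from Mageia or from the SpamAssassin project: a small parser for the X-Spam-Status / X-Spam-Checker-Version headers that unfolds the continuation lines, extracts the fields, and checks that the scanning version is at least the fixed 3.4.3 named in the advisory. The sample message is constructed here from the quoted headers with a made-up envelope and body; running it over a real mailbox (for example by feeding each message file to parse_spam_status) would show whether every message was scanned by the updated version.

```python
import email
import re

# Fixed upstream version named in the advisory; an older scanner is still exposed.
FIXED_VERSION = (3, 4, 3)

# Constructed sample: the headers quoted in the test report, wrapped in a minimal
# message (From/To/Subject and the body are made up) so the stdlib parser can
# unfold the tab-continued X-Spam-Status header.
SAMPLE_MESSAGE = """\
From: someone@example.com
To: me@marte.home
Subject: constructed sample
X-Spam-Checker-Version: SpamAssassin 3.4.3 (2019-12-06) on marte.home
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=4.0 tests=BAYES_60,FREEMAIL_FROM,
\tHTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_04,HTML_MESSAGE,
\tHTTPS_HTTP_MISMATCH,SPOOFED_FREEMAIL,T_REMOTE_IMAGE autolearn=no
\tautolearn_force=no version=3.4.3

(constructed body)
"""


def parse_version(text):
    """Turn '3.4.3' into (3, 4, 3) so versions compare numerically; None if malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def parse_spam_status(raw_message):
    """Extract verdict, score, threshold, rule hits and scanner version from a message.

    Returns None when the message carries no X-Spam-Status header (i.e. it was
    never scanned), which is itself a finding when checking a mailbox.
    """
    msg = email.message_from_string(raw_message)
    value = msg.get("X-Spam-Status")
    if value is None:
        return None
    # Collapse folded continuation lines (newline + tab/space) into single spaces.
    value = " ".join(value.split())
    verdict, _, rest = value.partition(",")
    fields = {}
    key = None
    for token in rest.split():
        if "=" in token:
            key, _, val = token.partition("=")
            fields[key] = val
        elif key is not None:
            # A bare token is the continuation of a folded comma list (tests=...).
            fields[key] += token
    tests = [t for t in fields.get("tests", "").split(",") if t]
    return {
        "is_spam": verdict.strip() == "Yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": tests,
        "autolearn": fields.get("autolearn"),
        "version": parse_version(fields.get("version", "")),
        "level": len(msg.get("X-Spam-Level", "").strip()),
        "checker": msg.get("X-Spam-Checker-Version"),
    }


def scanner_is_patched(parsed, fixed=FIXED_VERSION):
    """True only if the version recorded in the header is at or above the fixed release."""
    version = parsed.get("version")
    return version is not None and version >= fixed


if __name__ == "__main__":
    result = parse_spam_status(SAMPLE_MESSAGE)
    print("verdict: spam" if result["is_spam"] else "verdict: ham",
          f'score={result["score"]} required={result["required"]}')
    print("rules:", ", ".join(result["tests"]))
    print("scanner patched:", scanner_is_patched(result))
```

A message with no X-Spam-Status header at all is reported as None rather than as "not spam", because the more likely explanation in a post-update check is that spamd was not running or the client bypassed it, which is exactly what a tester wants to notice.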
I have been using it for over a week without issues so I'm giving it an OK for x86_64 to push it forward.
Whiteboard: (none) => MGA7-64-OK
Thanks. Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0406.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED