Apache has released SpamAssassin 3.4.4 on January 28, fixing two security issues:
https://spamassassin.apache.org/news.html
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Nefarious rule configuration (.cf) files can be configured to run system commands with sa-compile. (CVE-2020-1930)

Nefarious rule configuration (.cf) files can be configured to run system commands with warnings. (CVE-2020-1931)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931
https://spamassassin.apache.org/news.html
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt
========================

Updated packages in core/updates_testing:
========================
spamassassin-3.4.4-1.mga7
spamassassin-sa-compile-3.4.4-1.mga7
spamassassin-tools-3.4.4-1.mga7
spamassassin-spamd-3.4.4-1.mga7
spamassassin-spamc-3.4.4-1.mga7
perl-Mail-SpamAssassin-3.4.4-1.mga7
perl-Mail-SpamAssassin-Spamd-3.4.4-1.mga7
spamassassin-rules-3.4.4-1.mga7

from SRPMS:
spamassassin-3.4.4-1.mga7.src.rpm
spamassassin-rules-3.4.4-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 7
CVE: (none) => CVE-2020-1930, CVE-2020-1931
Apache has issued advisories for this today (January 30):
https://www.openwall.com/lists/oss-security/2020/01/30/3
https://www.openwall.com/lists/oss-security/2020/01/30/2

The advisories have a little more detail on the issues. Please add those to the References.
Installed and tested without issue.

I'm using spamassassin with kmail and it's evaluating messages correctly. It's been in use for several days without issues.

----------------------------------------------------------------------
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on marte.home
X-Spam-Level:
X-Spam-Status: No, score=-1.5 required=4.0 tests=BAYES_00,HTML_MESSAGE autolearn=ham autolearn_force=no version=3.4.4
----------------------------------------------------------------------

System: Mageia 7, x86_64, Plasma DE, LXQt DE, kmail, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.4.17-desktop-1.mga7 #1 SMP Sat Feb 1 21:57:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -i spamassassin
spamassassin-3.4.4-1.mga7
spamassassin-rules-3.4.4-1.mga7
perl-Mail-SpamAssassin-3.4.4-1.mga7
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
Good enough for me. Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Debian and Ubuntu have issued advisories for this on February 1 and 4:
https://www.debian.org/security/2020/dsa-4615
https://usn.ubuntu.com/4265-1/
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0079.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED