Apache has released SpamAssassin 3.4.5 on March 24, fixing a security issue:

https://spamassassin.apache.org/news.html
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.5.txt
https://www.openwall.com/lists/oss-security/2021/03/24/3

Mageia 7 and 8 are also affected.
CVE: (none) => CVE-2020-1946
Source RPM: (none) => spamassassin-3.4.4-3.mga8.src.rpm, spamassassin-rules-3.4.4-2.mga8.src.rpm
Whiteboard: (none) => MGA8TOO, MGA7TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places. (CVE-2020-1946)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1946
https://spamassassin.apache.org/news.html
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.5.txt
https://www.openwall.com/lists/oss-security/2021/03/24/3
========================

Updated packages in 7/core/updates_testing:
========================
spamassassin-3.4.5-1.mga7
spamassassin-sa-compile-3.4.5-1.mga7
spamassassin-tools-3.4.5-1.mga7
spamassassin-spamd-3.4.5-1.mga7
spamassassin-spamc-3.4.5-1.mga7
perl-Mail-SpamAssassin-3.4.5-1.mga7
perl-Mail-SpamAssassin-Spamd-3.4.5-1.mga7
spamassassin-rules-3.4.5-1.mga7

from SRPMS:
spamassassin-3.4.5-1.mga7.src.rpm
spamassassin-rules-3.4.5-1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
spamassassin-3.4.5-1.mga8
spamassassin-sa-compile-3.4.5-1.mga8
spamassassin-tools-3.4.5-1.mga8
spamassassin-spamd-3.4.5-1.mga8
spamassassin-spamc-3.4.5-1.mga8
perl-Mail-SpamAssassin-3.4.5-1.mga8
perl-Mail-SpamAssassin-Spamd-3.4.5-1.mga8
spamassassin-rules-3.4.5-1.mga8

from SRPMS:
spamassassin-3.4.5-1.mga8.src.rpm
spamassassin-rules-3.4.5-1.mga8.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: bugsquad => qa-bugs
Version: Cauldron => 8
Installed and tested without issues. Tested on a good number of ham and spam messages, in a setup with fetchmail, dovecot and roundcubemail. Used email clients: kmail, trojita, roundcubemail and failemail (Android). All seems to be working as expected.

======================================================
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on marte.local
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_99,BAYES_999,
        HTML_MESSAGE,T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.5
X-Spam-Report:
        *  4.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
        *      [score: 1.0000]
        *  5.0 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
        *      [score: 1.0000]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.0 T_REMOTE_IMAGE Message contains an external image
======================================================

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.10.25-desktop-1.mga7 #1 SMP Sat Mar 20 17:16:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -i spamassassin
spamassassin-rules-3.4.5-1.mga7
spamassassin-3.4.5-1.mga7
perl-Mail-SpamAssassin-3.4.5-1.mga7
CC: (none) => mageia
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Tested in a 64-bit MGA8 Plasma vbox guest.

Installed spamassassin packages and dependencies. Then used the above package list in qarepo:

The following 7 packages are going to be installed:

- perl-Mail-SpamAssassin-3.4.5-1.mga8.x86_64
- perl-Mail-SpamAssassin-Spamd-3.4.5-1.mga8.x86_64
- spamassassin-3.4.5-1.mga8.x86_64
- spamassassin-rules-3.4.5-1.mga8.noarch
- spamassassin-spamc-3.4.5-1.mga8.x86_64
- spamassassin-spamd-3.4.5-1.mga8.x86_64
- spamassassin-tools-3.4.5-1.mga8.x86_64

No installation issues.

After, tried a minimal test to see if the service would start:

# systemctl start spamd.service
# systemctl status spamd.service
● spamd.service - Spamassassin daemon
     Loaded: loaded (/usr/lib/systemd/system/spamd.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2021-04-11 19:09:26 EDT; 27s ago
   Main PID: 24096 (spamd)
      Tasks: 3 (limit: 4697)
     Memory: 100.4M
        CPU: 1.702s
     CGroup: /system.slice/spamd.service
             ├─24096 /usr/bin/perl -T -w /usr/bin/spamd
             ├─24103 spamd child
             └─24104 spamd child

Apr 11 19:09:26 localhost.localdomain systemd[1]: Started Spamassassin daemon.
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server started on IO::Socket::IP [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.5)
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server pid: 24096
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server successfully spawned child process, pid 24103
Apr 11 19:09:29 localhost.localdomain spamd[24096]: spamd: server successfully spawned child process, pid 24104
Apr 11 19:09:29 localhost.localdomain spamd[24096]: prefork: child states: IS
Apr 11 19:09:29 localhost.localdomain spamd[24096]: prefork: child states: II

Since the MGA7 update is the same version and has already been tested for functionality, I'm going to give this an MGA8 OK on a clean install and my very minimal test.

Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
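The two test comments above confirm the fix by eyeballing `rpm -qa` output and the qarepo package list. As an added check that is not part of this bug report, the following POSIX shell script does the same comparison mechanically: it takes `rpm -qa`-style name-version-release lines and lists the SpamAssassin packages whose upstream version is still below 3.4.5, the version that fixes CVE-2020-1946. The package lines embedded in it are a constructed sample mixing the pre-update 3.4.4 builds (from the Source RPM field) with the 3.4.5 builds listed in the advisory; the script assumes the Mageia naming shown in the comments (version is the last field before the release, dotted numeric components).

```shell
#!/bin/sh
# Added example, not from the Mageia bug report: flag SpamAssassin packages
# whose version is below the fixed release for CVE-2020-1946.

FIXED_VERSION="3.4.5"

# Constructed sample of `rpm -qa | grep -i spamassassin` output, mixing
# not-yet-updated 3.4.4 builds with updated 3.4.5 builds.
SAMPLE_RPM_QA='spamassassin-rules-3.4.5-1.mga7
spamassassin-3.4.4-3.mga7
perl-Mail-SpamAssassin-3.4.5-1.mga7
spamassassin-spamd-3.4.4-3.mga7'

# nvr_version NAME-VERSION-RELEASE -> VERSION
# e.g. perl-Mail-SpamAssassin-3.4.5-1.mga7 -> 3.4.5
nvr_version() {
    _nv=${1%-*}                 # drop the release (text after the last '-')
    printf '%s\n' "${_nv##*-}"  # keep what follows the now-last '-'
}

# vercmp A B: compare dotted numeric versions component by component.
# Prints -1 if A < B, 0 if equal, 1 if A > B. Missing components count as 0,
# so 3.4 == 3.4.0 and 3.10 > 3.4.5 (numeric, not lexical, comparison).
vercmp() {
    _a=$1
    _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ai=${_a%%.*}
        _bi=${_b%%.*}
        [ -n "$_ai" ] || _ai=0
        [ -n "$_bi" ] || _bi=0
        if [ "$_ai" -lt "$_bi" ]; then printf '%s\n' -1; return; fi
        if [ "$_ai" -gt "$_bi" ]; then printf '%s\n' 1; return; fi
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    printf '%s\n' 0
}

# vulnerable_packages: read rpm -qa lines on stdin, print those below FIXED_VERSION.
vulnerable_packages() {
    while IFS= read -r _pkg; do
        [ -n "$_pkg" ] || continue
        _v=$(nvr_version "$_pkg")
        if [ "$(vercmp "$_v" "$FIXED_VERSION")" -lt 0 ]; then
            printf '%s\n' "$_pkg"
        fi
    done
}

# count_vulnerable "LINES": number of packages in LINES still below FIXED_VERSION.
count_vulnerable() {
    printf '%s\n' "$1" | vulnerable_packages | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: prints the two 3.4.4 packages.
printf '%s\n' "$SAMPLE_RPM_QA" | vulnerable_packages
```

On a real host, replace the constructed sample with `rpm -qa | grep -i spamassassin | vulnerable_packages`; an empty result means every installed SpamAssassin package is at or above 3.4.5. The comparison is numeric per component rather than a plain string sort, which matters once a minor version reaches two digits.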
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0182.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Debian has issued an advisory for this on March 27: https://www.debian.org/security/2021/dsa-4879