Univention Bugzilla – Bug 50780
spamassassin: Multiple issues (4.4)
Last modified: 2020-02-05 17:41:18 CET
New Debian spamassassin 3.4.2-1~deb9u3 fixes: This update addresses the following issues: * A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges. (CVE-2020-1930) * A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2020-1931)
--- mirror/ftp/4.4/unmaintained/component/4.4-3-errata/source/spamassassin_3.4.2-1~deb9u2.dsc +++ apt/ucs_4.4-0-errata4.4-3/source/spamassassin_3.4.2-1~deb9u3.dsc @@ -1,3 +1,10 @@ +3.4.2-1~deb9u3 [Thu, 30 Jan 2020 13:09:03 -0800] Noah Meyerhans <noahm@debian.org>: + + * Security update to address + - CVE-2020-1930. Arbitrary code execution via malicious rule files. + - CVE-2020-1931. Arbitrary code execution via malicious rule files. + (Closes: #950258) + 3.4.2-1~deb9u2 [Fri, 07 Dec 2018 22:26:08 -0800] Noah Meyerhans <noahm@debian.org>: * Security update to address CVE-2018-11805. Malicious rule or configuration <http://10.200.17.11/4.4-3/#1780685826897832902>
OK: yaml OK: announce_errata OK: patch OK: piuparts [4.4-3] 1da40829f3 Bug #50780: spamassassin 3.4.2-1~deb9u3 doc/errata/staging/spamassassin.yaml | 38 +++++++++++++++++------------------- 1 file changed, 18 insertions(+), 20 deletions(-) [4.4-3] d10337a67e Bug #50780: spamassassin 3.4.2-1~deb9u3 doc/errata/staging/spamassassin.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)
<http://errata.software-univention.de/ucs/4.4/436.html>