Univention Bugzilla – Bug 48169
spamassassin: Multiple issues (4.3)
Last modified: 2018-11-21 15:21:19 CET
New Debian spamassassin 3.4.2-1~deb9u1 fixes: This update addresses the following issues:
 * Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service (CVE-2017-15705)
 * Potential remote code execution vulnerability in PDFInfo plugin (CVE-2018-11780)
 * Local user code injection in the meta rule syntax (CVE-2018-11781)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/spamassassin_3.4.1-6+deb9u1.dsc +++ apt/ucs_4.3-0-errata4.3-2/source/spamassassin_3.4.2-1~deb9u1.dsc 
@@ -1,4 +1,48 @@ -3.4.1-6+deb9u1 [Sun, 19 Nov 2017 10:43:02 -0800] Noah Meyerhans <noahm@debian.org>: +3.4.2-1~deb9u1 [Sun, 30 Sep 2018 23:44:58 -0700] Noah Meyerhans <noahm@debian.org>: + + * New upstream release fixes multiple security vulnerabilities + - CVE-2017-15705: Denial of service issue in which certain unclosed + tags in emails cause markup to be handled incorrectly leading to + scan timeouts. (Closes: 908969) + - CVE-2016-1238: Unsafe usage of "." in @INC in a configuration + script. + - CVE-2018-11780: potential Remote Code Execution bug with the + PDFInfo plugin. (Closes: 908970) + - CVE-2018-11781: local user code injection in the meta rule syntax. + (Closes: 908971) + - BayesStore: bayes_expire table grows, remove_running_expire_tok not + called (Closes: 883775) + - Fix use of uninitialized variable warning in PDFInfo.pm + (Closes: 865924) + - Fix "failed to parse plugin" error in + Mail::SpamAssassin::Plugin::URILocalBL (Closes: 891041) + * Don't recursively chown /var/lib/spamassassin during postinst. + (Closes: 889501) + * Reload spamd after compiling rules in sa-compile.postinst. + * Update SysV init script to cope with upstream's change to $0. + * Remove compiled rules upon removal of the sa-compile package. + * Ensure that /var/lib/spamassassin/compiled doesn't change modes with + the cron job's execution. (Closes: 890650) + * Create /var/lib/spamassassin via dpkg, rather than the postinst. + (Closes: 891833) + * Add libbsd-resource-perl to Suggests (Closes: 910434) + +3.4.1-8 [Sat, 09 Sep 2017 22:37:20 -0700] Noah Meyerhans <noahm@debian.org>: + + * Fix inappropriate invocation of invoke-rc.d in cron script. + (Closes: 865514) + * Update systemd unit dependencies to include network and syslog. + (Closes: 864810) + * Migrate packaging to git, finally. 
+ * Apply upstream patch to fix regex error leading to warnings in perl + 5.26+ (Closes: 869408) + * Update standards version to 4.1.0.0 + * Remove references to the obsolete syslog.target dependency in the + systemd service file. + * Clarify the use of the perl-major-upgrade dpkg trigger. + * Fix spamd service management on package upgrades. (Closes: #865356) + +3.4.1-7 [Thu, 11 May 2017 19:45:36 -0700] Noah Meyerhans <noahm@debian.org>: * Ensure that spamd doesn't automatically start upon initial installation. @@ -8,11 +52,6 @@ used in the sysvinit script. (Closes: #808804) * Update spamassassin docs to remove outdated gpg version compatibility note. (Closes: #853913) - * Update systemd unit dependencies to include network and syslog. - (Closes: 864810) - * Fix inappropriate invocation of invoke-rc.d in cron script. - (Closes: 865514) - * Fix spamd service manage on upgrades. (Closes: #865356) 3.4.1-6 [Sun, 30 Oct 2016 09:39:27 -0700] Noah Meyerhans <noahm@debian.org>: <http://10.200.17.11/4.3-2/#1780685826895667852>
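Review bot: the changelog hunk records four CVEs, but the errata description above names only three; the entry `- CVE-2016-1238: Unsafe usage of "." in @INC in a configuration script.` is fixed by the same upstream release and should be listed in the advisory text (or its omission explained) so the published errata matches what the package actually addresses. The hunk also contains upgrade-relevant behaviour changes that the advisory could mention, namely `* Reload spamd after compiling rules in sa-compile.postinst.` and the move of `/var/lib/spamassassin` creation from the postinst to dpkg together with dropping the recursive chown, since these affect a running spamd and directory ownership during the update.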
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
[4.3-2] 6927fd9155 Bug #48169: spamassassin 3.4.2-1~deb9u1
 doc/errata/staging/spamassassin.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
<http://errata.software-univention.de/ucs/4.3/326.html>