Univention Bugzilla – Bug 50650
spamassassin: Multiple issues (4.4)
Last modified: 2019-12-18 13:33:13 CET
New Debian spamassassin 3.4.2-1~deb9u2 fixes:

This update addresses the following issues:

* In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2018-11805)

* In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. (CVE-2019-12420)
--- mirror/ftp/4.3/unmaintained/4.3-3/source/spamassassin_3.4.2-1~deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-3/source/spamassassin_3.4.2-1~deb9u2.dsc @@ -1,3 +1,12 @@ +3.4.2-1~deb9u2 [Fri, 07 Dec 2018 22:26:08 -0800] Noah Meyerhans <noahm@debian.org>: + + * Security update to address CVE-2018-11805. Malicious rule or configuration + files, possibly downloaded from an updates server, could execute arbitrary + commands under multiple scenarios. (Closes: 946652) + * Security update to address CVE-2019-12420. Messages can be crafted in a + way to use excessive resources, resulting in a denial of service. + (Closes: 946653) + 3.4.2-1~deb9u1 [Sun, 30 Sep 2018 23:44:58 -0700] Noah Meyerhans <noahm@debian.org>: * New upstream release fixes multiple security vulnerabilities <http://10.200.17.11/4.4-3/#1780685826896750377>
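Review bot: the timestamp on the new 3.4.2-1~deb9u2 changelog entry, `Fri, 07 Dec 2018 22:26:08 -0800`, is inconsistent with the entry's own content. It addresses CVE-2019-12420, an identifier that can only have been assigned in 2019, and closes Debian bugs 946652 and 946653, while this bug page was last modified on 2019-12-18. The year is almost certainly a typo for 2019 and should be corrected to match the real upload date before the errata is announced, since the changelog date is what downstream tooling reads for this version.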
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-3] 1cdd36db1c Bug #50650: spamassassin 3.4.2-1~deb9u2
 doc/errata/staging/spamassassin.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

[4.4-3] 93e1768eae Bug #50650: spamassassin 3.4.2-1~deb9u2
 doc/errata/staging/spamassassin.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
<http://errata.software-univention.de/ucs/4.4/404.html>