Your message dated Mon, 01 Oct 2018 07:05:38 +0000
with message-id <e1g6sgw-000djn...@fasolo.debian.org>
and subject line Bug#908971: fixed in spamassassin 3.4.2-1
has caused the Debian Bug report #908971,
regarding spamassassin: CVE-2018-11781: local user code injection in the meta rule syntax
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
908971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: spamassassin
Version: 3.4.1-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for spamassassin.

CVE-2018-11781[0]:
local user code injection in the meta rule syntax

It is fixed in new upstream version 3.4.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11781
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781
[1] https://www.openwall.com/lists/oss-security/2018/09/16/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: spamassassin
Source-Version: 3.4.2-1

We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated spamassassin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 30 Sep 2018 23:44:58 -0700
Source: spamassassin
Binary: spamassassin spamc sa-compile
Architecture: source all amd64
Version: 3.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Noah Meyerhans <no...@debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Description:
 sa-compile - Tools for compiling SpamAssassin rules into C
 spamassassin - Perl-based spam filter using text analysis
 spamc      - Client for SpamAssassin spam filtering daemon
Closes: 858457 865924 883775 884163 889501 890650 891041 891833 908969 908970 908971
Changes:
 spamassassin (3.4.2-1) unstable; urgency=medium
 .
   * New upstream release fixes multiple security vulnerabilities
     - CVE-2017-15705: Denial of service issue in which certain unclosed
       tags in emails cause markup to be handled incorrectly leading to
       scan timeouts. (Closes: 908969)
     - CVE-2016-1238: Unsafe usage of "." in @INC in a configuration
       script.
     - CVE-2018-11780: potential Remote Code Execution bug with the
       PDFInfo plugin. (Closes: 908970)
     - CVE-2018-11781: local user code injection in the meta rule syntax.
       (Closes: 908971)
     - BayesStore: bayes_expire table grows, remove_running_expire_tok not
       called (Closes: 883775)
     - Fix use of uninitialized variable warning in PDFInfo.pm
       (Closes: 865924)
     - Fix "failed to parse plugin" error in
       Mail::SpamAssassin::Plugin::URILocalBL (Closes: 891041)
   * Don't recursively chown /var/lib/spamassassin during postinst.
     (Closes: 889501)
   * Reload spamd after compiling rules in sa-compile.postinst.
   * Preserve locally set ENABLED=1 setting from /etc/default/spamassassin
     when installing on systemd-based systems. (Closes: 884163, 858457)
   * Update SysV init script to cope with upstream's change to $0.
   * Remove compiled rules upon removal of the sa-compile package.
   * Ensure that /var/lib/spamassassin/compiled doesn't change modes with
     the cron job's execution. (Closes: 890650)
   * Update standards version to 4.2.1
   * Create /var/lib/spamassassin via dpkg, rather than the postinst.
     (Closes: 891833)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
