Your message dated Sun, 02 Feb 2020 13:47:20 +0000
with message-id <e1iyfaq-0007wo...@fasolo.debian.org>
and subject line Bug#950258: fixed in spamassassin 3.4.2-1+deb10u2
has caused the Debian Bug report #950258,
regarding src:spamassassin: arbitrary code execution when processing rules files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
950258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:spamassassin
Version: 3.4.2-1+deb10u1
Severity: grave
Tags: security
CVE-2020-1930:

Apache SpamAssassin 3.4.4 was recently released, and fixes an issue
of security note where nefarious rule configuration (.cf) files can be
configured to run system commands similar to CVE-2018-11805. With this
bug unpatched, exploits can be injected in a number of scenarios,
including the same privileges as spamd is run, which may be elevated,
though doing so remotely is difficult. In addition to upgrading to SA
3.4.4, we again recommend that users should only use update channels or
3rd party .cf files from trusted places. If you cannot upgrade, do not
use 3rd party rulesets, do not use sa-compile and do not run spamd as an
account with elevated privileges.

CVE-2020-1931:

Apache SpamAssassin 3.4.4 was recently released, and fixes an issue
of security note where nefarious rule configuration (.cf) files can be
configured to run system commands similar to CVE-2018-11805. This issue
is less stealthy and attempts to exploit the issue will throw warnings.
Thanks to Damian Lukowski at credativ for reporting the issue
ethically. With this bug unpatched, exploits can be injected in a
number of scenarios, though doing so remotely is difficult. In addition
to upgrading to SA 3.4.4, we again recommend that users should only use
update channels or 3rd party .cf files from trusted places.

sid and bullseye are not affected as 3.4.4-rc1 contains the fixes.
--- End Message ---
--- Begin Message ---
Source: spamassassin
Source-Version: 3.4.2-1+deb10u2
We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 950...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated spamassassin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 30 Jan 2020 08:50:54 -0800
Source: spamassassin
Binary: sa-compile spamassassin spamc spamc-dbgsym
Architecture: source all amd64
Version: 3.4.2-1+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Noah Meyerhans <no...@debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Description:
sa-compile - Tools for compiling SpamAssassin rules into C
spamassassin - Perl-based spam filter using text analysis
spamc - Client for SpamAssassin spam filtering daemon
Closes: 950258
Changes:
spamassassin (3.4.2-1+deb10u2) buster-security; urgency=medium
.
  * Security update to address
    - CVE-2020-1930. Arbitrary code execution via malicious rule files.
    - CVE-2020-1931. Arbitrary code execution via malicious rule files.
    (Closes: #950258)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---