Your message dated Sun, 02 Feb 2020 13:47:53 +0000
with message-id <e1iyfbn-000878...@fasolo.debian.org>
and subject line Bug#950258: fixed in spamassassin 3.4.2-1~deb9u3
has caused the Debian Bug report #950258,
regarding src:spamassassin: arbitrary code execution when processing rules files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
950258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:spamassassin
Version: 3.4.2-1+deb10u1
Severity: grave
Tags: security
CVE-2020-1930:
Apache SpamAssassin 3.4.4 was recently released, and fixes an issue
of security note where nefarious rule configuration (.cf) files can be
configured to run system commands similar to CVE-2018-11805. With this
bug unpatched, exploits can be injected in a number of scenarios,
including with the same privileges as spamd is run with, which may be
elevated, though doing so remotely is difficult. In addition to upgrading to SA
3.4.4, we again recommend that users should only use update channels or
3rd party .cf files from trusted places. If you cannot upgrade, do not
use 3rd party rulesets, do not use sa-compile and do not run spamd as an
account with elevated privileges.
CVE-2020-1931:
Apache SpamAssassin 3.4.4 was recently released, and fixes an issue
of security note where nefarious rule configuration (.cf) files can be
configured to run system commands similar to CVE-2018-11805. This issue
is less stealthy and attempts to exploit the issue will throw warnings.
Thanks to Damian Lukowski at credativ for reporting the issue
ethically. With this bug unpatched, exploits can be injected in a
number of scenarios though doing so remotely is difficult. In addition
to upgrading to SA 3.4.4, we again recommend that users should only use
update channels or 3rd party .cf files from trusted places.
sid and bullseye are not affected, as 3.4.4-rc1 contains the fixes.
--- End Message ---
--- Begin Message ---
Source: spamassassin
Source-Version: 3.4.2-1~deb9u3
We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 950...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated spamassassin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 30 Jan 2020 13:09:03 -0800
Source: spamassassin
Binary: spamassassin spamc sa-compile
Architecture: source all amd64
Version: 3.4.2-1~deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Noah Meyerhans <no...@debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Description:
sa-compile - Tools for compiling SpamAssassin rules into C
spamassassin - Perl-based spam filter using text analysis
spamc - Client for SpamAssassin spam filtering daemon
Closes: 950258
Changes:
spamassassin (3.4.2-1~deb9u3) stretch-security; urgency=medium
.
* Security update to address
- CVE-2020-1930. Arbitrary code execution via malicious rule files.
- CVE-2020-1931. Arbitrary code execution via malicious rule files.
(Closes: #950258)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---