Your message dated Sat, 08 Feb 2020 23:08:24 +0000
with message-id <e1j0zd6-000ain...@fasolo.debian.org>
and subject line Bug#947198: fixed in sa-exim 4.2.1-19
has caused the Debian Bug report #947198,
regarding sa-exim: CVE-2019-19920
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
947198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947198
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sa-exim
Version: 4.2.1-16
Severity: normal

Dear Maintainer,

After upgrading SA (security update, 3.4.2-1~deb9u2) I got a flood of the following in the logs:

 Dec 16 10:04:53 vdmpp1 spamd[15196]: rules: failed to run GREYLIST_ISWHITE test, skipping:
 Dec 16 10:04:53 vdmpp1 spamd[15196]:  (Insecure dependency in eval while running with -T switch at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 76.
 Dec 16 10:04:53 vdmpp1 spamd[15196]: )

Probably the security changes added in the upgraded SA 'broke' something in
sa-exim.

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sa-exim depends on:
ii  debconf [debconf-2.0]                        1.5.61
ii  exim4-daemon-heavy [exim4-localscanapi-2.0]  4.89-2+deb9u6
ii  libc6                                        2.24-11+deb9u4
ii  libnetaddr-ip-perl                           4.079+dfsg-1+b1
ii  spamc                                        3.4.2-1~deb9u2

Versions of packages sa-exim recommends:
ii  perl  5.24.1-3+deb9u5

Versions of packages sa-exim suggests:
ii  spamassassin  3.4.2-1~deb9u2

-- debconf information:
  sa-exim/purge_spool: false

--- End Message ---
--- Begin Message ---
Source: sa-exim
Source-Version: 4.2.1-19

We believe that the bug you reported is fixed in the latest version of
sa-exim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Magnus Holmgren <holmg...@debian.org> (supplier of updated sa-exim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 08 Feb 2020 22:53:50 +0100
Source: sa-exim
Architecture: source
Version: 4.2.1-19
Distribution: unstable
Urgency: medium
Maintainer: Magnus Holmgren <holmg...@debian.org>
Changed-By: Magnus Holmgren <holmg...@debian.org>
Closes: 946829 947198
Changes:
 sa-exim (4.2.1-19) unstable; urgency=medium
 .
   * no_eval.patch: [CVE-2019-19920] Manually parse option string in
     Greylisting plugin, avoiding use of eval() (Closes: #946829, #947198).
   * Bump Standards-Version to 4.5.0.


--- End Message ---
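
The changelog entry for no_eval.patch describes parsing the Greylisting plugin's option string by hand instead of passing it to eval(). A sketch of that approach in Perl, added here as an example and not the patch or the plugin's own code; the `'key' => 'value';` syntax, the option names and the `parse_options` helper are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Option names this sketch accepts (hypothetical; not taken from the plugin).
my %ALLOWED = map { $_ => 1 } qw(method dir greylistsecs);

# Parse "'key' => 'value'; 'key' => 'value'" as data, never as Perl code.
# Returns a hashref, or nothing (undef in scalar context) on malformed input.
sub parse_options {
    my ($str) = @_;
    return unless defined $str;
    $str =~ s/^\s*\(\s*//;    # tolerate an optional surrounding ( ... )
    $str =~ s/\s*\)\s*$//;
    my %opt;
    for my $pair (split /\s*;\s*/, $str) {
        next if $pair eq '';
        # Only single-quoted literals from a conservative character class
        # are accepted; anything else fails the whole parse. Validating
        # through a regex capture is also how data is cleared for use when
        # perl runs with -T, the mode named in the log lines above.
        return
            unless $pair =~ m{^\s*'([a-z]+)'\s*=>\s*'([\w./:-]*)'\s*$};
        my ($key, $value) = ($1, $2);
        return unless $ALLOWED{$key};    # unknown option names are refused
        $opt{$key} = $value;
    }
    return \%opt;
}

# Constructed sample inputs (not from the page).
my @samples = (
    q{( 'method' => 'dir'; 'dir' => '/var/spool/example'; 'greylistsecs' => '1800' )},
    q{( 'method' => dir )},          # unquoted value: rejected
    q{( 'bogus' => 'x' )},           # unknown option name: rejected
);

for my $s (@samples) {
    my $opt = parse_options($s);
    if ($opt) {
        print "accepted: ",
            join(', ', map { "$_=$opt->{$_}" } sort keys %$opt), "\n";
    } else {
        print "rejected: $s\n";
    }
}
```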
