Your message dated Mon, 05 Apr 2021 13:32:30 +0000
with message-id <e1ltplc-0000az...@fasolo.debian.org>
and subject line Bug#985962: fixed in spamassassin 3.4.2-1+deb10u3
has caused the Debian Bug report #985962,
regarding spamassassin: CVE-2020-1946: arbitrary code execution via malicious
rule configuration files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
985962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985962
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: spamassassin
Version: 3.4.2-1+deb10u2
Severity: grave
Tags: security patch upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
CVE-2020-1946
Quoting from https://www.openwall.com/lists/oss-security/2021/03/24/3 :
In Apache SpamAssassin before 3.4.5, malicious rule configuration
(.cf) files can be configured to run system commands without any
output or errors. With this, exploits can be injected in a number of
scenarios. In addition to upgrading to SA version 3.4.5, users
should only use update channels or 3rd party .cf files from trusted
places.
The fix was silently added to the 3.4 branch prior to 3.4.5~pre1 being
packaged for Debian, so it is already present in unstable and bullseye.
Buster remains exposed.
noah
--- End Message ---
--- Begin Message ---
Source: spamassassin
Source-Version: 3.4.2-1+deb10u3
Done: Noah Meyerhans <no...@debian.org>
We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated spamassassin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 26 Mar 2021 15:04:43 -0700
Source: spamassassin
Architecture: source
Version: 3.4.2-1+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Noah Meyerhans <no...@debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Closes: 985962
Changes:
spamassassin (3.4.2-1+deb10u3) buster-security; urgency=high
.
* Import upstream fix for CVE-2020-1946: arbitrary code execution via
malicious rule files. (Closes: #985962)
--- End Message ---