*** This bug is a security vulnerability ***

Public security bug reported:

Release 3.4.2 includes a number of CVE fixes.

These need to be backported to other stable releases.

> spamassassin (3.4.2-1) unstable; urgency=medium
> 
>   * New upstream release fixes multiple security vulnerabilities
>     - CVE-2017-15705: Denial of service issue in which certain unclosed
>       tags in emails cause markup to be handled incorrectly leading to
>       scan timeouts. (Closes: 908969)
>     - CVE-2016-1238: Unsafe usage of "." in @INC in a configuration
>       script.
>     - CVE-2018-11780: potential Remote Code Execution bug with the
>       PDFInfo plugin. (Closes: 908970)
>     - CVE-2018-11781: local user code injection in the meta rule syntax.
>       (Closes: 908971)
>     - BayesStore: bayes_expire table grows, remove_running_expire_tok not
>       called (Closes: 883775)
>     - Fix use of uninitialized variable warning in PDFInfo.pm
>       (Closes: 865924)
>     - Fix "failed to parse plugin" error in
>       Mail::SpamAssassin::Plugin::URILocalBL (Closes: 891041)
>   * Don't recursively chown /var/lib/spamassassin during postinst.
>     (Closes: 889501)
>   * Reload spamd after compiling rules in sa-compile.postinst.
>   * Preserve locally set ENABLED=1 setting from /etc/default/spamassassin
>     when installing on systemd-based systems. (Closes: 884163, 858457)
>   * Update SysV init script to cope with upstream's change to $0.
>   * Remove compiled rules upon removal of the sa-compile package.
>   * Ensure that /var/lib/spamassassin/compiled doesn't change modes with
>     the cron job's execution. (Closes: 890650)
>   * Update standards version to 4.2.1
>   * Create /var/lib/spamassassin via dpkg, rather than the postinst.
>     (Closes: 891833)
> 
>  -- Noah Meyerhans <no...@debian.org>  Sun, 30 Sep 2018 23:44:58 -0700

** Affects: spamassassin (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11781

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15705

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1238

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11780

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1801906

Title:
  Backport 3.4.2 CVE fixes to stable releases

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1801906/+subscriptions
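A practical follow-up to this report: Ubuntu stable releases normally receive security fixes as backported patches on top of the existing upstream version rather than an upgrade to 3.4.2, so the upstream version string of the installed spamassassin package does not by itself tell you whether the four CVEs above are fixed. The package changelog, which names the CVE IDs a security update addresses, does. The snippet below is an added example, not code from the bug report, the Debian package or the SpamAssassin project; the changelog path /usr/share/doc/spamassassin/changelog.Debian.gz is an assumption about the usual Debian/Ubuntu layout, and the sample changelog text is constructed for the example, not a real Ubuntu changelog entry.

```shell
#!/bin/sh
# Added example: report which of the CVEs fixed in spamassassin 3.4.2
# are NOT mentioned in a Debian/Ubuntu package changelog.

# The four CVE IDs listed in the 3.4.2-1 changelog quoted in the report.
SA_342_CVES="CVE-2017-15705 CVE-2016-1238 CVE-2018-11780 CVE-2018-11781"

# Read changelog text on stdin; print the CVE IDs from SA_342_CVES that do
# not appear in it (space-separated, one line). Exit 0 when every CVE is
# present, 1 when at least one is missing. grep -w keeps CVE-2016-1238
# from matching a longer ID such as CVE-2016-12389.
missing_cves() {
    text=$(cat)
    missing=""
    for cve in $SA_342_CVES; do
        if ! printf '%s\n' "$text" | grep -qw -- "$cve"; then
            missing="$missing $cve"
        fi
    done
    missing=${missing# }
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Check the changelog of the installed package. Path is an assumption;
# on Debian/Ubuntu the file is normally gzip-compressed, hence zcat.
# Exit 2 if the changelog is not readable (package not installed, etc.).
check_installed_spamassassin() {
    f=/usr/share/doc/spamassassin/changelog.Debian.gz
    if [ ! -r "$f" ]; then
        echo "no readable changelog at $f" >&2
        return 2
    fi
    zcat "$f" | missing_cves
}

# Constructed sample (not a real Ubuntu changelog entry): a backport that
# covers three of the four CVEs but omits CVE-2016-1238.
SAMPLE_CHANGELOG='spamassassin (3.4.1-0example1) example-security; urgency=medium

  * SECURITY UPDATE: backport fixes for CVE-2017-15705, CVE-2018-11780
    and CVE-2018-11781 from upstream 3.4.2.'

# Stand-alone demonstration; the "|| true" keeps a missing CVE from
# aborting a caller that runs under set -e.
if printf '%s\n' "$SAMPLE_CHANGELOG" | missing_cves >/dev/null; then
    echo "sample changelog: all 3.4.2 CVEs mentioned"
else
    echo "sample changelog: some 3.4.2 CVEs missing"
fi
```

Run check_installed_spamassassin on the target system; an empty line and exit status 0 means every CVE ID is named in the installed package's changelog. A non-zero status means the listed IDs are absent, which is a prompt to inspect the package, not proof of exposure, since a maintainer may have described a fix without citing its CVE ID.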

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs