Your message dated Sat, 14 Dec 2019 20:47:10 +0000
with message-id <e1igeji-0009yt...@fasolo.debian.org>
and subject line Bug#946652: fixed in spamassassin 3.4.2-1+deb10u1
has caused the Debian Bug report #946652,
regarding spamassassin: CVE-2018-11805: arbitrary code execution via malicious sa-update servers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
946652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946652
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: spamassassin
Version: 3.4.2-1
Severity: grave
Tags: security upstream fixed-upstream pending

Per upstream's release announcement:

Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where nefarious CF files can be configured to run
system commands without any output or errors.  With this, exploits can
be injected in a number of scenarios.  In addition to upgrading to SA
3.4.3, we recommend that users should only use update channels or 3rd
party .cf files from trusted places.

This issue has been assigned CVE id CVE-2018-11805 [2]

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org.  For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11805

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: spamassassin
Source-Version: 3.4.2-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated spamassassin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Dec 2019 20:26:44 -0800
Source: spamassassin
Binary: sa-compile spamassassin spamc spamc-dbgsym
Architecture: source all amd64
Version: 3.4.2-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Noah Meyerhans <no...@debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Description:
 sa-compile - Tools for compiling SpamAssassin rules into C
 spamassassin - Perl-based spam filter using text analysis
 spamc      - Client for SpamAssassin spam filtering daemon
Closes: 946652 946653
Changes:
 spamassassin (3.4.2-1+deb10u1) buster-security; urgency=high
 .
   * Security update to address CVE-2018-11805. Malicious rule or configuration
     files, possibly downloaded from an updates server, could execute arbitrary
     commands under multiple scenarios. (Closes: 946652)
   * Security update to address CVE-2019-12420.  Messages can be crafted in a
     way to use excessive resources, resulting in a denial of service.
     (Closes: 946653)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
