Your message dated Sat, 14 Dec 2019 20:47:48 +0000
with message-id <e1igekk-000a8d...@fasolo.debian.org>
and subject line Bug#946652: fixed in spamassassin 3.4.2-1~deb9u2
has caused the Debian Bug report #946652,
regarding spamassassin: CVE-2018-11805: arbitrary code execution via malicious
sa-update servers
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
946652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946652
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: spamassassin
Version: 3.4.2-1
Severity: grave
Tags: security upstream fixed-upstream pending
Per upstream's release announcement:
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where nefarious CF files can be configured to run
system commands without any output or errors. With this, exploits can
be injected in a number of scenarios. In addition to upgrading to SA
3.4.3, we recommend that users should only use update channels or 3rd
party .cf files from trusted places.
This issue has been assigned CVE id CVE-2018-11805 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]: https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11805
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: spamassassin
Source-Version: 3.4.2-1~deb9u2
We believe that the bug you reported is fixed in the latest version of
spamassassin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 946...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noah Meyerhans <no...@debian.org> (supplier of updated spamassassin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 07 Dec 2018 22:26:08 -0800
Source: spamassassin
Binary: spamassassin spamc sa-compile
Architecture: source all amd64
Version: 3.4.2-1~deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Noah Meyerhans <no...@debian.org>
Changed-By: Noah Meyerhans <no...@debian.org>
Description:
sa-compile - Tools for compiling SpamAssassin rules into C
spamassassin - Perl-based spam filter using text analysis
spamc - Client for SpamAssassin spam filtering daemon
Closes: 946652 946653
Changes:
spamassassin (3.4.2-1~deb9u2) stretch-security; urgency=high
.
* Security update to address CVE-2018-11805. Malicious rule or configuration
files, possibly downloaded from an updates server, could execute arbitrary
commands under multiple scenarios. (Closes: 946652)
* Security update to address CVE-2019-12420. Messages can be crafted in a
way to use excessive resources, resulting in a denial of service.
(Closes: 946653)
Checksums-Sha1:
eea3deb322adbb275069b80a9710d421b24bd422 2465 spamassassin_3.4.2-1~deb9u2.dsc
7dad2393bd41949f6c0a06a431c795a710be803c 59980 spamassassin_3.4.2-1~deb9u2.debian.tar.xz
febacf3974238b1a425fc9573e518ad4c9e14541 47718 sa-compile_3.4.2-1~deb9u2_all.deb
7868e34ec3770069cfc9a2fd21b7b8313177abd3 1123734 spamassassin_3.4.2-1~deb9u2_all.deb
c686b1e4f5004e87d3e0b8242ec78a67de0231ce 7071 spamassassin_3.4.2-1~deb9u2_amd64.buildinfo
1434798a71ffd3ed96aecfb4e69edddd8a43ba50 43818 spamc-dbgsym_3.4.2-1~deb9u2_amd64.deb
15c75c8e953b9e0957ef295df1634852694fbf4e 82868 spamc_3.4.2-1~deb9u2_amd64.deb
Checksums-Sha256:
c19b8c8cde3a65af2d82bcaf0c142a17d1b9237de46dcbf3a026b1e25dbed681 2465 spamassassin_3.4.2-1~deb9u2.dsc
30141e1158526b59cda975fa41890f39e7a420eb386152074b03b3ce72cbd750 59980 spamassassin_3.4.2-1~deb9u2.debian.tar.xz
b1b4deea84042523caeed35dea95305f2595d2f7ed81fc8ed60cd5ec71dd26d7 47718 sa-compile_3.4.2-1~deb9u2_all.deb
9ea2a7b2f564fc99d00c840acb61b323770d48656e092788334fded33dffffd2 1123734 spamassassin_3.4.2-1~deb9u2_all.deb
26ae4531f4dac8c82ec96ef95d1f86b8ca3159dc895aa81e8c166f3edfb73ae0 7071 spamassassin_3.4.2-1~deb9u2_amd64.buildinfo
cf7e2d894dc45ff6d59175663629a05f603579bbfe4b4006cd71090e2c262421 43818 spamc-dbgsym_3.4.2-1~deb9u2_amd64.deb
ad42f238a82edff350e15f03bb24fb38515dfda9805ef282fcebb16af130f527 82868 spamc_3.4.2-1~deb9u2_amd64.deb
Files:
2488cc2b0db89c942109576ccd4d2a45 2465 mail optional spamassassin_3.4.2-1~deb9u2.dsc
7e187d5f1e1f712ac9b55ae0856fd3e2 59980 mail optional spamassassin_3.4.2-1~deb9u2.debian.tar.xz
805d7ceb995cad0ef885696750c5f1e4 47718 mail optional sa-compile_3.4.2-1~deb9u2_all.deb
1031d3e778851eaab4438f4ffa3a69fc 1123734 mail optional spamassassin_3.4.2-1~deb9u2_all.deb
064da58da10320c3a7ab9755ffdbf3a0 7071 mail optional spamassassin_3.4.2-1~deb9u2_amd64.buildinfo
a2930bae2376f7595b2758271a1b4c84 43818 debug extra spamc-dbgsym_3.4.2-1~deb9u2_amd64.deb
0a988ca87bc05a5338dcfecd7a1ee3c4 82868 mail optional spamc_3.4.2-1~deb9u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
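The .changes file quoted in the closing message lists a SHA-256 digest and size for every uploaded artifact. Checking downloaded packages against that list is the practical supply-chain step a practitioner takes before installing a security update by hand. The following is an added example, not Debian's or the package maintainer's code: it parses the Checksums-Sha256 stanza (a field line followed by space-indented continuation lines, ended by the next field) and verifies a set of candidate files. The stanza text is the real one from the message above; the file contents fed to it are constructed stand-ins for the demonstration and deliberately do not match.

```python
"""Verify files against the Checksums-Sha256 stanza of a Debian .changes file.

Added example (not Debian's or the spamassassin maintainer's code). The stanza
below is copied from the spamassassin 3.4.2-1~deb9u2 .changes file quoted in
the bug-closure mail; the file bytes used in the demo are constructed.
"""
import hashlib
import re

# Real stanza from the page (plus one Files: line to show where the stanza ends).
CHANGES_TEXT = """\
Format: 1.8
Source: spamassassin
Checksums-Sha256:
 c19b8c8cde3a65af2d82bcaf0c142a17d1b9237de46dcbf3a026b1e25dbed681 2465 spamassassin_3.4.2-1~deb9u2.dsc
 30141e1158526b59cda975fa41890f39e7a420eb386152074b03b3ce72cbd750 59980 spamassassin_3.4.2-1~deb9u2.debian.tar.xz
 b1b4deea84042523caeed35dea95305f2595d2f7ed81fc8ed60cd5ec71dd26d7 47718 sa-compile_3.4.2-1~deb9u2_all.deb
 9ea2a7b2f564fc99d00c840acb61b323770d48656e092788334fded33dffffd2 1123734 spamassassin_3.4.2-1~deb9u2_all.deb
 26ae4531f4dac8c82ec96ef95d1f86b8ca3159dc895aa81e8c166f3edfb73ae0 7071 spamassassin_3.4.2-1~deb9u2_amd64.buildinfo
 cf7e2d894dc45ff6d59175663629a05f603579bbfe4b4006cd71090e2c262421 43818 spamc-dbgsym_3.4.2-1~deb9u2_amd64.deb
 ad42f238a82edff350e15f03bb24fb38515dfda9805ef282fcebb16af130f527 82868 spamc_3.4.2-1~deb9u2_amd64.deb
Files:
 2488cc2b0db89c942109576ccd4d2a45 2465 mail optional spamassassin_3.4.2-1~deb9u2.dsc
"""

# One continuation line: 64 hex digits, decimal size, filename.
ENTRY_RE = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_checksums(changes_text):
    """Return [(sha256_hex, size, filename), ...] from the Checksums-Sha256 stanza.

    Continuation lines start with a single space; the first non-indented line
    after the field name (here "Files:") terminates the stanza.
    """
    entries = []
    in_stanza = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if not in_stanza:
            continue
        if not line.startswith(" "):
            break  # next field reached: stanza is over
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"malformed Checksums-Sha256 entry: {line!r}")
        entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def sha256_hex(data):
    """SHA-256 of a byte string as lowercase hex, the form used in .changes."""
    return hashlib.sha256(data).hexdigest()


def verify_files(entries, files):
    """Check each listed artifact against {filename: bytes}.

    Size is compared first (cheap and catches truncated downloads), then the
    digest. Listed files absent from `files` are reported as missing so a
    partial download cannot pass silently.
    """
    results = {}
    for expected_hash, expected_size, name in entries:
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != expected_size:
            results[name] = "size-mismatch"
        elif sha256_hex(data) != expected_hash:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    # Constructed stand-ins: correct length but wrong bytes for the .dsc,
    # wrong length for spamc, everything else absent.
    fake_files = {
        "spamassassin_3.4.2-1~deb9u2.dsc": b"x" * 2465,
        "spamc_3.4.2-1~deb9u2_amd64.deb": b"truncated",
    }
    for name, status in verify_files(parse_checksums(CHANGES_TEXT), fake_files).items():
        print(f"{status:14} {name}")
```

On a real system the `files` dict would be built by reading the downloaded artifacts from disk; the digest check only proves the files match what the uploader signed, so it belongs after verifying the PGP signature on the .changes file itself, which this example does not do.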