group.of.nepali.translators team mailing list archive
Message #26940
[Bug 1796863] Re: Upgrade to version 3.4.2 for Bionic
This bug was fixed in the package spamassassin - 3.4.2-0ubuntu0.16.04.1
---------------
spamassassin (3.4.2-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 3.4.2 to fix multiple security issues and
    support new rule update signatures (LP: #1796863)
    - debian/patches/*patch: sync patches from 3.4.2-1 package.
    - add pkgrules orig tarball from 3.4.2-1 package.
    - debian/spamassassin.{init,preinst}: properly handle process name
      change in spamassassin 3.4.2.
    - CVE-2017-15705
    - CVE-2018-11780
    - CVE-2018-11781

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Thu, 25 Oct 2018 12:37:49 -0400
** Changed in: spamassassin (Ubuntu Xenial)
Status: Confirmed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15705
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11780
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11781
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1796863
Title:
  Upgrade to version 3.4.2 for Bionic

Status in spamassassin package in Ubuntu:
  Fix Released
Status in spamassassin source package in Trusty:
  Confirmed
Status in spamassassin source package in Xenial:
  Fix Released
Status in spamassassin source package in Bionic:
  Confirmed
Status in spamassassin source package in Cosmic:
  Fix Released
Bug description:
  lsb_release -rd
  Description: Ubuntu 18.04.1 LTS
  Release: 18.04

  apt-cache policy spamassassin
  spamassassin:
    Installed: 3.4.1-8build1
    Candidate: 3.4.1-8build1
According to the release notes for SpamAssassin 3.4.2 there have been
significant bug fixes and changes made in the newer package. Some are
noted below. Suggest that a 3.4.2 version of SpamAssassin be released
for 18.04 LTS.
"There is one specific pressing reason to upgrade.
Specifically, we will stop producing SHA-1 signatures for rule updates. This means that
while we produce rule updates with the focus on them working for any release from
v3.3.2 forward, they will start failing SHA-1 validation for sa-update.
*** If you do not update to 3.4.2, you will be stuck at the last ruleset
with SHA-1 signatures in the near future. ***"
"Four CVE security bug fixes are included in this release for PDFInfo.pm and
the SA core:
CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781"
CVE-2017-15705 -
"A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts."
https://launchpad.net/bugs/cve/CVE-2017-15705
CVE-2016-1238 -
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1238.html
According to the link above it appears that Bionic is not affected by this.
CVE-2018-11780 -
"A potential Remote Code Execution bug exists with the PDFInfo plugin in
Apache SpamAssassin before 3.4.2."
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11780.html
CVE-2018-11781 -
"Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta
rule syntax."
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11781.html