group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1861534] Re: Spamassassin needs updated to 3.4.4 to reflect security fixes

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Wed, 05 Feb 2020 17:46:49 -0000
Reply-to: Bug 1861534 <1861534@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Security updates were already released for these two CVEs here:

https://usn.ubuntu.com/4265-1/

** Changed in: spamassassin (Ubuntu Xenial)
       Status: New => Fix Released

** Changed in: spamassassin (Ubuntu Bionic)
       Status: New => Fix Released

** Changed in: spamassassin (Ubuntu Disco)
       Status: New => Invalid

** Changed in: spamassassin (Ubuntu Disco)
       Status: Invalid => Won't Fix

** Changed in: spamassassin (Ubuntu Eoan)
       Status: New => Fix Released

** Changed in: spamassassin (Ubuntu Trusty)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1861534

Title:
  Spamassassin needs updated to 3.4.4 to reflect security fixes

Status in spamassassin package in Ubuntu:
  Triaged
Status in spamassassin source package in Trusty:
  Fix Released
Status in spamassassin source package in Xenial:
  Fix Released
Status in spamassassin source package in Bionic:
  Fix Released
Status in spamassassin source package in Disco:
  Won't Fix
Status in spamassassin source package in Eoan:
  Fix Released
Status in spamassassin source package in Focal:
  Triaged

Bug description:
  lsb_release -rd
  Description:	Ubuntu 18.04.4 LTS
  Release:	18.04

  apt-cache policy spamassassin
  spamassassin:
    Installed: 3.4.2-0ubuntu0.18.04.2
    Candidate: 3.4.2-0ubuntu0.18.04.2

  The current version of Spamassassin is 3.4.2, the newest version,
  3.4.4 fixes two security issues:

  CVE-2020-1930
  A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges. 

  CVE-2020-1931
  A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. 

  Request that Spamassassin be updated to the latest version, 3.4.4, as
  soon as possible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1861534/+subscriptions