Bug 243744 - [PATCH] Update spamassassin to 3.4.4 CVE-2020-1930
Summary: [PATCH] Update spamassassin to 3.4.4 CVE-2020-1930
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Niclas Zeising
URL: https://svn.apache.org/repos/asf/spam...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-30 22:11 UTC by Cy Schubert
Modified: 2020-03-13 20:18 UTC (History)

See Also:
zeising: maintainer-feedback+
zeising: merge-quarterly?


Attachments
Update spamassassin to 3.4.4 (944 bytes, patch)
2020-01-30 22:11 UTC, Cy Schubert
cy: maintainer-approval?

Description Cy Schubert freebsd_committer freebsd_triage 2020-01-30 22:11:56 UTC
Created attachment 211208 [details]
Update spamassassin to 3.4.4

Apache SpamAssassin 3.4.4 was recently released [1], and fixes an issue
of security note where nefarious rule configuration (.cf) files can be
configured to run system commands similar to CVE-2018-11805.  With this
bug unpatched, exploits can be injected in a number of scenarios
including the same privileges as spamd is run which may be elevated
though doing so remotely is difficult.  In addition to upgrading to SA
3.4.4, we again recommend that users should only use update channels or
3rd party .cf files from trusted places.  If you cannot upgrade, do not
use 3rd party rulesets, do not use sa-compile and do not run spamd as an
account with elevated privileges.

This issue has been assigned CVE id CVE-2020-1930 [2].

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org.  For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1930
-- 

Kevin A. McGrail
KMcGrail@Apache.org
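The advisory's mitigation for sites that pull third-party .cf rules is to take them only from trusted places. The following audit script is an added example (not SpamAssassin, FreeBSD ports or the reporter's code) of what a pre-deployment check for a rules directory can look like: it verifies each rule file against a pinned SHA-256 manifest, flags files writable by other users or owned by an unexpected uid, and reports `loadplugin` directives for review. The manifest format, the policy of flagging `loadplugin` in third-party rules, and the sample rule files are assumptions constructed for the example.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def parse_manifest(text: str) -> dict:
    """Constructed manifest format: one '<sha256>  <filename>' per line, '#' comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        out[name.strip()] = digest.lower()
    return out

def audit_rules_dir(rules_dir: Path, manifest: dict, trusted_uid: int) -> list:
    """Return (filename, finding) pairs for every .cf file that fails a check."""
    findings = []
    for cf in sorted(rules_dir.glob("*.cf")):
        st = cf.stat()
        # A rule file anyone but its owner can modify is a tampering risk.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((cf.name, "group/world writable"))
        if st.st_uid != trusted_uid:
            findings.append((cf.name, f"owned by uid {st.st_uid}, expected {trusted_uid}"))
        # Integrity: the file must be exactly what the trusted channel published.
        expected = manifest.get(cf.name)
        if expected is None:
            findings.append((cf.name, "not in trusted manifest"))
        elif sha256_of(cf) != expected:
            findings.append((cf.name, "sha256 mismatch"))
        # Policy assumption: third-party rules should not load Perl plugin code.
        for lineno, line in enumerate(cf.read_text(errors="replace").splitlines(), 1):
            if line.lstrip().startswith("loadplugin"):
                findings.append((cf.name, f"loadplugin at line {lineno}"))
    return findings

def demo() -> list:
    """Constructed sample: one pinned local rule file, one unpinned third-party file."""
    good = "header LOCAL_DEMO_SUBJ Subject =~ /\\bdemo\\b/i\nscore LOCAL_DEMO_SUBJ 0.1\n"
    bad = "loadplugin Local::UntrustedPlugin\nbody LOCAL_DEMO_BODY /demo/\n"
    with tempfile.TemporaryDirectory() as d:
        rules = Path(d)
        (rules / "70_local.cf").write_text(good)
        os.chmod(rules / "70_local.cf", 0o644)
        (rules / "99_thirdparty.cf").write_text(bad)
        os.chmod(rules / "99_thirdparty.cf", 0o666)   # deliberately world-writable
        manifest = parse_manifest(f"{hashlib.sha256(good.encode()).hexdigest()}  70_local.cf\n")
        return audit_rules_dir(rules, manifest, trusted_uid=os.getuid())
```

Running `demo()` reports the third-party file three times (writable, unpinned, loadplugin) and the pinned local file not at all; in production the manifest would be shipped by the rule channel and `trusted_uid` would be root.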
Comment 1 commit-hook freebsd_committer freebsd_triage 2020-01-31 16:07:32 UTC
A commit references this bug:

Author: zeising
Date: Fri Jan 31 16:06:56 UTC 2020
New revision: 524723
URL: https://svnweb.freebsd.org/changeset/ports/524723

Log:
  mail/spamassassin: Update to 3.4.4

  Update mail/spamassassin to 3.4.4.  This fixes several security
  vulnerabilities.

  Changelog:
  - Improvements to OLEVBMacro
  - Fix for CRLF handling with SpamAssMilter & DKIM
  - Small fix for a regexp to provide Perl 5.8.x compatibility again
  - Increased fns_extrachars default value to 50
  - Fixed nosubject and maxhits tflags when sa-compile is used
  - Limited the Bayes parsed token count
  - Improvements to whitespace trimming

  PR:		243744
  Submitted by:	cy
  MFH:		2020Q1
  Security:	c86bfee3-4441-11ea-8be3-54e1ad3d6335

Changes:
  head/mail/spamassassin/Makefile
  head/mail/spamassassin/distinfo
Comment 2 Niclas Zeising freebsd_committer freebsd_triage 2020-01-31 16:09:16 UTC
Committed.  Pending MFH.

Thanks for the submission Cy!
Comment 3 Delta Regeer 2020-02-18 05:33:06 UTC
What's the status of merging this from head?
Comment 4 Niclas Zeising freebsd_committer freebsd_triage 2020-02-21 08:53:57 UTC
(In reply to Bert JW Regeer from comment #3)

I have never gotten any approval for that.  I'll ask again.
Comment 5 Cy Schubert freebsd_committer freebsd_triage 2020-03-13 20:18:58 UTC
This or something like it was committed.