Bug 242618 - [PATCH] Update mail/spamassassin to 3.4.3
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Cy Schubert
URL: https://spamassassin.apache.org/news....
Reported: 2019-12-13 06:24 UTC by Cy Schubert
Modified: 2020-03-13 20:19 UTC

Attachments
patch (2.81 KB, patch)
2019-12-13 06:28 UTC, Cy Schubert

Description Cy Schubert freebsd_committer 2019-12-13 06:24:32 UTC
From the quoted URL above:

2019-12-11: Apache SpamAssassin 3.4.3 has been released! Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare to move to version 4.0.0 with better, native UTF-8 handling. There are a number of functional patches, improvements as well as security reasons to upgrade to 3.4.3. In this release, there is also one new plugin and there are bug fixes for two CVEs:

    CVE-2019-12420 for Multipart Denial of Service Vulnerability
    CVE-2018-11805 for nefarious CF files can be configured to run system commands without any output or errors.
Comment 1 Cy Schubert freebsd_committer 2019-12-13 06:28:54 UTC
Created attachment 209908
patch

Update patch.

CVE-2018-11805 is an RCE. Update should be expedited.
Comment 2 Cy Schubert freebsd_committer 2019-12-13 13:13:56 UTC
Niclas Zeising asked, by private email, that I commit this. It has been committed to my git tree and I will git svn dcommit when a vuxml entry has been written up.
Comment 3 commit-hook freebsd_committer 2019-12-13 20:03:39 UTC
A commit references this bug:

Author: cy
Date: Fri Dec 13 20:03:34 UTC 2019
New revision: 520065
URL: https://svnweb.freebsd.org/changeset/ports/520065

Log:
  Update 3.4.2 --> 3.4.3

  2019-12-11: Apache SpamAssassin 3.4.3 has been released! Apache
  SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare
  to move to version 4.0.0 with better, native UTF-8 handling. There are a
  number of functional patches, improvements as well as security reasons to
  upgrade to 3.4.3. In this release, there is also one new plugin and there
  are bug fixes for two CVEs:

      CVE-2019-12420 for Multipart Denial of Service Vulnerability
      CVE-2018-11805 for nefarious CF files can be configured to run system
                     commands without any output or errors.

  PR:		242618
  Submitted by:	cy
  Reported by:	cy
  Approved by:	zeising (maintainer)
  MFH:		2019Q4
  Security:	CVE-2019-12420, CVE-2018-11805

Changes:
  head/mail/spamassassin/Makefile
  head/mail/spamassassin/distinfo
  head/mail/spamassassin/pkg-plist
Comment 4 Bert JW Regeer 2020-02-18 05:35:10 UTC
This ticket was fixed, and most recently was superseded with an upgrade to 3.4.4. So it may be closed :-)
Comment 5 Cy Schubert freebsd_committer 2020-03-13 20:19:48 UTC
Superseded by 3.4.4.