This patch updates mail/spamassassin to 3.4.5 fixing CVE-2020-1946. Email from apache.org below:

Subject: [CVE-2020-1946] Apache SpamAssassin malicious rule configuration (.cf) files can be configured to run system commands
From: Sidney Markowitz <sidney@apache.org>
Date: Thu, 25 Mar 2021 05:08:23 +1300 (Wed 09:08 PDT)
To: Sidney Markowitz <sidney@apache.org>

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue.

This issue has been assigned CVE id CVE-2020-1946 [2].

To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org.

For more information about Apache SpamAssassin, visit the https://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://s.apache.org/ng9u9
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

--
Sidney Markowitz
Chair, Apache SpamAssassin PMC
sidney@apache.org
I'm able to commit if maintainer and ports-secteam agree.
Created attachment 223549: Patch

Oops, forgot to attach the patch.
Approved. Will you write a vuXML entry as well?
Sure I can do that too.
Reassigning to me for commit.
A commit references this bug:

Author: cy
Date: Wed Mar 24 20:02:53 UTC 2021
New revision: 569156
URL: https://svnweb.freebsd.org/changeset/ports/569156

Log:
  mail/spamassassin: Update 3.4.4 --> 3.4.5, fixing CVE-2020-1946

  According to https://s.apache.org/ng9u9, 3.4.5 fixes CVE-2020-1946.

  The announce text:

  Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

  In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

  Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue.

  This issue has been assigned CVE id CVE-2020-1946 [2].

  To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org.

  For more information about Apache SpamAssassin, visit the https://spamassassin.apache.org/ web site.

  Apache SpamAssassin Security Team

  [1]: https://s.apache.org/ng9u9
  [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

  PR:           254526
  Submitted by: cy
  Reported by:  cy
  Approved by:  maintainer (zeising)
  MFH:          2021Q1
  Security:     https://s.apache.org/ng9u9
                https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

Changes:
  head/mail/spamassassin/Makefile
  head/mail/spamassassin/distinfo
  head/mail/spamassassin/pkg-plist
A commit references this bug:

Author: cy
Date: Wed Mar 24 20:02:59 UTC 2021
New revision: 569157
URL: https://svnweb.freebsd.org/changeset/ports/569157

Log:
  security/vuxml: Document spamassassin CVE-2020-1946

  PR:       254526
  Security: https://s.apache.org/ng9u9
            https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: cy
Date: Wed Mar 24 20:05:32 UTC 2021
New revision: 569158
URL: https://svnweb.freebsd.org/changeset/ports/569158

Log:
  MFH: r569156

  mail/spamassassin: Update 3.4.4 --> 3.4.5, fixing CVE-2020-1946

  According to https://s.apache.org/ng9u9, 3.4.5 fixes CVE-2020-1946.

  The announce text:

  Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

  In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

  Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue.

  This issue has been assigned CVE id CVE-2020-1946 [2].

  To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org.

  For more information about Apache SpamAssassin, visit the https://spamassassin.apache.org/ web site.

  Apache SpamAssassin Security Team

  [1]: https://s.apache.org/ng9u9
  [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

  PR:           254526
  Submitted by: cy
  Reported by:  cy
  Approved by:  maintainer (zeising)
  Security:     https://s.apache.org/ng9u9
                https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

Changes:
_U  branches/2021Q1/
  branches/2021Q1/mail/spamassassin/Makefile
  branches/2021Q1/mail/spamassassin/distinfo
  branches/2021Q1/mail/spamassassin/pkg-plist
Fixed.
Builds fine but fails to start...

Stopping spamd.
Waiting for PIDS: 44869.
Starting spamd.
child process [63928] exited or timed out without signaling production of a PID file: exit 255 at /usr/local/bin/spamd line 3034.
/usr/local/etc/rc.d/sa-spamd: WARNING: failed to start spamd
Yes, it will fail to start until you run sa-update to download a new database. Do that first, then start it. Also, install mail/sa-utils to run sa-update daily through periodic(8). It's best practice to maintain an updated database.
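The "sa-update first, then start spamd" ordering from the comment above, as an added example script that is neither part of the port nor posted by anyone in this thread. Assumptions it makes: the rule set sa-update fetches lives under /var/db/spamassassin (overridable through SA_RULES_DIR), the rc script is the sa-spamd one named in the failure output above, and sa-update's exit codes are 0 (rules updated) and 1 (already current) for success with anything higher meaning failure, which is taken from sa-update's documentation rather than from this thread.

```shell
#!/bin/sh
# Added example, not from the mail/spamassassin port or this PR.
# Bring spamd up on a fresh install: fetch a rule set first, then start the
# daemon, and refuse to start if sa-update did not leave usable rules behind.

# Assumption: the FreeBSD port's sa-update writes rules below this directory.
SA_RULES_DIR="${SA_RULES_DIR:-/var/db/spamassassin}"

# True when no rule files exist yet, i.e. the state in which spamd exits 255
# before producing a PID file, as in the failure output above.
rules_missing() {
    dir="$1"
    # sa-update writes a versioned subdirectory (e.g. 3.004005) holding *.cf files.
    [ -z "$(find "$dir" -name '*.cf' 2>/dev/null | head -n 1)" ]
}

# Interpret sa-update's exit status (assumed convention: 0 = updated,
# 1 = no newer rules available, 2 or more = an update or lint failure).
sa_update_ok() {
    case "$1" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run sa-update only when there is nothing to start spamd with, then start it.
# Using the stock channel keeps the update GPG-verified, which is the point of
# "only use update channels from trusted places" in the advisory above.
start_spamd_with_rules() {
    if rules_missing "$SA_RULES_DIR"; then
        echo "no rules under $SA_RULES_DIR; running sa-update before starting spamd"
        sa-update
        rc=$?
        if ! sa_update_ok "$rc"; then
            echo "sa-update failed with exit code $rc; not starting spamd" >&2
            return "$rc"
        fi
    fi
    service sa-spamd start
}

# Only act when invoked as "sh thisscript.sh run", so the functions can also be
# sourced and checked without touching the system.
if [ "${1:-}" = "run" ]; then
    start_spamd_with_rules
fi
```

For ongoing maintenance the comment's advice stands: mail/sa-utils hooks sa-update into periodic(8) so the rule set is refreshed daily instead of only at first start.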
Thanks for that, works like a charm now.