From owner-svn-ports-all@freebsd.org Wed Sep 26 18:09:08 2018 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6E81610B334C; Wed, 26 Sep 2018 18:09:08 +0000 (UTC) (envelope-from zeising@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1723588874; Wed, 26 Sep 2018 18:09:08 +0000 (UTC) (envelope-from zeising@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E31861AA39; Wed, 26 Sep 2018 18:09:07 +0000 (UTC) (envelope-from zeising@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8QI97xw020421; Wed, 26 Sep 2018 18:09:07 GMT (envelope-from zeising@FreeBSD.org) Received: (from zeising@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8QI97Kh020420; Wed, 26 Sep 2018 18:09:07 GMT (envelope-from zeising@FreeBSD.org) Message-Id: <201809261809.w8QI97Kh020420@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: zeising set sender to zeising@FreeBSD.org using -f From: Niclas Zeising Date: Wed, 26 Sep 2018 18:09:07 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r480751 - head/security/vuxml X-SVN-Group: ports-head X-SVN-Commit-Author: zeising X-SVN-Commit-Paths: head/security/vuxml X-SVN-Commit-Revision: 480751 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Sep 2018 18:09:08 -0000 Author: zeising Date: Wed Sep 26 18:09:07 2018 New Revision: 480751 URL: https://svnweb.freebsd.org/changeset/ports/480751 Log: Document spamassassin - multiple vulnerabilities Document spamassassin vulnerabilities, as found in this announcement: https://seclists.org/oss-sec/2018/q3/242 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Sep 26 17:31:28 2018 (r480750) +++ head/security/vuxml/vuln.xml Wed Sep 26 18:09:07 2018 (r480751) @@ -58,6 +58,49 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + spamassassin -- multiple vulnerabilities + + + spamassassin + 3.4.2 + + + + +

the Apache Spamassassin project reports:

+
+

In Apache SpamAssassin, using HTML::Parser, we setup an object and + hook into the begin and end tag event handlers In both cases, the + "open" event is immediately followed by a "close" event - even if + the tag *does not* close in the HTML being parsed.

+

Because of this, we are missing the "text" event to deal with + the object normally. This can cause carefully crafted emails that + might take more scan time than expected leading to a Denial of + Service.

+

Fix a reliance on "." in @INC in one configuration script. Whether + this can be exploited in any way is uncertain.

+

Fix a potential Remote Code Execution bug with the PDFInfo plugin. + Thanks to cPanel Security Team for their report of this issue.

+

Fourth, this release fixes a local user code injection in the + meta rule syntax. Thanks again to cPanel Security Team for their + report of this issue.

+
+ +
+ + https://seclists.org/oss-sec/2018/q3/242 + CVE-2017-15705 + CVE-2016-1238 + CVE-2018-11780 + CVE-2018-11781 + + + 2018-09-16 + 2018-09-26 + +
+ wesnoth -- Code Injection vulnerability