Date:      Fri, 31 Jan 2020 10:16:38 -0800
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        Niclas Zeising <zeising@FreeBSD.org>, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r524719 - head/security/vuxml
Message-ID:  <54342EF2-60B5-462E-A243-6E2BA9D3B216@cschubert.com>
In-Reply-To: <202001311602.00VG2jBq029161@repo.freebsd.org>
References:  <202001311602.00VG2jBq029161@repo.freebsd.org>

On January 31, 2020 8:02:45 AM PST, Niclas Zeising <zeising@FreeBSD.org> wrote:
>Author: zeising
>Date: Fri Jan 31 16:02:45 2020
>New Revision: 524719
>URL: https://svnweb.freebsd.org/changeset/ports/524719
>
>Log:
>  vuxml: Add entries for spamassassin vulnerabilities.
>
>Modified:
>  head/security/vuxml/vuln.xml
>
>Modified: head/security/vuxml/vuln=2Exml
>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
>--- head/security/vuxml/vuln=2Exml	Fri Jan 31 15:50:23 2020	(r524718)
>+++ head/security/vuxml/vuln=2Exml	Fri Jan 31 16:02:45 2020	(r524719)
>@@ -58,6 +58,42 @@ Notes:
>   * Do not forget port variants (linux-f10-libxml2, libxml2, etc=2E)
> -->
> <vuxml xmlns=3D"http://www=2Evuxml=2Eorg/apps/vuxml-1">;
>+  <vuln vid=3D"c86bfee3-4441-11ea-8be3-54e1ad3d6335">
>+    <topic>spamassassin -- Nefarious rule configuration files can run
>system commands</topic>
>+    <affects>
>+      <package>
>+	<name>spamassassin</name>
>+	<range><lt>3=2E4=2E4</lt></range>
>+      </package>
>+    </affects>
>+    <description>
>+      <body xmlns=3D"http://www=2Ew3=2Eorg/1999/xhtml">;
>+	<p>The Apache SpamAssassin project reports:</p>
>+	<blockquote
>cite=3D"ihttps://mail-archives=2Eapache=2Eorg/mod_mbox/spamassassin-annou=
nce/202001=2Embox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache=2Eorg%3e">
>+	  <p>A nefarious rule configuration (=2Ecf) files can be configured to
>+	    run system commands=2E  This issue is less stealthy and attempts to
>+	    exploit the issue will throw warnings=2E</p>
>+	  <p>Thanks to Damian Lukowski at credativ for reporting the issue
>+            ethically=2E  With this bug unpatched, exploits can be
>injected in a
>+	    number of scenarios though doing so remotely is difficult=2E  In
>+	    addition to upgrading to SA 3=2E4=2E4, we again recommend that user=
s
>+	    should only use update channels or 3rd party =2Ecf files from
>trusted
>+	    places=2E</p>
>+	</blockquote>
>+      </body>
>+    </description>
>+    <references>
>+    =20
><url>https://mail-archives=2Eapache=2Eorg/mod_mbox/spamassassin-announce/=
202001=2Embox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache=2Eorg%3e</url>
>+    =20
><url>https://mail-archives=2Eapache=2Eorg/mod_mbox/spamassassin-announce/=
202001=2Embox/%3ccdae17ce-acde-6060-148a-6dc5f45ee728@apache=2Eorg%3e</url>
>+      <cvename>CVE-2020-1930</cvename>
>+      <cvename>CVE-2020-1931</cvename>
>+    </references>
>+    <dates>
>+      <discovery>2020-01-28</discovery>
>+      <entry>2020-01-31</entry>
>+    </dates>
>+  </vuln>
>+
>   <vuln vid=3D"b4e5f782-442d-11ea-9ba9-206a8a720317">
>     <topic>sudo -- Potential bypass of Runas user restrictions</topic>
>     <affects>
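
Review bot: the `cite` attribute on the `<blockquote>` in the new spamassassin entry starts with `ihttps://`, a stray `i` ahead of the scheme, so it is not a usable URL and no longer matches the first `<url>` under `<references>`; drop the `i`. The entry also carries two `<cvename>` elements (CVE-2020-1930 and CVE-2020-1931) and two announcement URLs, but the quoted description cites only one announcement, so it would help to quote the second advisory as well or make clear which text belongs to which CVE. The Notes comment just above the insertion point reminds committers about port variants, and only `spamassassin` is listed under `<affects>`, so confirm that no variant of the port needs its own `<package>` block.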

Can you remove the entry I added yesterday, please? Or, I can do that at noon my time.


-- 
Pardon the typos and autocorrect, small keyboard in use.
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://www.FreeBSD.org

The need of the many outweighs the greed of the few.

Sent from my Android device with K-9 Mail. Please excuse my brevity.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54342EF2-60B5-462E-A243-6E2BA9D3B216>