Date:      Wed, 24 Mar 2021 18:05:49 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 254526] [PATCH] mail/spamassassin Update to 3.4.5 fixing  CVE-2020-1946
Message-ID:  <bug-254526-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254526

            Bug ID: 254526
           Summary: [PATCH] mail/spamassassin Update to 3.4.5 fixing
                    CVE-2020-1946
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
                OS: Any
            Status: New
          Keywords: security
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: zeising@FreeBSD.org
          Reporter: cy@FreeBSD.org
                CC: ports-bugs@FreeBSD.org, ports-secteam@FreeBSD.org
             Flags: maintainer-feedback?(zeising@FreeBSD.org)
             Flags: merge-quarterly?

This patch updates mail/spamassassin to 3.4.5 fixing CVE-2020-1946. Email from
apache.org below:

Subject: [CVE-2020-1946] Apache SpamAssassin malicious rule configuration
 (.cf) files can be configured to run system commands
From: Sidney Markowitz <sidney@apache.org>
Date: Thu, 25 Mar 2021 05:08:23 +1300 (Wed 09:08 PDT)
To: Sidney Markowitz <sidney@apache.org>

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of
security note where malicious rule configuration (.cf) files can be configured
to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of
scenarios. In addition to upgrading to SA 3.4.5, users should only use update
channels or 3rd party .cf files from trusted places.

Apache SpamAssassin would like to thank Damian Lukowski at credativ for
ethically reporting this issue.

This issue has been assigned CVE id CVE-2020-1946 [2]

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the https://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://s.apache.org/ng9u9

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

-- 
Sidney Markowitz
Chair, Apache SpamAssassin PMC
sidney@apache.org

-- 
You are receiving this mail because:
You are on the CC list for the bug.


