From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 254526] [PATCH] mail/spamassassin Update to 3.4.5 fixing CVE-2020-1946
Date: Wed, 24 Mar 2021 18:05:49 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254526

            Bug ID: 254526
           Summary: [PATCH] mail/spamassassin Update to 3.4.5 fixing CVE-2020-1946
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
                OS: Any
            Status: New
          Keywords: security
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: zeising@FreeBSD.org
          Reporter: cy@FreeBSD.org
                CC: ports-bugs@FreeBSD.org, ports-secteam@FreeBSD.org
             Flags: maintainer-feedback?(zeising@FreeBSD.org)
             Flags: merge-quarterly?

This patch updates mail/spamassassin to 3.4.5 fixing CVE-2020-1946. Email from apache.org below:

Subject: [CVE-2020-1946] Apache SpamAssassin malicious rule configuration (.cf) files can be configured to run system commands
From: Sidney Markowitz
Date: Thu, 25 Mar 2021 05:08:23 +1300 (Wed 09:08 PDT)
To: Sidney Markowitz (Unknown charset: )

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue.

This issue has been assigned CVE id CVE-2020-1946 [2]

To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org. For more information about Apache SpamAssassin, visit the https://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://s.apache.org/ng9u9
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

-- 
Sidney Markowitz
Chair, Apache SpamAssassin PMC
sidney@apache.org