Backport 3.4.2 CVE fixes to stable releases
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
spamassassin (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Release 3.4.2 includes a number of CVE fixes.
These need to be backported to other stable releases.
> spamassassin (3.4.2-1) unstable; urgency=medium
>
>   * New upstream release fixes multiple security vulnerabilities
>     - CVE-2017-15705: Denial of service issue in which certain unclosed
>       tags in emails cause markup to be handled incorrectly leading to
>       scan timeouts. (Closes: 908969)
>     - CVE-2016-1238: Unsafe usage of "." in @INC in a configuration
>       script.
>     - CVE-2018-11780: potential Remote Code Execution bug with the
>       PDFInfo plugin. (Closes: 908970)
>     - CVE-2018-11781: local user code injection in the meta rule syntax.
>       (Closes: 908971)
>     - BayesStore: bayes_expire table grows, remove_
>       called (Closes: 883775)
>     - Fix use of uninitialized variable warning in PDFInfo.pm
>       (Closes: 865924)
>     - Fix "failed to parse plugin" error in
>       Mail::SpamAssas
>   * Don't recursively chown /var/lib/
>     (Closes: 889501)
>   * Reload spamd after compiling rules in sa-compile.
>   * Preserve locally set ENABLED=1 setting from /etc/default/
>     when installing on systemd-based systems. (Closes: 884163, 858457)
>   * Update SysV init script to cope with upstream's change to $0.
>   * Remove compiled rules upon removal of the sa-compile package.
>   * Ensure that /var/lib/
>     the cron job's execution. (Closes: 890650)
>   * Update standards version to 4.2.1
>   * Create /var/lib/
>     (Closes: 891833)
>
>  -- Noah Meyerhans <email address hidden>  Sun, 30 Sep 2018 23:44:58 -0700
CVE References
information type: Private Security → Public Security
Status changed to 'Confirmed' because the bug affects multiple users.