Ubuntu
spamassassin package

Upgrade to version 3.4.2 for Bionic

Bug #1796863 reported by chris pollock
34
This bug affects 5 people
Affects Status Importance Assigned to Milestone
spamassassin (Ubuntu)
Fix Released
Medium
Unassigned
Trusty
Fix Released
Undecided
Marc Deslauriers
Xenial
Fix Released
Undecided
Marc Deslauriers
Bionic
Fix Released
Undecided
Marc Deslauriers
Cosmic
Fix Released
Medium
Unassigned

Bug Description

lsb_release -rd
Description: Ubuntu 18.04.1 LTS
Release: 18.04

apt-cache policy spamassassin
spamassassin:
  Installed: 3.4.1-8build1
  Candidate: 3.4.1-8build1

According to the release notes for Spamassassin 3.4.2 there have been significant bug fixes and changes made in the newer package. Some are noted below. Suggest that a 3.4.2 version of Spamassassin be released for 18.04LTS.

"There is one specific pressing reason to upgrade.
Specifically, we will stop producing SHA-1 signatures for rule updates. This means that
while we produce rule updates with the focus on them working for any release from
v3.3.2 forward, they will start failing SHA-1 validation for sa-update.

*** If you do not update to 3.4.2, you will be stuck at the last ruleset
    with SHA-1 signatures in the near future. ***"

"Four CVE security bug fixes are included in this release for PDFInfo.pm and
the SA core:
 CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781"

CVE-2017-15705 -
"A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts."
https://launchpad.net/bugs/cve/CVE-2017-15705

CVE-2016-1238 -
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1238.html
According to the link above it appears that Bionic is not affected by this.

CVE-2018-11780 -
"A potential Remote Code Execution bug exists with the PDFInfo plugin in
Apache SpamAssassin before 3.4.2."
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11780.html

CVE-2018-11781 -
"Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta
rule syntax."
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11781.html

Tags: server-next
Revision history for this message
Robie Basak (racb) wrote :

Upstream
release notes: http://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.2.txt

tags: added: server-next
Revision history for this message
chris pollock (cpollock) wrote :

I see that 3.4.2 has been released with the just released 18.10 (Cosmic) will there also be an update for 18.04 soon?

Andreas Hasenack (ahasenack)
Changed in spamassassin (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Dominic Raferd (dominic-timedicer) wrote :

Yes please can we have this asap

Marc Deslauriers (mdeslaur)
Changed in spamassassin (Ubuntu Trusty):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in spamassassin (Ubuntu Xenial):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in spamassassin (Ubuntu Bionic):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in spamassassin (Ubuntu Cosmic):
status: Triaged → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Updated packages are now available for testing in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please test them and comment in this bug. I'd appreciate some feedback before officially releasing them as the packages update to a whole new version.

Thanks!

Revision history for this message
vvhk (vvhk-deactivatedaccount-deactivatedaccount) wrote :

Tested synthetically (isolated from Postfix, but fed real messages via spamc), upgraded from 3.4.1 in a cloned production environment. LGTM.

Revision history for this message
chris pollock (cpollock) wrote :
Download full text (4.5 KiB)

Package install went without a hitch. I installed each pkg individually verified the new version number

spamassassin -V
SpamAssassin version 3.4.2
  running on Perl version 5.26.1

I also tested an email with spamassassin -D -t CVA.mbox the output is here:

https://pastebin.com/sQwJchB3

Syslog logging for incoming message:

Nov 6 08:36:06 localhost spamd[18326]: spamd: connection from ::1 [::1]:60902 to port 783, fd 5
Nov 6 08:36:06 localhost spamd[18326]: spamd: setuid to chris succeeded
Nov 6 08:36:06 localhost spamd[18326]: spamd: processing message <email address hidden> for chris:1000
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: a.ns.northerntool.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: b.ns.northerntool.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: ns1.northerntool.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: ns3.northerntool.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: ns2.northerntool.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: b.ns.northerntoolemail.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: f.ns.northerntoolemail.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: d.ns.northerntoolemail.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: a.ns.northerntoolemail.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: e.ns.northerntoolemail.com
Nov 6 08:36:06 localhost spamd[18326]: dns: new_dns_packet: domain is utf8 flagged: c.ns.northerntoolemail.com
Nov 6 08:36:06 localhost spamd[18326]: rules: failed to run USER_IN_DKIM_WHITELIST test, skipping:
Nov 6 08:36:06 localhost spamd[18326]: (Not a HASH reference at /usr/share/perl5/Mail/SpamAssassin/Plugin/FromNameSpoof.pm line 319.
Nov 6 08:36:06 localhost spamd[18326]: )
Nov 6 08:36:06 localhost named[1116]: REFUSED unexpected RCODE resolving 'rbldns4.sorbs.net/A/IN': 87.106.246.125#53
Nov 6 08:36:06 localhost named[1116]: REFUSED unexpected RCODE resolving 'rbldns6.sorbs.net/A/IN': 87.106.246.125#53
Nov 6 08:36:06 localhost named[1116]: REFUSED unexpected RCODE resolving 'rbldns3.sorbs.net/A/IN': 87.106.246.125#53
Nov 6 08:36:06 localhost named[1116]: REFUSED unexpected RCODE resolving 'rbldns11.sorbs.net/A/IN': 87.106.246.125#53
Nov 6 08:36:06 localhost named[1116]: REFUSED unexpected RCODE resolving 'rbldns7.sorbs.net/A/IN': 87.106.246.125#53
Nov 6 08:36:06 localhost named[1116]: REFUSED unexpected RCODE resolving 'rbldns9.sorbs.net/A/IN': 87.106.246.125#53
Nov 6 08:36:06 localhost named[1116]: REFUSED unexpected RCODE resolving 'rbldns12.sorbs.net/A/IN': 87.106.246.125#53
Nov 6 08:36:06 localhost named[1116]: REFUSED unexpected RCODE resolving 'rbldns8.sorbs.net/A/IN': 87.106.246.125#53
Nov 6 08:36:06 localhost named[1116]: REFUSED unexpected RCODE resolving 'rbldns10.sorbs.net/A/IN': 87.106.246.125#53
Nov...

Read more...

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the testing vkh and cpollock!

@vkh: what release was that test on?

Revision history for this message
vvhk (vvhk-deactivatedaccount-deactivatedaccount) wrote :

@mdeslaur: oh sorry, Bionic.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spamassassin - 3.4.2-0ubuntu0.16.04.1

---------------
spamassassin (3.4.2-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 3.4.2 to fix multiple security issues and
    support new rule update signatures (LP: #1796863)
    - debian/patches/*patch: sync patches from 3.4.2-1 package.
    - add pkgrules orig tarball from 3.4.2-1 package.
    - debian/spamassassin.{init,preinst}: properly handle process name
      change in spamassassin 3.4.2.
    - CVE-2017-15705
    - CVE-2018-11780
    - CVE-2018-11781

 -- Marc Deslauriers <email address hidden> Thu, 25 Oct 2018 12:37:49 -0400

Changed in spamassassin (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spamassassin - 3.4.2-0ubuntu0.18.04.1

---------------
spamassassin (3.4.2-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Update to 3.4.2 to fix multiple security issues and
    support new rule update signatures (LP: #1796863)
    - debian/patches/*patch: sync patches from 3.4.2-1 package.
    - add pkgrules orig tarball from 3.4.2-1 package.
    - debian/spamassassin.{init,preinst}: properly handle process name
      change in spamassassin 3.4.2.
    - CVE-2017-15705
    - CVE-2018-11780
    - CVE-2018-11781

 -- Marc Deslauriers <email address hidden> Thu, 25 Oct 2018 07:57:41 -0400

Changed in spamassassin (Ubuntu Bionic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spamassassin - 3.4.2-0ubuntu0.14.04.1

---------------
spamassassin (3.4.2-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 3.4.2 to fix multiple security issues and
    support new rule update signatures (LP: #1796863)
    - debian/patches/*patch: sync patches from 3.4.2-1 package.
    - add pkgrules orig tarball from 3.4.2-1 package.
    - debian/spamassassin.{init,preinst}: properly handle process name
      change in spamassassin 3.4.2.
    - CVE-2017-15705
    - CVE-2018-11780
    - CVE-2018-11781

 -- Marc Deslauriers <email address hidden> Thu, 25 Oct 2018 12:37:49 -0400

Changed in spamassassin (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
chris pollock (cpollock) wrote :

I forgot to mention that SA-Update ran with no problems also during it's normal cronjob run this afternoon. I forgot to run it after the upgrade this morning.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.