On Wed, 18 Dec 2019, Noah Meyerhans wrote:

[snip]
The problem is likely related to the fixes for CVE-2018-11805, which
involved malicious rulesets invoking arbitrary commands as the uid
running spamassassin/spamd.  In the case of sa-exim, the line triggering
the taint failure is performing an "eval" operation of configuration
data read directly from a .cf file, so changing spamassassin's behavior
is probably not ideal.

I've tested a backport of sa-exim 4.2.1-16 from stretch to jessie, and
have observed that the problem does not occur in this scenario.  So an
update of sa-exim in jessie might be the least disruptive path to a fix
here.  In the meantime, you might consider locally building it.

Hi Noah,

I tried backporting sa-exim 4.2.1-16 to jessie. While it installs and fixes the installation problem with sa-compile, for some reason it broke greylisting on my system. Basically, every email that gets greylisted will continually get a temporary rejection until the other server gives up. It appears that no email, once it is greylisted, will ever get through.

I'm not sure if this is specific to my setup due to a quirk of my configuration settings and a minor incompatibility between the stretch and jessie versions of sa-exim or something more serious. Log files did not reveal anything obvious nor did a quick review of the differences between the sources of the two versions.

For now I have just disabled greylisting on my server; unfortunately, I don't have time right now for a more in-depth analysis, as I would have to re-learn how all of this works.

FWIW.

Shannon C. Dealy               |       DeaTech Research Inc.
de...@deatech.com              | Biotechnology Development Services
Telephone USA: +1 541-929-4089 |      USA and the Netherlands
Netherlands:   +31 85 208 5570 |          www.deatech.com
