Security updates were already released for these two CVEs here:
https://usn.ubuntu.com/4265-1/
** Changed in: spamassassin (Ubuntu Xenial)
Status: New => Fix Released
** Changed in: spamassassin (Ubuntu Bionic)
Status: New => Fix Released
** Changed in: spamassassin (Ubuntu Disco)
Status: New => Invalid
** Changed in: spamassassin (Ubuntu Disco)
Status: Invalid => Won't Fix
** Changed in: spamassassin (Ubuntu Eoan)
Status: New => Fix Released
** Changed in: spamassassin (Ubuntu Trusty)
Status: New => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1861534
Title:
Spamassassin needs updated to 3.4.4 to reflect security fixes
Status in spamassassin package in Ubuntu:
Triaged
Status in spamassassin source package in Trusty:
Fix Released
Status in spamassassin source package in Xenial:
Fix Released
Status in spamassassin source package in Bionic:
Fix Released
Status in spamassassin source package in Disco:
Won't Fix
Status in spamassassin source package in Eoan:
Fix Released
Status in spamassassin source package in Focal:
Triaged
Bug description:
lsb_release -rd
Description: Ubuntu 18.04.4 LTS
Release: 18.04
apt-cache policy spamassassin
spamassassin:
Installed: 3.4.2-0ubuntu0.18.04.2
Candidate: 3.4.2-0ubuntu0.18.04.2
The current version of Spamassassin is 3.4.2, the newest version,
3.4.4 fixes two security issues:
CVE-2020-1930
A command execution issue was found in Apache SpamAssassin prior to 3.4.3.
Carefully crafted nefarious rule configuration (.cf) files can be configured to
run system commands similar to CVE-2018-11805. With this bug unpatched,
exploits can be injected in a number of scenarios including the same privileges
as spamd is run which may be elevated though doing so remotely is difficult. In
addition to upgrading to SA 3.4.4, we again recommend that users should only
use update channels or 3rd party .cf files from trusted places. If you cannot
upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run
spamd as an account with elevated privileges.
CVE-2020-1931
A command execution issue was found in Apache SpamAssassin prior to 3.4.3.
Carefully crafted nefarious Configuration (.cf) files can be configured to run
system commands similar to CVE-2018-11805. This issue is less stealthy and
attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at
credativ for reporting the issue ethically. With this bug unpatched, exploits
can be injected in a number of scenarios though doing so remotely is difficult.
In addition to upgrading to SA 3.4.4, we again recommend that users should only
use update channels or 3rd party .cf files from trusted places.
Request that Spamassassin be updated to the latest version, 3.4.4, as
soon as possible.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1861534/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
