Security updates were already released for these two CVEs here: https://usn.ubuntu.com/4265-1/
** Changed in: spamassassin (Ubuntu Xenial) Status: New => Fix Released ** Changed in: spamassassin (Ubuntu Bionic) Status: New => Fix Released ** Changed in: spamassassin (Ubuntu Disco) Status: New => Invalid ** Changed in: spamassassin (Ubuntu Disco) Status: Invalid => Won't Fix ** Changed in: spamassassin (Ubuntu Eoan) Status: New => Fix Released ** Changed in: spamassassin (Ubuntu Trusty) Status: New => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1861534 Title: Spamassassin needs updated to 3.4.4 to reflect security fixes Status in spamassassin package in Ubuntu: Triaged Status in spamassassin source package in Trusty: Fix Released Status in spamassassin source package in Xenial: Fix Released Status in spamassassin source package in Bionic: Fix Released Status in spamassassin source package in Disco: Won't Fix Status in spamassassin source package in Eoan: Fix Released Status in spamassassin source package in Focal: Triaged Bug description: lsb_release -rd Description: Ubuntu 18.04.4 LTS Release: 18.04 apt-cache policy spamassassin spamassassin: Installed: 3.4.2-0ubuntu0.18.04.2 Candidate: 3.4.2-0ubuntu0.18.04.2 The current version of Spamassassin is 3.4.2, the newest version, 3.4.4 fixes two security issues: CVE-2020-1930 A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges. CVE-2020-1931 A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. Request that Spamassassin be updated to the latest version, 3.4.4, as soon as possible. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1861534/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp