[
https://issues.apache.org/jira/browse/JAMES-3523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17308332#comment-17308332
]
Benoit Tellier commented on JAMES-3523:
---------------------------------------
To be running SpamAssassin 3.4.5 within our test suite, we need the
corresponding Debian package to be released
(https://packages.debian.org/stretch/spamassassin)
> Vulnerable third party application: test and recommend SpamAssassin 3.4.5
> ------------------------------------------------------------------------
>
> Key: JAMES-3523
> URL: https://issues.apache.org/jira/browse/JAMES-3523
> Project: James Server
> Issue Type: Task
> Components: spamassassin
> Reporter: Benoit Tellier
> Priority: Major
>
> SpamAssassin is affected by CVE-2020-1946:
> *Apache SpamAssassin malicious rule configuration (.cf) files can be
> configured to run system commands*
> Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of
> security note where malicious rule configuration (.cf) files can be
> configured to run system commands.
> In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of
> scenarios. In addition to upgrading to SA 3.4.5, users should only use update
> channels or 3rd party .cf files from trusted places.
> Apache SpamAssassin would like to thank Damian Lukowski at credativ for
> ethically reporting this issue.
> This issue has been assigned CVE id CVE-2020-1946 [2]
> To contact the Apache SpamAssassin security team, please e-mail
> security at spamassassin.apache.org. For more information about Apache
> SpamAssassin, visit the spamassassin.apache.org web site.
> Apache SpamAssassin Security Team
> We should:
> - Use 3.4.5 version in our tests
> - Recommend the use of SpamAssassin 3.4.5 in the Third party software section
> of our changelog
> - Check the documentation for possible version mentions