Subject: [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805
From: "Kevin A. McGrail"
To: "kmcgrail@apache.org"
Reply-To: SpamAssassin Devel List
Delivered-To: mailing list announce@spamassassin.apache.org
Date: Thu, 12 Dec 2019 07:35:16 -0500
Message-ID: <20a4b4a4-b0d2-4a96-deb8-4c96a23964de@apache.org>
In-Reply-To: <056145b2-b908-c811-9af1-ecea2571c5c3@apache.org>

Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue of security note where nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.

This issue has been assigned CVE id CVE-2018-11805 [2].

To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org. For more information about Apache SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11805

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171