From: "Kevin A. McGrail"
To: "kmcgrail@apache.org"
Reply-To: SpamAssassin Devel List
Delivered-To: mailing list announce@spamassassin.apache.org
Date: Thu, 30 Jan 2020 00:06:48 -0500
Message-ID: <0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org>
Subject: [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings.

Apache SpamAssassin 3.4.4 was recently released [1], and fixes an issue of security note where nefarious rule configuration (.cf) files can be configured to run system commands, similar to CVE-2018-11805. This issue is less stealthy, and attempts to exploit it will throw warnings.

Thanks to Damian Lukowski at credativ for reporting the issue ethically.

With this bug unpatched, exploits can be injected in a number of scenarios, though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users only use update channels or 3rd party .cf files from trusted places.

This issue has been assigned CVE id CVE-2020-1931 [2].

To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org. For more information about Apache SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1931

--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
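The advisory's mitigation is that rule (.cf) files should come only from trusted update channels. One operational way to enforce that on a mail host is to record a hash manifest of the rules directory right after a trusted update and alert on any .cf/.pre file that later appears, changes or disappears. The script below is an added example and is not code from the announcement or from the SpamAssassin project; the directory layout, file names and file contents it uses are constructed in a temporary directory purely for the demonstration, and the function names are the author's own.

```python
"""Integrity check for a SpamAssassin rules directory (added example, not project code).

Workflow: run build_manifest() immediately after a trusted rule install
(e.g. after sa-update) and store the result; run check_rules() from cron
and alert on anything in 'added', 'modified' or 'removed'.
"""
import hashlib
import os
import tempfile

# Rule file extensions SpamAssassin loads from its config/rules directories.
RULE_SUFFIXES = (".cf", ".pre")


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large rule sets are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(rules_dir):
    """Map each rule file (relative path) under rules_dir to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(rules_dir):
        for name in files:
            if name.endswith(RULE_SUFFIXES):
                path = os.path.join(root, name)
                manifest[os.path.relpath(path, rules_dir)] = sha256_file(path)
    return manifest


def check_rules(rules_dir, manifest):
    """Compare the live rules directory against a trusted manifest.

    Returns {'added': [...], 'modified': [...], 'removed': [...]} with
    relative paths; an empty result means the rule set is unchanged.
    """
    current = build_manifest(rules_dir)
    added = sorted(set(current) - set(manifest))
    removed = sorted(set(manifest) - set(current))
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: baseline two rule files, then tamper with one and drop in a new one."""
    with tempfile.TemporaryDirectory() as rules_dir:
        # Constructed sample rule files standing in for a trusted rule install.
        with open(os.path.join(rules_dir, "local.cf"), "w") as f:
            f.write("required_score 5.0\n")
        with open(os.path.join(rules_dir, "init.pre"), "w") as f:
            f.write("loadplugin Mail::SpamAssassin::Plugin::URIDNSBL\n")
        baseline = build_manifest(rules_dir)

        # Simulate an untrusted change: one file edited, one new file appears,
        # plus a non-rule file that the check should ignore.
        with open(os.path.join(rules_dir, "local.cf"), "a") as f:
            f.write("score SOME_RULE 0.1\n")
        with open(os.path.join(rules_dir, "extra.cf"), "w") as f:
            f.write("# constructed third-party rule file\n")
        with open(os.path.join(rules_dir, "README.txt"), "w") as f:
            f.write("not a rule file\n")

        return check_rules(rules_dir, baseline)


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind}: {path}")
```

In production the manifest would be written to a location the SpamAssassin user cannot modify and refreshed only as part of the trusted update procedure; any drift outside that window is the signal worth paging on.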