svn commit: r524719 - head/security/vuxml
Cy Schubert
Cy.Schubert at cschubert.com
Fri Jan 31 18:17:09 UTC 2020
On January 31, 2020 8:02:45 AM PST, Niclas Zeising <zeising at FreeBSD.org> wrote:
>Author: zeising
>Date: Fri Jan 31 16:02:45 2020
>New Revision: 524719
>URL: https://svnweb.freebsd.org/changeset/ports/524719
>
>Log:
> vuxml: Add entries for spamassassin vulnerabilities.
>
>Modified:
> head/security/vuxml/vuln.xml
>
>Modified: head/security/vuxml/vuln.xml
>==============================================================================
>--- head/security/vuxml/vuln.xml Fri Jan 31 15:50:23 2020 (r524718)
>+++ head/security/vuxml/vuln.xml Fri Jan 31 16:02:45 2020 (r524719)
>@@ -58,6 +58,42 @@ Notes:
> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>+ <vuln vid="c86bfee3-4441-11ea-8be3-54e1ad3d6335">
>+ <topic>spamassassin -- Nefarious rule configuration files can run
>system commands</topic>
>+ <affects>
>+ <package>
>+ <name>spamassassin</name>
>+ <range><lt>3.4.4</lt></range>
>+ </package>
>+ </affects>
>+ <description>
>+ <body xmlns="http://www.w3.org/1999/xhtml">
>+ <p>The Apache SpamAssassin project reports:</p>
>+ <blockquote
>cite="ihttps://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org%3e">
>+ <p>A nefarious rule configuration (.cf) files can be configured to
>+ run system commands. This issue is less stealthy and attempts to
>+ exploit the issue will throw warnings.</p>
>+ <p>Thanks to Damian Lukowski at credativ for reporting the issue
>+ ethically. With this bug unpatched, exploits can be
>injected in a
>+ number of scenarios though doing so remotely is difficult. In
>+ addition to upgrading to SA 3.4.4, we again recommend that users
>+ should only use update channels or 3rd party .cf files from
>trusted
>+ places.</p>
>+ </blockquote>
>+ </body>
>+ </description>
>+ <references>
>+
><url>https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org%3e</url>
>+
><url>https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3ccdae17ce-acde-6060-148a-6dc5f45ee728@apache.org%3e</url>
>+ <cvename>CVE-2020-1930</cvename>
>+ <cvename>CVE-2020-1931</cvename>
>+ </references>
>+ <dates>
>+ <discovery>2020-01-28</discovery>
>+ <entry>2020-01-31</entry>
>+ </dates>
>+ </vuln>
>+
> <vuln vid="b4e5f782-442d-11ea-9ba9-206a8a720317">
> <topic>sudo -- Potential bypass of Runas user restrictions</topic>
> <affects>
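Review bot: The `cite` attribute on the added `<blockquote>` begins with "ihttps://", so a stray leading "i" makes the URL invalid. It should match the first `<url>` under `<references>`, which carries the same mail-archives address with a plain "https://" scheme. Separately, the entry lists both CVE-2020-1930 and CVE-2020-1931 and two announcement URLs, but the quoted description text comes from one announcement only. Consider quoting the second announcement as well, or saying in the body that the entry covers both, so a reader can see what each CVE refers to.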
Can you remove the entry I added yesterday, please? Or, I can do that at noon my time.
--
Pardon the typos and autocorrect, small keyboard in use.
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://www.FreeBSD.org
The need of the many outweighs the greed of the few.
Sent from my Android device with K-9 Mail. Please excuse my brevity.