svn commit: r524719 - head/security/vuxml

Cy Schubert Cy.Schubert at cschubert.com
Fri Jan 31 18:17:09 UTC 2020


On January 31, 2020 8:02:45 AM PST, Niclas Zeising <zeising at FreeBSD.org> wrote:
>Author: zeising
>Date: Fri Jan 31 16:02:45 2020
>New Revision: 524719
>URL: https://svnweb.freebsd.org/changeset/ports/524719
>
>Log:
>  vuxml: Add entries for spamassassin vulnerabilities.
>
>Modified:
>  head/security/vuxml/vuln.xml
>
>Modified: head/security/vuxml/vuln.xml
>==============================================================================
>--- head/security/vuxml/vuln.xml	Fri Jan 31 15:50:23 2020	(r524718)
>+++ head/security/vuxml/vuln.xml	Fri Jan 31 16:02:45 2020	(r524719)
>@@ -58,6 +58,42 @@ Notes:
>   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>+  <vuln vid="c86bfee3-4441-11ea-8be3-54e1ad3d6335">
>+    <topic>spamassassin -- Nefarious rule configuration files can run
>system commands</topic>
>+    <affects>
>+      <package>
>+	<name>spamassassin</name>
>+	<range><lt>3.4.4</lt></range>
>+      </package>
>+    </affects>
>+    <description>
>+      <body xmlns="http://www.w3.org/1999/xhtml">
>+	<p>The Apache SpamAssassin project reports:</p>
>+	<blockquote
>cite="ihttps://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org%3e">
>+	  <p>A nefarious rule configuration (.cf) files can be configured to
>+	    run system commands.  This issue is less stealthy and attempts to
>+	    exploit the issue will throw warnings.</p>
>+	  <p>Thanks to Damian Lukowski at credativ for reporting the issue
>+            ethically.  With this bug unpatched, exploits can be
>injected in a
>+	    number of scenarios though doing so remotely is difficult.  In
>+	    addition to upgrading to SA 3.4.4, we again recommend that users
>+	    should only use update channels or 3rd party .cf files from
>trusted
>+	    places.</p>
>+	</blockquote>
>+      </body>
>+    </description>
>+    <references>
>+     
><url>https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org%3e</url>
>+     
><url>https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3ccdae17ce-acde-6060-148a-6dc5f45ee728@apache.org%3e</url>
>+      <cvename>CVE-2020-1930</cvename>
>+      <cvename>CVE-2020-1931</cvename>
>+    </references>
>+    <dates>
>+      <discovery>2020-01-28</discovery>
>+      <entry>2020-01-31</entry>
>+    </dates>
>+  </vuln>
>+
>   <vuln vid="b4e5f782-442d-11ea-9ba9-206a8a720317">
>     <topic>sudo -- Potential bypass of Runas user restrictions</topic>
>     <affects>
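
Review bot: the cite attribute on the <blockquote> starts with "ihttps://", a stray "i" in front of the scheme, so it is not a valid URL and does not match the first <url> under <references>; drop the "i". The entry also lists both CVE-2020-1930 and CVE-2020-1931 with two announcement URLs, while the description quotes a single source under one topic and the log message says "entries" although one <vuln> is added; either quote the second announcement in the description as well or give it its own entry, so that each CVE is described. Minor: the "ethically." continuation line is indented with spaces where the neighbouring lines use a tab.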

Can you remove the entry I added yesterday, please? Or, I can do that at noon my time.


-- 
Pardon the typos and autocorrect, small keyboard in use. 
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://www.FreeBSD.org

The need of the many outweighs the greed of the few.

Sent from my Android device with K-9 Mail. Please excuse my brevity.


More information about the svn-ports-all mailing list