svn commit: r524719 - head/security/vuxml
Niclas Zeising
zeising at FreeBSD.org
Fri Jan 31 16:02:46 UTC 2020
Author: zeising
Date: Fri Jan 31 16:02:45 2020
New Revision: 524719
URL: https://svnweb.freebsd.org/changeset/ports/524719
Log:
vuxml: Add entries for spamassassin vulnerabilities.
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Jan 31 15:50:23 2020 (r524718)
+++ head/security/vuxml/vuln.xml Fri Jan 31 16:02:45 2020 (r524719)
@@ -58,6 +58,42 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="c86bfee3-4441-11ea-8be3-54e1ad3d6335">
+ <topic>spamassassin -- Nefarious rule configuration files can run system commands</topic>
+ <affects>
+ <package>
+ <name>spamassassin</name>
+ <range><lt>3.4.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Apache SpamAssassin project reports:</p>
+ <blockquote cite="ihttps://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org%3e">
+ <p>A nefarious rule configuration (.cf) files can be configured to
+ run system commands. This issue is less stealthy and attempts to
+ exploit the issue will throw warnings.</p>
+ <p>Thanks to Damian Lukowski at credativ for reporting the issue
+ ethically. With this bug unpatched, exploits can be injected in a
+ number of scenarios though doing so remotely is difficult. In
+ addition to upgrading to SA 3.4.4, we again recommend that users
+ should only use update channels or 3rd party .cf files from trusted
+ places.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org%3e</url>
+ <url>https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3ccdae17ce-acde-6060-148a-6dc5f45ee728@apache.org%3e</url>
+ <cvename>CVE-2020-1930</cvename>
+ <cvename>CVE-2020-1931</cvename>
+ </references>
+ <dates>
+ <discovery>2020-01-28</discovery>
+ <entry>2020-01-31</entry>
+ </dates>
+ </vuln>
+
<vuln vid="b4e5f782-442d-11ea-9ba9-206a8a720317">
<topic>sudo -- Potential bypass of Runas user restrictions</topic>
<affects>
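Review bot: the cite attribute on the blockquote in the new spamassassin entry begins with a stray "i" (cite="ihttps://mail-archives.apache.org/..."), so it is not a valid URL and does not match the first <url> under <references>; drop the leading "i". The entry also carries two <cvename> elements (CVE-2020-1930 and CVE-2020-1931) and two announcement URLs, while the blockquote cites only one of them; either cite the second announcement in its own blockquote or make clear in the body which quoted paragraph belongs to which CVE.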