[Bug 254526] [PATCH] mail/spamassassin Update to 3.4.5 fixing CVE-2020-1946
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Wed Mar 24 20:03:08 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254526
--- Comment #6 from commit-hook at FreeBSD.org ---
A commit references this bug:
Author: cy
Date: Wed Mar 24 20:02:53 UTC 2021
New revision: 569156
URL: https://svnweb.freebsd.org/changeset/ports/569156
Log:
mail/spamassassin: Update 3.4.4 --> 3.4.5, fixing CVE-2020-1946
According to https://s.apache.org/ng9u9, 3.4.5 fixes CVE-2020-1946.
The announce text:
Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue
of security note where malicious rule configuration (.cf) files can be
configured to run system commands.
In Apache SpamAssassin before 3.4.5, exploits can be injected in a number
of scenarios. In addition to upgrading to SA 3.4.5, users should only use
update channels or 3rd party .cf files from trusted places.
Apache SpamAssassin would like to thank Damian Lukowski at credativ for
ethically reporting this issue.
This issue has been assigned CVE id CVE-2020-1946 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the https://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]: https://s.apache.org/ng9u9
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
PR: 254526
Submitted by: cy
Reported by: cy
Approved by: maintainer (zeising)
MFH: 2021Q1
Security: https://s.apache.org/ng9u9
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
Changes:
head/mail/spamassassin/Makefile
head/mail/spamassassin/distinfo
head/mail/spamassassin/pkg-plist
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-ports-bugs
mailing list