svn commit: r480751 - head/security/vuxml

Niclas Zeising zeising at FreeBSD.org
Wed Sep 26 18:09:08 UTC 2018 

Author: zeising
Date: Wed Sep 26 18:09:07 2018
New Revision: 480751
URL: https://svnweb.freebsd.org/changeset/ports/480751

Log:
  Document spamassassin - multiple vulnerabilities
  
  Document spamassassin vulnerabilities, as found in this announcement:
  https://seclists.org/oss-sec/2018/q3/242

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Sep 26 17:31:28 2018	(r480750)
+++ head/security/vuxml/vuln.xml	Wed Sep 26 18:09:07 2018	(r480751)
@@ -58,6 +58,49 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="613193a0-c1b4-11e8-ae2d-54e1ad3d6335">
+    <topic>spamassassin -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>spamassassin</name>
+	<range><lt>3.4.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>the Apache Spamassassin project reports:</p>
+	<blockquote cite="https://seclists.org/oss-sec/2018/q3/242">
+	  <p>In Apache SpamAssassin, using HTML::Parser, we setup an object and
+	    hook into the begin and end tag event handlers  In both cases, the
+	    "open" event is immediately followed by a "close" event - even if
+	    the tag *does not* close in the HTML being parsed.</p>
+	  <p>Because of this, we are missing the "text" event to deal with
+	    the object normally.  This can cause carefully crafted emails that
+	    might take more scan time than expected leading to a Denial of
+	    Service.</p>
+	  <p>Fix a reliance on "." in @INC in one configuration script.  Whether
+	    this can be exploited in any way is uncertain.</p>
+	  <p>Fix a potential Remote Code Execution bug with the PDFInfo plugin.
+	    Thanks to cPanel Security Team for their report of this issue.</p>
+	  <p> Fourth, this release fixes a local user code injection in the
+	    meta rule syntax. Thanks again to cPanel Security Team for their
+	    report of this issue.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://seclists.org/oss-sec/2018/q3/242</url>
+        <cvename>CVE-2017-15705</cvename>
+	<cvename>CVE-2016-1238</cvename>
+	<cvename>CVE-2018-11780</cvename>
+	<cvename>CVE-2018-11781</cvename>
+    </references>
+    <dates>
+      <discovery>2018-09-16</discovery>
+      <entry>2018-09-26</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="bad59128-c188-11e8-9d40-f0def10dca57">
     <topic>wesnoth -- Code Injection vulnerability</topic>
     <affects>

More information about the svn-ports-all mailing list