Bug 1629474

Summary: Possibly vulnerable to CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781
Product: Red Hat Enterprise Linux 7
Reporter: Frank Büttner <bugzilla>
Component: spamassassin
Assignee: Ondřej Lysoněk <olysonek>
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.5
CC: grenier, jh.redhat-2018, olysonek, phil.randal, shiva, simon.matter, smokris
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spamassassin-3.4.0-3.el7_5
Doc Type: If docs needed, set a value
Last Closed: 2018-10-12 08:55:57 UTC
Type: Bug

Description Frank Büttner 2018-09-16 17:06:29 UTC
Description of problem:
3.4.2 was released as a security release.

Version-Release number of selected component (if applicable):
spamassassin-3.4.0-2.el7.x86_64


Additional info:
See:
https://spamassassin.apache.org/

Comment 2 Kenneth Porter 2018-09-19 02:47:04 UTC
Duplicate of bug 1629491.

Comment 3 Ondřej Lysoněk 2018-09-19 14:05:11 UTC
The impact of the CVEs on RHEL-7 is currently being investigated.

Comment 4 Phil Randal 2018-09-27 10:15:07 UTC
From the release notes:

"However, there is one specific pressing reason to upgrade. Specifically, we will stop producing SHA-1 signatures for rule updates. This means that while we produce rule updates with the focus on them working for any release from v3.3.2 forward, they will start failing SHA-1 validation for sa-update.

*** If you do not update to 3.4.2, you will be stuck at the last ruleset
    with SHA-1 signatures in the near future. ***"
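Comment 4 is about rule updates whose SHA-1 signatures an un-upgraded sa-update will keep accepting until they stop being produced. The script below is an added example, not code from this bug report, from Red Hat, or from the SpamAssassin project: it gates on whether the installed package predates 3.4.2 and verifies a downloaded rules archive against SHA-256 and SHA-512 digest files, refusing an archive that carries nothing stronger than a SHA-1 digest. The digest-file suffixes (.sha256, .sha512), the function names and the sample archive are assumptions constructed here so it runs offline; it does not drive sa-update itself.

```shell
#!/bin/sh
# Added example (not from the bug, Red Hat or SpamAssassin): version gate for
# the 3.4.2 SHA-1 cut-off plus SHA-256/SHA-512 verification of a rules archive.
# Assumptions: digests live beside the archive as <archive>.sha256 and
# <archive>.sha512 in sha256sum/sha512sum "<hex>  <name>" format; GNU
# coreutils (sha256sum, sha512sum, sort -V) are available.

# needs_upgrade VERSION[-RELEASE]: succeed (return 0) when the package version
# sorts before 3.4.2, the first release the notes say will still validate
# rulesets once SHA-1 signatures stop being produced.
needs_upgrade() {
    ver=${1%%-*}                       # 3.4.0-2.el7 -> 3.4.0 (drop RPM release)
    lowest=$(printf '%s\n' "$ver" 3.4.2 | sort -V | head -n 1)
    if [ "$ver" != "3.4.2" ] && [ "$lowest" = "$ver" ]; then
        return 0
    fi
    return 1
}
# Real-world use, assuming an RPM system (not run here):
#   needs_upgrade "$(rpm -q --qf '%{VERSION}-%{RELEASE}' spamassassin)" \
#       && echo "spamassassin predates 3.4.2"

# verify_ruleset ARCHIVE: require both SHA-256 and SHA-512 digest files and
# check the archive against each. An archive that only has a .sha1 next to it
# is refused; that is exactly what an un-upgraded sa-update would still accept.
verify_ruleset() {
    archive=$1
    if [ ! -f "$archive.sha256" ] || [ ! -f "$archive.sha512" ]; then
        echo "refusing $archive: missing SHA-256/SHA-512 digests (SHA-1 only?)" >&2
        return 1
    fi
    dir=$(dirname "$archive")
    base=$(basename "$archive")
    # Digest files name the archive by basename, so check from its directory.
    ( cd "$dir" \
        && sha256sum -c --status "$base.sha256" \
        && sha512sum -c --status "$base.sha512" )
}

# make_sample: build a constructed stand-in for a ruleset archive with matching
# SHA-256 and SHA-512 digest files; prints the archive path.
make_sample() {
    workdir=$(mktemp -d)
    printf 'header FROM_EXAMPLE From =~ /example\\.invalid/\nscore FROM_EXAMPLE 0.1\n' \
        > "$workdir/rules.cf"                        # constructed rule content
    tar -C "$workdir" -cf "$workdir/ruleset.tar" rules.cf
    ( cd "$workdir" \
        && sha256sum ruleset.tar > ruleset.tar.sha256 \
        && sha512sum ruleset.tar > ruleset.tar.sha512 )
    echo "$workdir/ruleset.tar"
}

# Stand-alone demonstration.
if needs_upgrade 3.4.0-2.el7; then
    echo "spamassassin-3.4.0-2.el7 predates 3.4.2: rule updates will stop validating"
fi
sample=$(make_sample)
if verify_ruleset "$sample"; then
    echo "ok: $sample verified against SHA-256 and SHA-512"
fi
```

Running it on a real mirror download means fetching the archive together with its .sha256 and .sha512 files (the .asc GPG signature check that sa-update also performs is outside this example); any tampering with the archive, or a mirror that serves only a .sha1, makes verify_ruleset fail.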

Comment 5 Ondřej Lysoněk 2018-10-12 08:59:05 UTC
(In reply to Phil Randal from comment #4)
> From the release notes:
> 
> "However, there is one specific pressing reason to upgrade. Specifically, we
> will stop producing SHA-1 signatures for rule updates.  This means that
> while we produce rule updates with the focus on them working for any release
> from
> v3.3.2 forward, they will start failing SHA-1 validation for sa-update. 
> 
> *** If you do not update to 3.4.2, you will be stuck at the last ruleset
>     with SHA-1 signatures in the near future. ***"

Rebase of spamassassin is being tracked here:
https://bugzilla.redhat.com/show_bug.cgi?id=1479087