because upstream has no brain this update is now urgent - yeah, blow out security details without giving the rest of the world time for updates

-------- Forwarded Message --------
Subject: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781
Date: Sun, 16 Sep 2018 12:59:12 -0400
From: Kevin A. McGrail <kmcgrail>
To: Spamassassin <users.org>, SpamAssassin Devel List <dev.org>, announce.org, announce
CC: security.org, oss-security.com

Apache SpamAssassin 3.4.2 was recently released [1], and fixes several issues of security note.

First, a denial of service vulnerability that exists in all modern versions. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts.

In Apache SpamAssassin, using HTML::Parser, we set up an object and hook into the begin and end tag event handlers. In both cases, the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service.

The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html.

The exploit has been seen in the wild but is not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future. Therefore, we strongly recommend all users of these versions upgrade to Apache SpamAssassin 3.4.2 as soon as possible.

This issue has been assigned CVE id CVE-2017-15705 [2].

Second, this release also fixes a reliance on "." in @INC in one configuration script. Whether this can be exploited in any way is uncertain.

This issue has been assigned CVE id CVE-2016-1238 [3].

Third, this release fixes a potential Remote Code Execution bug with the PDFInfo plugin. Thanks to cPanel Security Team for their report of this issue.

This issue has been assigned CVE id CVE-2018-11780 [4].

Fourth, this release fixes a local user code injection in the meta rule syntax. Thanks again to cPanel Security Team for their report of this issue.

This issue has been assigned CVE id CVE-2018-11781 [5].

To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org.

For more information about Apache SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://lists.apache.org/thread.html/1ac11532235b5459aa16c4e9d636bf4aa0b141d347d1361e40cc1b78@%3Cannounce.apache.org%3E
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15705
[3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1238
[4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11780
[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11781
Duplicate of bug 1629474.
spamassassin-3.4.2-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1bf4c5356f
spamassassin-3.4.2-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-cfe3700eba
spamassassin-3.4.2-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d42addb489
Two things I see here https://src.fedoraproject.org/rpms/spamassassin/blob/master/f/spamassassin.spec

1) %global saversion 3.004001
   Should be 3.004002

2) Source12: sought.conf
   Should be removed, see bug #1630362
Yeah, will fix those up. Really the entire spec needs a bit of cleanup, but I wanted to get these updates out. Thanks for the feedback.
spamassassin-3.4.2-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1bf4c5356f
spamassassin-3.4.2-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d42addb489
spamassassin-3.4.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-cfe3700eba
Seeing:

Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_body_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_compensate.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_dnsbl_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_drugs.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_dynrdns.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_fake_helo_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_head_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_html_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_meta_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_net_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_phrases.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_porn.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_uri_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/23_bayes.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/72_active.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/73_sandbox_manual_scores.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Probably related to comment #5.
@Philip Prindeville: what about running "sa-update" as it is required after any version jump (often not remembered because upstream only releases every half decade)

[root@mail-gw:~]$ locate 20_advance_fee.cf
/usr/share/spamassassin/20_advance_fee.cf
/var/lib/spamassassin/3.004001/updates_spamassassin_org/20_advance_fee.cf
/var/lib/spamassassin/3.004002/updates_spamassassin_org/20_advance_fee.cf
(In reply to Harald Reindl from comment #12)
> @Philip Prindeville: what about running "sa-update" as it is required after
> any version jump (often not remembered because upstream only releases every
> half decade)
>
> [root@mail-gw:~]$ locate 20_advance_fee.cf
> /usr/share/spamassassin/20_advance_fee.cf
> /var/lib/spamassassin/3.004001/updates_spamassassin_org/20_advance_fee.cf
> /var/lib/spamassassin/3.004002/updates_spamassassin_org/20_advance_fee.cf

Hmm... I was missing DBI and Net::DNS::Nameserver it seems. Not sure why these weren't dependencies of sa-update.

Installed those, then re-ran sa-update and updatedb. Not seeing the message after "systemctl reload mimedefang.service".
because they are not a dependency at all?

[root@mail-gw:~]$ rpm -qa | grep -i dbi
libdbi-0.9.0-9.fc27.x86_64

[root@mail-gw:~]$ rpm -qa | grep -i perl | grep -i dns
perl-Net-DNS-1.15-1.fc27.noarch

and that is a machine running hundreds of domains for years now

all your stuff above is from "mail mimedefang-multiplexor" which has little to nothing to do with SpamAssassin!
# sa-update -v -D
Sep 20 13:02:11.617 [30434] dbg: logger: adding facilities: all
Sep 20 13:02:11.617 [30434] dbg: logger: logging level is DBG
Sep 20 13:02:11.617 [30434] dbg: generic: SpamAssassin version 3.4.2
Sep 20 13:02:11.617 [30434] dbg: generic: Perl 5.026002, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin
Sep 20 13:02:11.617 [30434] dbg: config: timing enabled
Sep 20 13:02:11.620 [30434] dbg: config: score set 0 chosen.
Sep 20 13:02:11.629 [30434] dbg: generic: sa-update version 3.4.2 / svn1840377
Sep 20 13:02:11.629 [30434] dbg: generic: using update directory: /var/lib/spamassassin/3.004002
Sep 20 13:02:11.834 [30434] dbg: diag: perl platform: 5.026002 linux
Sep 20 13:02:11.834 [30434] dbg: diag: [...] module installed: Digest::SHA, version 6.02
Sep 20 13:02:11.834 [30434] dbg: diag: [...] module installed: HTML::Parser, version 3.72
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Net::DNS, version 1.15
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: NetAddr::IP, version 4.079
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Time::HiRes, version 1.9753
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Archive::Tar, version 2.28
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: IO::Zlib, version 1.10
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: MIME::Base64, version 3.15
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: DB_File, version 1.842
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Net::SMTP, version 3.11
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Mail::SPF, version v2.009
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Geo::IP, version 1.50
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Net::CIDR::Lite, version 0.21
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Razor2::Client::Agent, version 2.84
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: IO::Socket::IP, version 0.39
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: IO::Socket::INET6, version 2.72
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: IO::Socket::SSL, version 2.051
Sep 20 13:02:11.835 [30434] dbg: diag: [...] module installed: Compress::Zlib, version 2.074
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module installed: Mail::DKIM, version 0.42
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module not installed: DBI ('require' failed)
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module installed: Getopt::Long, version 2.5
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module installed: LWP::UserAgent, version 6.34
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module installed: HTTP::Date, version 6.02
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module installed: Encode::Detect::Detector, version 1.01
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module installed: Net::Patricia, version 1.22
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module not installed: Net::DNS::Nameserver ('require' failed)
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module installed: BSD::Resource, version 1.2911
Sep 20 13:02:11.837 [30434] dbg: gpg: Searching for 'gpg2'
Sep 20 13:02:11.837 [30434] dbg: util: current PATH is: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
Sep 20 13:02:11.837 [30434] dbg: util: executable for gpg2 was found at /usr/bin/gpg2
Sep 20 13:02:11.838 [30434] dbg: gpg: found /usr/bin/gpg2
Sep 20 13:02:11.838 [30434] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 0C2B1D7175B852C64B3CDC716C55397824F434CE
Sep 20 13:02:11.839 [30434] dbg: util: secure_tmpfile created a temporary file /tmp/.spamassassin30434fjfhoGtmp
Sep 20 13:02:11.839 [30434] dbg: channel: attempting channel updates.spamassassin.org
Sep 20 13:02:11.839 [30434] dbg: channel: using existing directory /var/lib/spamassassin/3.004002/updates_spamassassin_org
Sep 20 13:02:11.839 [30434] dbg: channel: channel cf file /var/lib/spamassassin/3.004002/updates_spamassassin_org.cf
Sep 20 13:02:11.839 [30434] dbg: channel: channel pre file /var/lib/spamassassin/3.004002/updates_spamassassin_org.pre
Sep 20 13:02:11.839 [30434] dbg: channel: metadata version = 1841300, from file /var/lib/spamassassin/3.004002/updates_spamassassin_org.cf
Sep 20 13:02:11.854 [30434] dbg: dns: 2.4.3.updates.spamassassin.org => 1841300, parsed as 1841300
Sep 20 13:02:11.854 [30434] dbg: channel: current version is 1841300, new version is 1841300, skipping channel
Sep 20 13:02:11.854 [30434] dbg: diag: updates complete, exiting with code 1
Update finished, no fresh updates were available
#
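The two outputs pasted in this thread (the Conf/Parser "requires version ... but this is code version ..." warnings relayed through mimedefang's stderr, and the `sa-update -v -D` module/channel diagnostics) are what an admin reads after a SpamAssassin version jump. The following script is an added example, not code from this bug report, Fedora or the SpamAssassin project: it parses both formats from a log file or pasted text and reports which rule files are being skipped because they were written for a different version, which Perl modules sa-update found missing, and whether the update channel is current. The sample log at the bottom is constructed from lines of the shape shown above.

```python
import re
import sys

# Warning from Mail::SpamAssassin::Conf::Parser when a rule file's require_version
# does not match the running code. Each such file is skipped, so mail is scored without it.
VERSION_MISMATCH_RE = re.compile(
    r'configuration file "(?P<path>[^"]+)" requires version (?P<required>\d+\.\d+)'
    r' of SpamAssassin, but this is code version (?P<code>\d+\.\d+)\.'
)
# Module diagnostics printed by `sa-update -D` (e.g. "module not installed: DBI ('require' failed)").
MODULE_RE = re.compile(
    r'dbg: diag: \[\.\.\.\] module (?P<state>installed|not installed): (?P<module>[\w:]+)'
)
# Channel comparison printed by `sa-update -D`.
CHANNEL_RE = re.compile(
    r'dbg: channel: current version is (?P<current>\d+), new version is (?P<new>\d+)'
)


def version_key(v):
    """'3.004001' -> (3, 4001): compare SpamAssassin versions numerically, not as strings."""
    return tuple(int(part) for part in v.split('.'))


def summarise(log_text):
    """Return a dict describing what the log says about the SpamAssassin installation."""
    skipped = {}          # rule file path -> version the file was written for
    code_version = None   # version of the running code, taken from the warnings
    missing = []          # modules sa-update could not load, in order of appearance
    channel = None        # (current, new) rule channel versions, if seen
    for line in log_text.splitlines():
        m = VERSION_MISMATCH_RE.search(line)
        if m:
            skipped[m['path']] = m['required']
            code_version = m['code']
            continue
        m = MODULE_RE.search(line)
        if m:
            if m['state'] == 'not installed' and m['module'] not in missing:
                missing.append(m['module'])
            continue
        m = CHANNEL_RE.search(line)
        if m:
            channel = (m['current'], m['new'])

    advice = []
    stale = sorted(p for p, req in skipped.items()
                   if version_key(req) < version_key(code_version))
    if stale:
        dirs = ', '.join(sorted({p.rsplit('/', 1)[0] for p in stale}))
        advice.append(
            f"{len(stale)} rule file(s) under {dirs} were written for an older version "
            f"than the running code ({code_version}) and are being skipped; run sa-update "
            "or install rule files matching the code version.")
    if missing:
        advice.append("Perl modules sa-update could not load: " + ', '.join(missing)
                      + "; install them if a configured plugin needs them.")
    if channel is not None:
        advice.append("Rule channel is current." if channel[0] == channel[1]
                      else f"Rule channel has {channel[1]} available (installed {channel[0]}).")
    return {
        'skipped_files': sorted(skipped),
        'required_versions': sorted(set(skipped.values())),
        'code_version': code_version,
        'missing_modules': missing,
        'channel_up_to_date': None if channel is None else channel[0] == channel[1],
        'advice': advice,
    }


# Constructed sample in the shape of the lines pasted in this bug (paths and versions as seen there).
SAMPLE_LOG = """\
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/20_body_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 12:38:22 mail mimedefang-multiplexor[2627]: w8KIcEQA030293: Worker 9 stderr: config: configuration file "/usr/share/spamassassin/72_active.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Conf/Parser.pm line 407.
Sep 20 13:02:11.834 [30434] dbg: diag: [...] module installed: HTML::Parser, version 3.72
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module not installed: DBI ('require' failed)
Sep 20 13:02:11.836 [30434] dbg: diag: [...] module not installed: Net::DNS::Nameserver ('require' failed)
Sep 20 13:02:11.854 [30434] dbg: channel: current version is 1841300, new version is 1841300, skipping channel
"""

if __name__ == '__main__':
    # Usage: python sa_upgrade_check.py [logfile]; without an argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarise(text)
    print(f"code version: {report['code_version']}, skipped rule files: {len(report['skipped_files'])}")
    for line in report['advice']:
        print(' -', line)
```

The version comparison is done on `(major, minor)` integer tuples rather than on the raw strings so that a rule file written for a newer version than the code (the other direction of the same warning) is not flagged as stale. On the thread's own situation the report points at `/usr/share/spamassassin`, the packaged rule directory, which is consistent with the spec's `saversion` being behind the code version rather than with a missing `sa-update` run.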
spamassassin-3.4.2-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8f0df2c366
spamassassin-3.4.2-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-46d7a7f63e
spamassassin-3.4.2-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6ed251c42b
The version issue has been corrected in the -2 version. Please test, thanks.
spamassassin-3.4.2-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8f0df2c366
spamassassin-3.4.2-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6ed251c42b
spamassassin-3.4.2-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-46d7a7f63e
spamassassin-3.4.2-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
spamassassin-3.4.2-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
spamassassin-3.4.2-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.