1855463 – Need version bump to spamassassin 3.4.4

Bug 1855463 - Need version bump to spamassassin 3.4.4

Summary: Need version bump to spamassassin 3.4.4

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	spamassassin
Sub Component:
Version:	31
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Kevin Fenzi
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-07-09 22:46 UTC by Philip Prindeville
Modified:	2020-07-10 00:07 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2020-07-10 00:07:17 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Philip Prindeville 2020-07-09 22:46:11 UTC

Description of problem:

According to:

https://spamassassin.apache.org/news.html

4 CVE's have been fixed since 3.4.2 was released.

Version-Release number of selected component (if applicable):

3.4.2

How reproducible:

N/A

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Philip Prindeville 2020-07-09 22:47:21 UTC

CVE's fixed in 3.4.3

CVE-2019-12420 for Multipart Denial of Service Vulnerability
CVE-2018-11805 for nefarious CF files can be configured to run system commands without any output or errors.

CVE's fixed in 3.4.4

CVE-2020-1931 for Nefarious rule configuration (.cf) files can be configured to run system commands with warnings.
CVE-2020-1930 for Nefarious rule configuration (.cf) files can be configured to run system commands with sa-compile.

Comment 2 Carl George 🤠 2020-07-10 00:07:17 UTC

For F31 this was fixed in https://bodhi.fedoraproject.org/updates/FEDORA-2020-24dac7d890 by olysonek.

Note You need to log in before you can comment on or make changes to this bug.