Benoit Tellier created JAMES-3523:
-------------------------------------
Summary: Vulnerable third party application: test and recomand
SpamAssassin 3.4.5
Key: JAMES-3523
URL: https://issues.apache.org/jira/browse/JAMES-3523
Project: James Server
Issue Type: Task
Components: spamassassin
Reporter: Benoit Tellier
SpamAssassin is affected by CVE-2020-1946:
*Apache SpamAssassin malicious rule configuration (.cf) files can be configured
to run system commands*
Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of
security note where malicious rule configuration (.cf) files can be configured
to run system commands.
In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of
scenarios. In addition to upgrading to SA 3.4.5, users should only use update
channels or 3rd party .cf files from trusted places.
Apache SpamAssassin would like to thank Damian Lukowski at credativ for
ethically reporting this issue.
This issue has been assigned CVE id CVE-2020-1946 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the spamassassin.apache.org web site.
Apache SpamAssassin Security Team
We should:
- Use 3.4.5 version in our tests
- Recommand the use of SpamAssassin 3.4.5 in Third party softwares section of
our changelog
- Check the documentation for possible version mentions
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
