ESB-2018.3097 - [Win][UNIX/Linux][RedHat] spamassassin: Multiple vulnerabilities 2018-10-12

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3097
                  Important: spamassassin security update
                              12 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           spamassassin
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11781 CVE-2017-15705 

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2916

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running spamassassin check for an updated version of the software 
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: spamassassin security update
Advisory ID:       RHSA-2018:2916-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2916
Issue date:        2018-10-11
CVE Names:         CVE-2017-15705 CVE-2018-11781 
=====================================================================

1. Summary:

An update for spamassassin is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x

3. Description:

The SpamAssassin tool provides a way to reduce unsolicited commercial email
(spam) from incoming email.

Security Fix(es):

* spamassassin: Certain unclosed tags in crafted emails allow for scan
timeouts and result in denial of service (CVE-2017-15705)

* spamassassin: Local user code injection in the meta rule syntax
(CVE-2018-11781)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1629521 - CVE-2017-15705 spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service
1629536 - CVE-2018-11781 spamassassin: Local user code injection in the meta rule syntax

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
spamassassin-3.4.0-4.el7_5.src.rpm

x86_64:
spamassassin-3.4.0-4.el7_5.x86_64.rpm
spamassassin-debuginfo-3.4.0-4.el7_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
spamassassin-3.4.0-4.el7_5.src.rpm

ppc64:
spamassassin-3.4.0-4.el7_5.ppc64.rpm
spamassassin-debuginfo-3.4.0-4.el7_5.ppc64.rpm

ppc64le:
spamassassin-3.4.0-4.el7_5.ppc64le.rpm
spamassassin-debuginfo-3.4.0-4.el7_5.ppc64le.rpm

s390x:
spamassassin-3.4.0-4.el7_5.s390x.rpm
spamassassin-debuginfo-3.4.0-4.el7_5.s390x.rpm

x86_64:
spamassassin-3.4.0-4.el7_5.x86_64.rpm
spamassassin-debuginfo-3.4.0-4.el7_5.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
spamassassin-3.4.0-4.el7_5.src.rpm

aarch64:
spamassassin-3.4.0-4.el7_5.aarch64.rpm
spamassassin-debuginfo-3.4.0-4.el7_5.aarch64.rpm

ppc64le:
spamassassin-3.4.0-4.el7_5.ppc64le.rpm
spamassassin-debuginfo-3.4.0-4.el7_5.ppc64le.rpm

s390x:
spamassassin-3.4.0-4.el7_5.s390x.rpm
spamassassin-debuginfo-3.4.0-4.el7_5.s390x.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
spamassassin-3.4.0-4.el7_5.src.rpm

x86_64:
spamassassin-3.4.0-4.el7_5.x86_64.rpm
spamassassin-debuginfo-3.4.0-4.el7_5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-15705
https://access.redhat.com/security/cve/CVE-2018-11781
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW7/A+NzjgjWX9erEAQhMJRAAgK+kYmk+675RFpQ2gKnj8X09Tbr5pL8Y
KyZwTB2jlVwxjhu/X9ChYKmBT5Bvp6Tqjgzk23YOlxom8UFLUKW+BPJKfdPpWsFj
G6279Mcspta+Kvvs/g13jhdF2FVVBMVnPwFmum279tFc+KVSjtO9ySLcGSUkTbEz
PXMexOz8Jx7ZGrOtQOyoqL++jNJqP5Bfuauma4Sf6iF36jxUQNVRz6KKEAICUPOv
/kLY4eljfoDRDO+LjUWIKU99PoVkAKXcRw/7C6XM4RWJQnHE27RTY51iRlY64Tip
JltG4vdZknPGMJglubHGWtC/zrdu9S5W6KjtnFQ9sbEVjPoxaR0kIOH7P6HhiXbw
8RHPgzyOEu/ZxLoEDM6V0GKhw3+IrfJ6OtW69htxrGjes1iHu1tyonzJFsAi5rW/
fqkI8YPAUS53IYGujk12q67xrQm04PwFn3kWMMC0C73KstS8SJqroXZkNB9CO8kv
12LXKTRbHRTk2m/Z6t1lqEPgLbjv0jGVmqL0krZ1Rb1CgYgAYllQ30KAzk8Eq9tY
Q+Uvx5vYccmYBXhzxkzhn44uj726QX5MvxQZ2ihcEs++F9JCLBMsX4+NXc3en9D6
1DwcujffenZWKWKpj1tVU+dyeLK44qYlVlp67Mv6FL+1fMdt3betZ9m1oa7WSqVg
gBMYdMOg9mU=
=7fxI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW7/tFGaOgq3Tt24GAQiffA/+IHSgsEmp2Uaoo9NDoe9uMXQcfxViL1As
s/feZQzlB9kDzH7yHsBXzh9eAgyLX2IUK/3YT7X0CRdk2gaf09aTTQoMmWlIuqFE
lsIqH89JpzDuYw7QxFts/mY4nXZZ5Zytvs+IkMFXLni9gsHe2PcYOK8OC9FNvSZG
oRzubGKxc+r807HyczyLv/X6P/5kHt3Zu0GFcQf4AMBqeTVKTfTljn1fk2gVyTf7
sfKkF+uSqPOmMDssC5b8DKGzwSwm2MzS/XK8NFUryytM89IYl6tJzsgTfYtnWWRo
0Cth9fLjMET62bVeDZZiRMesPtMEekuQeza6dnrFcSoApCnItVt57H0CxMihUUmW
ssi/gWWtWdXswOOYiKkLgZT3y3XuqW44zzAgEzUMkQEvVtNesVTq//ziA15U9fxT
b+tiSZoLr3RRuQc9bg1hjiRJQdkR5nZpqoGIHXZKnojNTpDChuv8MbfeDuPocR0C
4i5+qtuIUIewqR843KoDUsC+ja/e4kOI1CQQOJL/pj4OJ4duRc2FAQ40i4+fYRAe
s4rpBEzVav/wt3mks0WtUwoxPO6R1CKn+s7yBLavh2ASFM3IND03QQ0WyIBiqJQK
y02Mtaws3KPzpTaMKvelFH46p0THGvmANE5RHpq0/UvPw0x+A6KlTGZGYjaVJV77
j+C5qVeLSd8=
=93FF
-----END PGP SIGNATURE-----

« Back to bulletins