===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3804
                       spamassassin security update
                             10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           spamassassin
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1946  

Reference:         ESB-2021.1232
                   ESB-2021.1213
                   ESB-2021.1124

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:4315

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: spamassassin security update
Advisory ID:       RHSA-2021:4315-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4315
Issue date:        2021-11-09
CVE Names:         CVE-2020-1946 
=====================================================================

1. Summary:

An update for spamassassin is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The SpamAssassin tool provides a way to reduce unsolicited commercial email
(spam) from incoming email.

Security Fix(es):

* spamassassin: Malicious rule configuration files can be configured to run
system commands (CVE-2020-1946)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1943276 - CVE-2020-1946 spamassassin: Malicious rule configuration files can be configured to run system commands

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
spamassassin-3.4.4-4.el8.src.rpm

aarch64:
spamassassin-3.4.4-4.el8.aarch64.rpm
spamassassin-debuginfo-3.4.4-4.el8.aarch64.rpm
spamassassin-debugsource-3.4.4-4.el8.aarch64.rpm

ppc64le:
spamassassin-3.4.4-4.el8.ppc64le.rpm
spamassassin-debuginfo-3.4.4-4.el8.ppc64le.rpm
spamassassin-debugsource-3.4.4-4.el8.ppc64le.rpm

s390x:
spamassassin-3.4.4-4.el8.s390x.rpm
spamassassin-debuginfo-3.4.4-4.el8.s390x.rpm
spamassassin-debugsource-3.4.4-4.el8.s390x.rpm

x86_64:
spamassassin-3.4.4-4.el8.x86_64.rpm
spamassassin-debuginfo-3.4.4-4.el8.x86_64.rpm
spamassassin-debugsource-3.4.4-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
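An added check, not part of the Red Hat advisory or AusCERT's text: it compares the installed spamassassin build with the fixed build listed above (3.4.4-4.el8) in RPM version order. The rpmvercmp() logic is re-implemented here and is assumed faithful for the common cases (tilde pre-release handling included, caret not); the rpm query format and the fallback sample line are the author's own assumptions.

```python
import re
import subprocess
# Fixed build from RHSA-2021:4315 as (epoch, version, release); it has no epoch.
FIXED_EVR = {"spamassassin": ("0", "3.4.4", "4.el8")}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")   # digit runs, letter runs, "~" marker

def rpmvercmp(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in RPM version order."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else ""
        y = sb.pop(0) if sb else ""
        if "~" in (x, y):              # tilde sorts before anything, even ""
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x == "" or y == "":         # side with segments left over is newer
            return -1 if x == "" else 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)      # numeric segments compare as integers
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats letters
        if x != y:
            return -1 if x < y else 1
    return 0

def is_patched(name, epoch, version, release):
    """True when the installed build is at or beyond the advisory's fixed build."""
    if epoch in ("", "(none)"):        # rpm prints "(none)" when no epoch is set
        epoch = "0"
    for have, want in zip((epoch, version, release), FIXED_EVR[name]):
        r = rpmvercmp(have, want)      # the first differing field decides
        if r:
            return r > 0
    return True

def check_rpm_output(text):
    """Parse 'NAME EPOCH VERSION RELEASE' lines (the --qf format used below)."""
    return {p[0]: is_patched(*p) for p in map(str.split, text.splitlines())
            if len(p) == 4 and p[0] in FIXED_EVR}

if __name__ == "__main__":
    fmt = "%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n"
    try:
        out = subprocess.run(["rpm", "-q", "--qf", fmt, "spamassassin"],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:          # no rpm on this host: constructed sample
        out = "spamassassin (none) 3.4.4 3.el8\n"
    print(check_rpm_output(out) or "spamassassin is not installed")
```

A result of `{'spamassassin': False}` means the host still runs a build older than the one in the package list and the update has not been applied.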

7. References:

https://access.redhat.com/security/cve/CVE-2020-1946
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================