Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 436
Alerts This Week
Warning Icon 1 436

Debian 8: DLA-1578-1 Critical: Remote Code Execution in Spamassassin

debian lts
Calendar Grey November 13, 2018
Dist Debian Esm H88
Enhance the spamassassin implementation to address several security flaws that could result in Remote Code Execution and Denial of Service threats.
Multiple vulnerabilities were found in Spamassassin, which could lead to Remote Code Execution and Denial of Service attacks under certain circumstances

Summary

Many Perl programs do not properly remove . (period) characters
from the end of the includes directory array, which might allow
local users to gain privileges via a Trojan horse module under the
current working directory.

CVE-2017-15705

A denial of service vulnerability was identified that exists in
Apache SpamAssassin before 3.4.2. The vulnerability arises with
certain unclosed tags in emails that cause markup to be handled
incorrectly leading to scan timeouts. This can cause carefully
crafted emails that might take more scan time than expected
leading to a Denial of Service.

CVE-2018-11780

A potential Remote Code Execution bug exists with the PDFInfo
plugin in Apache SpamAssassin before 3.4.2.

CVE-2018-11781

Apache SpamAssassin 3.4.2 fixes a local user code injection in the
meta rule syntax.

For Debian 8 "Jessie", these problems have been fixed in version
3.4.2-0+deb8u1. Upstream strongly advocates upgrading to the latest

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

<pre><font face="Courier">Package: spamassassin
Version: 3.4.2-0+deb8u1
CVE ID: CVE-2016-1238 CVE-2017-15705 CVE-2018-11780 CVE-2018-11781
Debian Bug: 784023 865924 883775 889501 891041 908969 908970 908971 913571

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.