Fedora 29: 2018-8f0df2c366 Critical: SpamAssassin RCE and DoS Fixes

September 29, 2018
Fedora 29 updates SpamAssassin to 3.4.2, fixing bugs and security vulnerabilities including remote code execution (RCE) and denial of service (DoS).

Summary

SpamAssassin provides you with a way to reduce if not completely eliminate Unsolicited Commercial Email (SPAM) from your incoming email. It can be invoked by a MDA such as sendmail or postfix, or can be called from a procmail script, .forward file, etc. It uses a genetic-algorithm evolved scoring system to identify messages which look spammy, then adds headers to the message so they can be filtered by the user's mail reading software. This distribution includes the spamd/spamc components which create a server that considerably speeds processing of mail.

To enable spamassassin, if you are receiving mail locally, simply add this line to your ~/.procmailrc:

INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

To filter spam for all users, add that line to /etc/procmailrc (creating if necessary).

Change Log

Fixed some small bugs in the previous package: Initial rules now have the correct version, sought channel config is dropped (since it doesn't exist anymore) and build / runtime deps adjusted.

----

Update to 3.4.2. Fixes CVE-2017-15705, CVE-2018-11780 and CVE-2018-11781 along with many other bugfixes and improvements. See https://www.mail-archive.com/announce@apache.org/msg04823.html for more information.

References

[ 1 ] Bug #1629537 - CVE-2018-11781 spamassassin: Local user code injection in the meta rule syntax [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1629537

[ 2 ] Bug #1629534 - CVE-2018-11780 spamassassin: Potential remote code execution vulnerability in PDFInfo plugin [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1629534

[ 3 ] Bug #1629522 - CVE-2017-15705 spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and resulting denial of service [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1629522

[ 4 ] Bug #1629491 - SpamAssassin 3.4.2 released with CVE disclosure
      https://bugzilla.redhat.com/show_bug.cgi?id=1629491

[ 5 ] Bug #1590592 - Need spamassassin release with patch for bug 7208 included
      https://bugzilla.redhat.com/show_bug.cgi?id=1590592

Update Instructions

su -c 'dnf upgrade --advisory FEDORA-2018-8f0df2c366' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/

Severity: critical

Product: Fedora 29
Version: 3.4.2
Release: 2.fc29
Summary: Spam filter for email which can be invoked from mail delivery agents
