List: apache-announce
Subject: [CVE-2020-1946] Apache SpamAssassin malicious rule configuration (.cf) files can be configured to ru
From: Sidney Markowitz <sidney () apache ! org>
Date: 2021-03-24 16:08:23
Message-ID: 241c47dc-467f-c622-c8ab-e06df159b475 () apache ! org
Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security
note where malicious rule configuration (.cf) files can be configured to run system
commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of
scenarios. In addition to upgrading to SA 3.4.5, users should only use update
channels or 3rd party .cf files from trusted places.

Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically
reporting this issue.

This issue has been assigned CVE id CVE-2020-1946 [2].

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the https://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://s.apache.org/ng9u9
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
--
Sidney Markowitz
Chair, Apache SpamAssassin PMC
sidney@apache.org