
List:       apache-announce
Subject:    [CVE-2020-1946] Apache SpamAssassin malicious rule configuration (.cf) files can be configured to ru
From:       Sidney Markowitz <sidney@apache.org>
Date:       2021-03-24 16:08:23
Message-ID: 241c47dc-467f-c622-c8ab-e06df159b475@apache.org

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, a malicious .cf file can be injected in a number of scenarios. In addition to upgrading to SpamAssassin 3.4.5, users should only use update channels and third-party .cf files from trusted sources.
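The advice above is to take rule files only from sources you trust. The official update channel is verified by sa-update's GPG signature check, but a .cf file fetched by hand from a third-party site carries no such signature. The following script is an added example, not code from the SpamAssassin project or from this advisory: it installs a third-party .cf file only after the SHA-256 of the copy it is about to install matches a hash obtained out of band, and refuses otherwise. The rules directory, the file name and the pinned hash are assumptions for the demonstration; the sample rule is constructed inline.

```shell
#!/bin/sh
# Added example, not part of the SpamAssassin project: accept a third-party
# rule file only after its SHA-256 matches a hash obtained out of band
# (for example, published by the rule author over a separate channel).
set -u

# verify_cf FILE EXPECTED_SHA256
# Exit status 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise.
verify_cf() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_cf FILE EXPECTED_SHA256 DESTDIR
# Copies FILE into DESTDIR (assumed here to stand in for the local rules
# directory, e.g. /etc/mail/spamassassin) only if the pinned hash matches.
# The hash is taken over a private copy, so the file cannot be swapped
# between the check and the install. On mismatch nothing is installed and
# the function returns 1.
install_cf() {
    tmp=$(mktemp "$3/.incoming.XXXXXX") || return 1
    cp "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    if ! verify_cf "$tmp" "$2"; then
        printf 'refusing to install %s: SHA-256 mismatch\n' "$1" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"
    mv "$tmp" "$3/$(basename "$1")" || return 1
    printf 'installed %s into %s\n' "$1" "$3"
}

# Constructed sample input: a harmless local rule written to a scratch
# directory, standing in for a file downloaded from a third-party site.
WORKDIR=$(mktemp -d)
DESTDIR="$WORKDIR/rules"      # stands in for /etc/mail/spamassassin
mkdir -p "$DESTDIR"
cat > "$WORKDIR/thirdparty.cf" <<'EOF'
header   THIRDPARTY_EXAMPLE  Subject =~ /example/i
describe THIRDPARTY_EXAMPLE  Constructed sample rule
score    THIRDPARTY_EXAMPLE  0.1
EOF

# The hash the operator would have pinned. It is computed here only so the
# sample is self-contained; in practice it comes from the publisher, never
# from the downloaded file itself.
PINNED=$(sha256sum "$WORKDIR/thirdparty.cf" | cut -d' ' -f1)
# A hash that does not match, simulating a tampered or substituted file.
TAMPERED=0000000000000000000000000000000000000000000000000000000000000000

install_cf "$WORKDIR/thirdparty.cf" "$PINNED" "$DESTDIR"         # installs
install_cf "$WORKDIR/thirdparty.cf" "$TAMPERED" "$DESTDIR" || :  # refused
```

The point of hashing the private copy rather than the downloaded file is that a check on one path followed by a copy from the same path leaves a window in which the file can be replaced; hashing what you will actually install closes it. After installing, run `spamassassin --lint` to confirm the rules still parse.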

Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue.

This issue has been assigned CVE id CVE-2020-1946 [2].

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the https://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://s.apache.org/ng9u9

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

-- 
Sidney Markowitz
Chair, Apache SpamAssassin PMC
sidney@apache.org

