Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2020-1930 CVE-2018-11805

Source

                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: "Kevin A. McGrail" &lt;kmcgrail () apache org&gt;

Date: Thu, 30 Jan 2020 00:18:13 -0500

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Apache SpamAssassin 3.4.4 was recently released [1], and fixes an issue
of security note where nefarious rule configuration (.cf) files can be
configured to run system commands similar to CVE-2018-11805.&nbsp; With this
bug unpatched, exploits can be injected in a number of scenarios
including the same privileges as spamd is run which may be elevated
though doing so remotely is difficult.&nbsp; In addition to upgrading to SA
3.4.4, we again recommend that users should only use update channels or
3rd party .cf files from trusted places.&nbsp; If you cannot upgrade, do not
use 3rd party rulesets, do not use sa-compile and do not run spamd as an
account with elevated privileges.

This issue has been assigned CVE id CVE-2020-1930 [2]

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org.&nbsp; For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1930

-- 

Kevin A. McGrail
KMcGrail () Apache org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

[CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands Kevin A. McGrail (Jan 30)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

[CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands

Vulmon Search

About

Products

Connect