spamassassin: CVE-2019-12420: specially crafted messages can exhaust system resources resulting in a denial of service

Debian Bug report logs - #946653
spamassassin: CVE-2019-12420: specially crafted messages can exhaust system resources resulting in a denial of service

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Noah Meyerhans <noahm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: spamassassin: specially crafted messages can exhaust system resources resulting in a denial of service

Date: Thu, 12 Dec 2019 16:06:49 -0500

Package: spamassassin
Version: 3.4.2-1
Severity: grave
Tags: upstream fixed-upstream pending security

Per upstream's 3.4.3 release announcement:

Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where a message can be crafted in a way to use
excessive resources.  Upgrading to SA 3.4.3 as soon as possible is the
recommended fix but details will not be shared publicly. Thanks to Joran
Dirk Greef, Ronomon, Cape Town for reporting the issue.

This issue has been assigned CVE id CVE-2019-12420 [2]

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org.  For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12420

Send a report that this bug log contains spam.