CVE-2019-19920 in Ubuntu

CVE-2019-19920

Priority

Description

sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write
a .cf file or a rule. This occurs because Greylisting.pm relies on eval
(rather than direct parsing and/or use of the taint feature). This issue is
similar to CVE-2018-11805.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19920
https://bugs.debian.org/946829#24
https://marc.info/?l=spamassassin-users&m=157668107325768&w=2
https://marc.info/?l=spamassassin-users&m=157668305026635&w=2
https://ubuntu.com/security/notices/USN-4520-1

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947198
https://bugs.launchpad.net/ubuntu/+source/sa-exim/+bug/1856873

Notes

Package

Source: sa-exim (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needs-triage
Ubuntu 20.04 LTS:	not-affected (4.2.1-19)
Ubuntu 21.10:	not-affected (4.2.1-19)
Ubuntu 22.04 LTS:	not-affected (4.2.1-19)
Ubuntu 14.04 ESM:	DNE

Patches:

More Information

Updated: 2022-04-25 00:38:19 UTC (commit ecc1009cb19540b950de59270950018900f37f15)