PublicDateAtUSN: 2019-12-22 18:15:00 UTC
Candidate: CVE-2019-19920
PublicDate: 2019-12-22 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19920
 https://bugs.debian.org/946829#24
 https://marc.info/?l=spamassassin-users&m=157668107325768&w=2
 https://marc.info/?l=spamassassin-users&m=157668305026635&w=2
 https://ubuntu.com/security/notices/USN-4520-1
Description:
 sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write
 a .cf file or a rule. This occurs because Greylisting.pm relies on eval to
 load them (rather than parsing the content directly and/or using Perl's taint
 mode), so whatever is written into the file is compiled and run as Perl. This
 issue is similar to CVE-2018-11805.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947198
 https://bugs.launchpad.net/ubuntu/+source/sa-exim/+bug/1856873
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_sa-exim:
upstream_sa-exim: needs-triage
precise/esm_sa-exim: DNE
trusty_sa-exim: ignored (out of standard support)
trusty/esm_sa-exim: DNE
xenial_sa-exim: released (4.2.1-14+deb8u1build0.16.04.1)
bionic_sa-exim: needs-triage
disco_sa-exim: ignored (reached end-of-life)
eoan_sa-exim: ignored (reached end-of-life)
focal_sa-exim: not-affected (4.2.1-19)
groovy_sa-exim: not-affected (4.2.1-19)
hirsute_sa-exim: not-affected (4.2.1-19)
impish_sa-exim: not-affected (4.2.1-19)
jammy_sa-exim: not-affected (4.2.1-19)
devel_sa-exim: not-affected (4.2.1-19)
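
Added illustration of the bug class named in the Description (eval-based config
loading versus direct parsing). This is not sa-exim's Greylisting.pm and not the
project's code; the .cf syntax, the option names greylist_delay / greylist_header,
the value regexes and the sample file are all invented for the demo. The sample is
written to a temp file and read back so the data reaches the parsers the way a real
config would.

```perl
#!/usr/bin/perl
# Illustration added for this tracker entry; it is not sa-exim's Greylisting.pm.
# The .cf syntax, option names and regexes below are invented for the demo.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed .cf content. The first two settings are what a legitimate file
# holds; the last line is what someone with write access to the file appends.
my $sample_cf = <<'CF';
# greylisting options (constructed sample, not a real sa-exim config)
greylist_delay = 300
greylist_header = "X-Greylist"
greylist_delay = 300; print "attacker code ran\n"
CF

# Write the sample to disk and read it back, so the data arrives the way a
# real config does (and is tainted under perl -T).
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $sample_cf;
close $fh;
open my $in, '<', $path or die "open $path: $!";
my $cf_text = do { local $/; <$in> };
close $in;

# Vulnerable pattern: turn each "key = value" line into Perl source and eval it.
# Everything after the '=' is compiled as code, so the appended print (or a
# system() call) runs with the mail daemon's privileges.
sub load_with_eval {
    my ($text) = @_;
    my %conf;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($key, $val) = split /\s*=\s*/, $line, 2;
        eval "\$conf{'$key'} = $val;";     # file content becomes code here
        warn "eval failed: $@" if $@;
    }
    return \%conf;
}

# Hardened pattern: parse each line directly against a schema of known options
# and permitted value shapes. Nothing from the file is ever compiled.
my %schema = (
    greylist_delay  => qr/^(\d{1,6})$/,                   # seconds, digits only
    greylist_header => qr/^"([A-Za-z][A-Za-z0-9-]*)"$/,   # quoted header name
);

sub load_direct {
    my ($text) = @_;
    my %conf;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($key, $val) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or do { warn "unparseable line: $line\n"; next };
        my $re = $schema{$key}
            or do { warn "unknown option '$key' ignored\n"; next };
        if ($val =~ $re) {
            $conf{$key} = $1;              # only the validated capture is kept
        } else {
            warn "rejected value for $key: $val\n";
        }
    }
    return \%conf;
}

print "--- eval-based loader (vulnerable) ---\n";
my $bad = load_with_eval($cf_text);
print "$_ = $bad->{$_}\n" for sort keys %$bad;

print "--- direct parser (hardened) ---\n";
my $good = load_direct($cf_text);
print "$_ = $good->{$_}\n" for sort keys %$good;
```

Running `perl demo.pl` shows the eval-based loader executing the appended statement
while the direct parser rejects that line and keeps only the validated values. Running
the same script as `perl -T demo.pl` shows the "taint feature" the Description mentions:
the string handed to eval is built from file data, which taint mode treats as tainted,
so Perl refuses to compile it and the loader reports an "Insecure dependency" error
instead of running it. Taint mode is a backstop, not a fix; the direct parser is the
change that removes the code-execution path, and it is the approach the not-affected
4.2.1-19 packages rely on rather than eval.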
