PublicDateAtUSN: 2020-01-30 18:15:00 UTC
Candidate: CVE-2020-1930
PublicDate: 2020-01-30 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930
 https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt
 https://www.openwall.com/lists/oss-security/2020/01/30/3
 https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7648
 https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a@%3Cannounce.apache.org%3E
 https://ubuntu.com/security/notices/USN-4265-1
 https://ubuntu.com/security/notices/USN-4265-2
Description:
 A command execution issue was found in Apache SpamAssassin prior to 3.4.3.
 Carefully crafted nefarious rule configuration (.cf) files can be
 configured to run system commands similar to CVE-2018-11805. With this bug
 unpatched, exploits can be injected in a number of scenarios including the
 same privileges as spamd is run which may be elevated though doing so
 remotely is difficult. In addition to upgrading to SA 3.4.4, we again
 recommend that users should only use update channels or 3rd party .cf files
 from trusted places. If you cannot upgrade, do not use 3rd party rulesets,
 do not use sa-compile and do not run spamd as an account with elevated
 privileges.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]


Patches_spamassassin:
upstream_spamassassin: released (3.4.4~rc1-1)
precise/esm_spamassassin: released (3.4.2-0ubuntu0.12.04.4)
trusty_spamassassin: ignored (out of standard support)
trusty/esm_spamassassin: released (3.4.2-0ubuntu0.14.04.1+esm2)
xenial_spamassassin: released (3.4.2-0ubuntu0.16.04.3)
esm-infra/xenial_spamassassin: released (3.4.2-0ubuntu0.16.04.3)
bionic_spamassassin: released (3.4.2-0ubuntu0.18.04.3)
eoan_spamassassin: released (3.4.2-1ubuntu0.19.10.2)
devel_spamassassin: not-affected (3.4.4~rc1-1)