spamassassin-3.4.0-4.el7

Errata ID: AXSA:2018-3356:01

Release date: Friday, October 12, 2018 - 00:43
Subject: spamassassin-3.4.0-4.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

The SpamAssassin tool provides a way to reduce unsolicited commercial email (spam) from incoming email.

Security Fix(es):

* spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service (CVE-2017-15705)

* spamassassin: Local user code injection in the meta rule syntax (CVE-2018-11781)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2017-15705
A denial of service vulnerability was identified in Apache SpamAssassin before 3.4.2. The vulnerability arises from certain unclosed tags in emails that cause markup to be handled incorrectly, leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we set up a parser object and hook into the begin-tag and end-tag event handlers. In both cases, the "open" event is immediately followed by a "close" event, even if the tag *does not* close in the HTML being parsed. Because of this, we miss the "text" event that would normally be used to deal with the object. Carefully crafted emails can therefore take more scan time than expected, leading to a denial of service. The issue is possibly a bug or design decision in HTML::Parser that specifically affects the way Apache SpamAssassin uses the module with poorly formed HTML. The exploit has been seen in the wild but is not believed to have been a deliberate denial of service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future.
CVE-2018-11781
Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. spamassassin-3.4.0-4.el7.src.rpm
    MD5: c72eb2e19daf421c496ab4086b3b37a5
    SHA-256: 44923862015b2530b65b601506ceac1ff4f8df3ec35e1fb0dd70b8a889c8276f
    Size: 1.30 MB

Asianux Server 7 for x86_64
  1. spamassassin-3.4.0-4.el7.x86_64.rpm
    MD5: dbdbcdedde5a48158b23cb66a7653f95
    SHA-256: e7431ac4ce9dc87f8bb6d98cb41bdc083e2fe838e9657c6d70a0641df6ae9a48
    Size: 1.17 MB