Sicherheit: Ausführen beliebiger Kommandos in SpamAssassin

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============4054079020529281134==
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="3iyGprgl6Snajes2aQpWUq4dBG3V0Ifw3"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--3iyGprgl6Snajes2aQpWUq4dBG3V0Ifw3
Content-Type: multipart/mixed;
boundary="6HGv3HpfQuK8krQUWChVwzLpm10uU4xaL";
protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: "ubuntu-security-announce@lists.ubuntu.com"
<ubuntu-security-announce@lists.ubuntu.com>
Message-ID: <aee51577-9700-8419-bbc3-d3cfdd6701da@canonical.com>
Subject: [USN-4899-1] SpamAssassin vulnerability

--6HGv3HpfQuK8krQUWChVwzLpm10uU4xaL
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-4899-1
April 01, 2021

spamassassin vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

SpamAssassin could be made to run programs if it opened a specially crafted
file.

Software Description:
- spamassassin: Perl-based spam filter using text analysis

Details:

Damian Lukowski discovered that SpamAssassin incorrectly handled certain CF
files. If a user or automated system were tricked into using a specially-
crafted CF file, a remote attacker could possibly run arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
spamassassin 3.4.4-1ubuntu1.1

Ubuntu 18.04 LTS:
spamassassin 3.4.2-0ubuntu0.18.04.5

Ubuntu 16.04 LTS:
spamassassin 3.4.2-0ubuntu0.16.04.5

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4899-1
CVE-2020-1946

Package Information:
https://launchpad.net/ubuntu/+source/spamassassin/3.4.4-1ubuntu1.1
https://launchpad.net/ubuntu/+source/spamassassin/3.4.2-0ubuntu0.18.04.5
https://launchpad.net/ubuntu/+source/spamassassin/3.4.2-0ubuntu0.16.04.5

--6HGv3HpfQuK8krQUWChVwzLpm10uU4xaL--

--3iyGprgl6Snajes2aQpWUq4dBG3V0Ifw3
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmBlyggACgkQZWnYVadE
vpNf4hAAtg2jZkORvJJpHquwHAnCgfcqXQeCcMGhwK6e2UlnK08ze1N/1WFcOMMh
FfTCqeqBZKo5Dla5Y+vnJBAeloKwKIkMjnC6371hxH8jKRs9p6iCaI4NflIfOlTK
PIrDZaPLNBu78xucu/cHTtmQ2II12Ol1kgZUlGMebVENFRX1rEGAZ3eHYqMUNWVa
UlPRmz4BXlq6mRYiOEVvQRJ093kvgzEoHk/5gdKY+hX+7oRFnWoVG9Uqv7+vUPcn
GtccrXB1XOCEmnA7zGgSUeyoQF9bGJbU0gHBDRHusNKsdigJ7m1SgBEMVg/lJtmc
4h/v3JqTd3WZyG2xhzN/2ywmlZmaSHeQlV8IC4fikf412n/jA18ZJWdGNsFmgwRZ
qkcPjcIO+klXK+GAZrO1qSbPYVYSTNM78j7RjR5KFrOrzV3LabUeVtvL7xzN5cme
4Ch/UBL0AhyQe0DT6yi9J9poT/Y/e5tGzkKvkNNbSqIY5031eY2WPKWpu+JSfCzi
T/U0lXAfPv0pQFD1V+v77gIZfKIglFEbL4aVVy0v4PvnRy8XBWli1N3U3JACOvQE
rCgIjugw62O9/+UbrqK0+NWrKkXAwO+s/arCYf6Emr5Tk+urxEGmg3onlxCISZxR
Eu7BMnQeb1ejNcUpUUP8WSfP+uf0JomszkXoaE2FmGj15qzojPg=
=iwGB
-----END PGP SIGNATURE-----

--3iyGprgl6Snajes2aQpWUq4dBG3V0Ifw3--

--===============4054079020529281134==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============4054079020529281134==--