
Bug 702594 (CVE-2018-11805, CVE-2019-12420)

Summary: <mail-filter/spamassassin-3.4.3: multiple vulnerabilities (CVE-{2018-11805,2019-12420})
Product: Gentoo Security
Reporter: Benny Pedersen <me>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: bug, gentoo_bugs_peep, hanno, hydrapolic, maracay, mjo, proxy-maint
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified
Hardware: All
OS: All
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11805
See Also: https://github.com/gentoo/gentoo/pull/13955
Whiteboard: B3 [noglsa cve]
Package list:
mail-filter/spamassassin-3.4.3 dev-perl/BSD-Resource-1.291.100 arm arm64 hppa ppc ppc64
Runtime testing required: ---
Bug Depends on: 707816    
Bug Blocks:    

Description Benny Pedersen 2019-12-12 12:57:56 UTC
configfiles can start embed scripting

Reproducible: Always




mail-filter/spamassassin-3.4.3 resolves it
Comment 1 Philippe Chaintreuil 2019-12-12 15:10:18 UTC
Added GitHub PR that bumps spamassassin to v3.4.3.

https://github.com/gentoo/gentoo/pull/13955
Comment 2 Larry the Git Cow gentoo-dev 2019-12-20 11:47:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2221369f2ed3c8b5fa155bcf9c2660669c3eaaf

commit a2221369f2ed3c8b5fa155bcf9c2660669c3eaaf
Author:     Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
AuthorDate: 2019-12-12 15:06:02 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-12-20 11:45:39 +0000

    mail-filter/spamassassin: Bump to v3.4.3
    
     - Remove 3.4.2 patches that have been fixed by 3.4.3
     - Adjust SQL Update warning trigger as 3.4.3 has more schema changes
    
    Bug: https://bugs.gentoo.org/702594
    Closes: https://github.com/gentoo/gentoo/pull/13955
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 mail-filter/spamassassin/Manifest                  |   1 +
 mail-filter/spamassassin/spamassassin-3.4.3.ebuild | 284 +++++++++++++++++++++
 2 files changed, 285 insertions(+)
Comment 3 Philippe Chaintreuil 2020-01-07 01:02:30 UTC
Ebuild's in, I think this is ready for stability testing.

Current stable ebuild is spamassassin-3.4.2-r2 which has "alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sparc x86" as its stable arches, for reference.
Comment 4 Philippe Chaintreuil 2020-01-20 23:50:39 UTC
Submitted stabilization request bug: https://bugs.gentoo.org/705982
Comment 5 Brian Evans (RETIRED) gentoo-dev 2020-01-22 14:09:49 UTC
*** Bug 705982 has been marked as a duplicate of this bug. ***
Comment 6 Agostino Sarubbo gentoo-dev 2020-01-23 09:43:32 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-01-23 10:36:27 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-01-23 10:41:11 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-01-23 10:52:25 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-01-23 10:56:22 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-01-23 12:18:54 UTC
x86 stable
Comment 12 Rolf Eike Beer archtester 2020-01-26 15:28:10 UTC
hppa stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-01-27 12:15:26 UTC
arm stable
Comment 14 Philippe Chaintreuil 2020-02-20 16:25:45 UTC
ping for arm64 stabilization.  (Also checking that it didn't fall through the cracks when vanilla arm got stabilized.)

You're the last major holdout.  (s390 is still outstanding, but I figure that's a small community.)
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-20 17:17:03 UTC
Superseded by bug 707816.
Comment 16 NATTkA bot gentoo-dev 2020-04-06 15:00:20 UTC
Unable to check for sanity:

> no match for package: mail-filter/spamassassin-3.4.3
Comment 17 NATTkA bot gentoo-dev 2020-04-12 19:23:53 UTC
Unable to check for sanity:

> dependent bug #707816 is missing keywords
Comment 18 NATTkA bot gentoo-dev 2020-04-13 14:40:45 UTC
Unable to check for sanity:

> no match for package: mail-filter/spamassassin-3.4.3
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 02:21:39 UTC
GLSA Vote: No

Thank you all for your work.
Closing as [noglsa].