Bug 702594 (CVE-2018-11805, CVE-2019-12420) - <mail-filter/spamassassin-3.4.3: multiple vulnerabilities (CVE-{2018-11805,2019-12420})
Alias: CVE-2018-11805, CVE-2019-12420
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal minor with 1 vote
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Duplicates: 705982
Depends on: CVE-2020-1930, CVE-2020-1931
Reported: 2019-12-12 12:57 UTC by Benny Pedersen
Modified: 2020-04-26 02:21 UTC
Package list:
mail-filter/spamassassin-3.4.3 dev-perl/BSD-Resource-1.291.100 arm arm64 hppa ppc ppc64
Runtime testing required: ---
nattka: sanity-check-

Description Benny Pedersen 2019-12-12 12:57:56 UTC
configfiles can start embed scripting

Reproducible: Always

mail-filter/spamassassin-3.4.3 resolves it
Comment 1 Philippe Chaintreuil 2019-12-12 15:10:18 UTC
Added GitHub PR that bumps spamassassin to v3.4.3.
Comment 2 Larry the Git Cow gentoo-dev 2019-12-20 11:47:10 UTC
The bug has been referenced in the following commit(s):

commit a2221369f2ed3c8b5fa155bcf9c2660669c3eaaf
Author:     Philippe Chaintreuil <>
AuthorDate: 2019-12-12 15:06:02 +0000
Commit:     Michael Orlitzky <>
CommitDate: 2019-12-20 11:45:39 +0000

    mail-filter/spamassassin: Bump to v3.4.3
     - Remove 3.4.2 patches that have been fixed by 3.4.3
     - Adjust SQL Update warning trigger as 3.4.3 has more schema changes
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Philippe Chaintreuil <>
    Signed-off-by: Michael Orlitzky <>

 mail-filter/spamassassin/Manifest                  |   1 +
 mail-filter/spamassassin/spamassassin-3.4.3.ebuild | 284 +++++++++++++++++++++
 2 files changed, 285 insertions(+)
Comment 3 Philippe Chaintreuil 2020-01-07 01:02:30 UTC
Ebuild's in, I think this is ready for stability testing.

Current stable ebuild is spamassassin-3.4.2-r2 which has "alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sparc x86" as its stable arches, for reference.
Comment 4 Philippe Chaintreuil 2020-01-20 23:50:39 UTC
Submitted stabilization request bug:
Comment 5 Brian Evans (RETIRED) gentoo-dev 2020-01-22 14:09:49 UTC
*** Bug 705982 has been marked as a duplicate of this bug. ***
Comment 6 Agostino Sarubbo gentoo-dev 2020-01-23 09:43:32 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-01-23 10:36:27 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-01-23 10:41:11 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-01-23 10:52:25 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-01-23 10:56:22 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-01-23 12:18:54 UTC
x86 stable
Comment 12 Rolf Eike Beer archtester 2020-01-26 15:28:10 UTC
hppa stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-01-27 12:15:26 UTC
arm stable
Comment 14 Philippe Chaintreuil 2020-02-20 16:25:45 UTC
ping for arm64 stabilization.  (Also checking that it didn't fall through the cracks when vanilla arm got stabilized.)

You're the last major holdout.  (s390 is still outstanding, but I figure that's a small community.)
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-20 17:17:03 UTC
Superseded by bug 707816.
Comment 16 NATTkA bot gentoo-dev 2020-04-06 15:00:20 UTC
Unable to check for sanity:

> no match for package: mail-filter/spamassassin-3.4.3
Comment 17 NATTkA bot gentoo-dev 2020-04-12 19:23:53 UTC
Unable to check for sanity:

> dependent bug #707816 is missing keywords
Comment 18 NATTkA bot gentoo-dev 2020-04-13 14:40:45 UTC
Unable to check for sanity:

> no match for package: mail-filter/spamassassin-3.4.3
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 02:21:39 UTC
GLSA Vote: No

Thank you all for your work.
Closing as [noglsa].