diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2021-03-25 04:02:59 +0800 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2021-03-25 04:02:59 +0800 |
| commit | 8f5481b3a268bd866ce614471cd3fb29e336f6b4 (patch) | |
| tree | 9c2d9737108b476583d1ed0c0208799a80763feb /security/vuxml | |
| parent | ab1d4c39f480c69c625e38d6a0a5b06d06ee873a (diff) | |
| download | freebsd-ports-gnome-8f5481b3a268bd866ce614471cd3fb29e336f6b4.tar.gz freebsd-ports-gnome-8f5481b3a268bd866ce614471cd3fb29e336f6b4.tar.zst freebsd-ports-gnome-8f5481b3a268bd866ce614471cd3fb29e336f6b4.zip | |
security/vuxml: Document spamassassin CVE-2020-1946
PR: 254526
Security: https://s.apache.org/ng9u9
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
Diffstat (limited to 'security/vuxml')
| -rw-r--r-- | security/vuxml/vuln.xml | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 74231aa879f6..2656f09a04b5 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -78,6 +78,40 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="ec04f3d0-8cd9-11eb-bb9f-206a8a720317"> + <topic>spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands</topic> + <affects> + <package> + <name>spamassassin</name> + <range><lt>3.4.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Apache SpamAssassin project reports:</p> + <blockquote cite="https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C5b7cfd35-27b7-584b-1b39-b7ff0a55f586%40apache.org%3E"> + <p>Apache SpamAssassin 3.4.5 was recently released [1], and fixes + an issue of security note where malicious rule configuration (.cf) + files can be configured to run system commands.</p> + <p>In Apache SpamAssassin before 3.4.5, exploits can be injected in + a number of scenarios. In addition to upgrading to SA 3.4.5, + users should only use update channels or 3rd party .cf files from + trusted places.</p> + </blockquote> + </body> + </description> + <references> + <url>https://spamassassin.apache.org/news.html</url> + <url>https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C5b7cfd35-27b7-584b-1b39-b7ff0a55f586%40apache.org%3E</url> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946</url> + <cvename>CVE-2020-1946</cvename> + </references> + <dates> + <discovery>2021-03-24</discovery> + <entry>2020-03-24</entry> + </dates> + </vuln> + <vuln vid="c4d2f950-8c27-11eb-a3ae-0800278d94f0"> <topic>gitea -- multiple vulnerabilities</topic> <affects> |