Posted to users@spamassassin.apache.org by "Kevin A. McGrail" <km...@apache.org> on 2018/09/16 15:03:50 UTC

[ANNOUNCE] Apache SpamAssassin 3.4.2 available

Good Morning,

On behalf of the Apache SpamAssassin Project Management Committee, I am
very pleased to announce the release of Apache SpamAssassin v3.4.2. 
This release contains security bug fixes.  A security announcement will
follow within the next 24 hours.

Apache SpamAssassin can be downloaded from
https://spamassassin.apache.org/downloads.cgi and via cpan
(Mail::SpamAssassin).

Our project website is https://spamassassin.apache.org/

Our DOAP is available at https://spamassassin.apache.org/doap.rdf

Questions?  Please post on our Users mailing list.  More information on
joining our mailing lists is available at
https://wiki.apache.org/spamassassin/MailingLists

-KAM


Release Notes -- Apache SpamAssassin -- Version 3.4.2

Introduction
------------

Apache SpamAssassin 3.4.2 contains numerous tweaks and bug fixes over the
past three and 1/2 years.  As we release 3.4.2, we are preparing 4.0.0 which
will move us into a full UTF-8 environment.  We expect one final 3.4.3
release.

As with any release there are a number of functional patches, improvements as
well as security reasons to upgrade to 3.4.2.  In this case we have over 3
years of issues being resolved at once.  And we are laying the groundwork for
version 4.0 which is designed to more natively handle UTF-8.

However, there is one specific pressing reason to upgrade.  Specifically, we
will stop producing SHA-1 signatures for rule updates.  This means that while
we produce rule updates with the focus on them working for any release from
v3.3.2 forward, they will start failing SHA-1 validation for sa-update.

*** If you do not update to 3.4.2, you will be stuck at the last ruleset
    with SHA-1 signatures in the near future. ***

Many thanks to the committers, contributors, rule testers, mass checkers,
and code testers who have made this release possible. 

Thanks to David Jones for stepping up and helping us found our SpamAssassin
SysAdmin's group. 

And thanks to cPanel for helping make this release possible and contributing
to the continued development of SpamAssassin.  Please visit support.cpanel.net
with any issues involving cPanel & WHM's integration with SpamAssassin.

Notable features:
=================

New plugins
-----------
There are four new plugins added with this release:

  Mail::SpamAssassin::Plugin::HashBL

The HashBL plugin is the interface to The Email Blocklist (EBL).
The EBL is intended to filter spam that is sent from IP addresses
and domains that cannot be blocked without causing significant
numbers of false positives.

  Mail::SpamAssassin::Plugin::ResourceLimits

This plugin leverages BSD::Resource to ensure your spamd child processes
do not exceed the specified CPU or memory limits. If this happens, the child
process will die. See BSD::Resource for more details.

  Mail::SpamAssassin::Plugin::FromNameSpoof

This plugin allows for detection of the From:name field being used to mislead
recipients into thinking an email is from another address.  The man page
includes examples and we expect to put test rules for this plugin into
rulesrc soon!

  Mail::SpamAssassin::Plugin::Phishing

This plugin finds uris used in phishing campaigns detected by
OpenPhish (https://openphish.com) or PhishTank (https://phishtank.com)
feeds.

These plugins are disabled by default. To enable them, uncomment
the loadplugin configuration options in the file v342.pre, or add them to
some local .pre file such as local.pre.

Notable changes
---------------

For security reasons SSLv3 support has been removed from spamc(1).

The spamd(1) daemon now is faster to start, thanks to code optimizations.

Four CVE security bug fixes are included in this release for PDFInfo.pm and
the SA core:
 CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

In sa-update script, optional support for SHA-256 / SHA-512 in addition
to or instead of SHA1 has been added for better validation of rules.
See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614 for information
on the end of SHA-1 signatures which will be the end of rule updates for
releases prior to 3.4.2.

Security updates include improvements to TxRep; temporary file creation
has been hardened; the group list and setuid handling have been hardened for
spamd workers; eval tests have been hardened (Thanks to the cPanel Security
Team!); a bug in earlier Perl versions that caused URIs to be skipped has been
identified; and UTF-16 support has been improved.

GeoIP2 support has been added to RelayCountry and URILocalBL plugins due
to GeoIP legacy API deprecations.

New configuration options
-------------------------

A new template tag _DKIMSELECTOR_ that maps to the DKIM selector (the 's' tag)
from valid signatures has been added.

A 'uri_block_cont' option to the URILocalBL plugin to score URIs per
continent has been added.
Possible continent codes are:
af, as, eu, na, oc, sa for Africa, Asia, Europe, North America,
Oceania and South America.

The 'country_db_type' and 'country_db_path' options have been added to allow
choosing, in the RelayCountry plugin, between GeoIP legacy
(discontinued from 04/01/2018), GeoIP2, IP::Country::Fast
and IP::Country::DB_File.
GeoIP legacy is still the default option but it will be deprecated
in future releases.

A config option 'uri_country_db_path' has been added to be able to choose
in the URILocalBL plugin between GeoIP legacy and the new GeoIP2 API.

A config option 'resource_limit_cpu' (default: 0 or no limit) has been added
to configure how many cpu cycles are allowed on a child process before
it dies.

A config option 'resource_limit_mem' (default: 0 or no limit) has been added
to configure the maximum number of bytes of memory allowed both for
(virtual) address space bytes and resident set size.

A new config option 'report_wrap_width' (default: 70) has been added
to set the wrap width for description lines in the X-Spam-Report header.

Notable Internal changes
------------------------

SpamAssassin can cope with new Net::DNS module versions.
The "bytes" pragma has been removed from both core modules and plugins for
better UTF-8 compatibility; there have also been some other UTF-8 related
fixes.
The spamc(1) client can now be built against OpenSSL 1.1.0.
The test framework has been switched to the Test::More module.

Other updates
-------------

Documentation was updated or enhanced. Project's testing and evaluation
hosts and tools running on the ASF infrastructure were updated.

A list of top-level domains in registrar boundaries was updated.

Optimizations
-------------

Faster startup of the SpamAssassin daemon.
The spamc client now correctly frees (free(3)) all the memory it uses.

Downloading and availability
----------------------------

Downloads are available from:

https://spamassassin.apache.org/downloads.cgi

sha256sum of archive files:


sha512sum of archive files:


Note that the *-rules-*.tgz files are only necessary if you cannot,
or do not wish to, run "sa-update" after install to download the latest
fresh rules.

See the INSTALL and UPGRADE files in the distribution for important
installation notes.


GPG Verification Procedure
--------------------------
The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
https://www.apache.org/dist/spamassassin/KEYS

The key information is:

pub   4096R/F7D39814 2009-12-02
      Key fingerprint = D809 9BC7 9E17 D7E4 9BC2  1E31 FDE5 2F40 F7D3 9814
uid                  SpamAssassin Project Management Committee <pr...@spamassassin.apache.org>
uid                  SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <de...@spamassassin.apache.org>
sub   4096R/7B3265A5 2009-12-02

To verify a release file, download the file with the accompanying .asc
file and run the following commands:

  gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
  gpg --verify Mail-SpamAssassin-3.4.2.tar.bz2.asc
  gpg --fingerprint F7D39814

Then verify that the key matches the signature.

Note that older versions of gnupg may not be able to complete the steps
above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
worked flawlessly.

See https://www.apache.org/info/verification.html for more information
on verifying Apache releases.


About Apache SpamAssassin
-------------------------

Apache SpamAssassin is a mature, widely-deployed open source project
that serves as a mail filter to identify spam. SpamAssassin uses a
variety of mechanisms including mail header and text analysis, Bayesian
filtering, DNS blocklists, and collaborative filtering databases. In
addition, Apache SpamAssassin has a modular architecture that allows
other technologies to be quickly incorporated as an addition or as a
replacement for existing methods.

Apache SpamAssassin typically runs on a server, classifies and labels
spam before it reaches your mailbox, while allowing other components of
a mail system to act on its results.

Most of the Apache SpamAssassin is written in Perl, with heavily
traversed code paths carefully optimized. Benefits are portability,
robustness and facilitated maintenance. It can run on a wide variety of
POSIX platforms.

The server and the Perl library feel at home on Unix and Linux platforms
and reportedly also work on MS Windows systems under ActivePerl.

For more information, visit https://spamassassin.apache.org/


About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides
organizational, legal, and financial support for more than 100
freely-available, collaboratively-developed Open Source projects. The
pragmatic Apache License enables individual and commercial users to
easily deploy Apache software; the Foundation's intellectual property
framework limits the legal exposure of its 2,500+ contributors.

For more information, visit https://www.apache.org/

-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
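The GPG Verification Procedure in the release notes above, scripted end to end as an added example (this is not code from the SpamAssassin project): it checks the sha256sum, verifies the detached .asc signature, and pins the signer to the fingerprint printed in the key information block rather than accepting any key in the keyring. It assumes the signing key was already imported as the notes describe, that the release file and its .asc sit side by side, and that GnuPG's VALIDSIG status line ends with the primary-key fingerprint (true for GnuPG 1.4.x and 2.x).

```shell
#!/bin/sh
# Added example, not part of the SpamAssassin release notes: verify a release
# file by checksum, detached GPG signature, and signing-key fingerprint.
# Assumes the signing key (F7D39814) was already imported from the KEYS file
# or the keyserver as the release notes describe.

# Fingerprint of the SpamAssassin signing key, copied from the release notes.
EXPECTED_FPR="D809 9BC7 9E17 D7E4 9BC2  1E31 FDE5 2F40 F7D3 9814"

# Canonical form of a fingerprint: no whitespace, uppercase hex, so output
# from different gpg versions and hand-typed values compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# fpr_matches EXPECTED ACTUAL: succeed only if ACTUAL is non-empty and the
# two are the same fingerprint after normalisation.
fpr_matches() {
    [ -n "$(norm_fpr "$2")" ] && [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# sha256_of FILE: print the lowercase hex SHA-256 of FILE (sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# sha256_matches FILE EXPECTED_HEX: succeed if FILE's digest equals EXPECTED_HEX
# (case-insensitive, so a digest pasted from an announcement compares cleanly).
sha256_matches() {
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# primary_fpr_from_status: read gpg --status-fd output on stdin and print the
# primary-key fingerprint from the VALIDSIG line (its last field). Prints
# nothing if gpg reported no valid signature. Assumption: GnuPG emits the
# primary-key fingerprint as the final VALIDSIG field, as 1.4.x and 2.x do.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_release FILE EXPECTED_SHA256: succeed only if the checksum matches,
# FILE.asc is a valid detached signature over FILE, and that signature was
# made by the pinned key. A valid signature from some other key in the
# keyring is rejected, which plain "gpg --verify" alone would not do.
verify_release() {
    file=$1
    expected_sha=$2
    if ! sha256_matches "$file" "$expected_sha"; then
        echo "FAIL: sha256 mismatch for $file" >&2
        return 1
    fi
    # --status-fd 1 puts machine-readable status on stdout; human text goes
    # to stderr, which is discarded here.
    actual_fpr=$(gpg --batch --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null \
        | primary_fpr_from_status)
    if [ -z "$actual_fpr" ]; then
        echo "FAIL: no valid signature on $file" >&2
        return 1
    fi
    if ! fpr_matches "$EXPECTED_FPR" "$actual_fpr"; then
        echo "FAIL: $file signed by $actual_fpr, expected $(norm_fpr "$EXPECTED_FPR")" >&2
        return 1
    fi
    echo "OK: $file checksum and signature verified against $(norm_fpr "$EXPECTED_FPR")"
}

# Usage: ./verify_release.sh Mail-SpamAssassin-3.4.2.tar.bz2 <expected sha256>
if [ $# -eq 2 ]; then
    verify_release "$1" "$2"
fi
```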


Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

Posted by Kenneth Porter <sh...@sewingwitch.com>.
On 9/16/2018 5:44 PM, Kevin A. McGrail wrote:
> Thanks for the post.  The bug is way out of line though.

Earlier bug that should probably be the one tracked:

https://bugzilla.redhat.com/show_bug.cgi?id=1629474


Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

Posted by "Kevin A. McGrail" <km...@apache.org>.
Reindl,

I question whether I should bother rewarding your bad behavior and again
ask you if you find your negative attitude gets you where you want to be in
life?  But for others, here are the facts and the policy.

"we see that you mentioned these CVE names public at

https://lists.apache.org/thread.html/a3dc4c9d2a942d550e834df8f423eedeb042fdb69f4a83df26f1446b@%3Cdev.spamassassin.apache.org%3E

Once names are mentioned in public it starts a clock and we usually have 24
hours to send the information to Mitre, see process at
https://apache.org/security/committers.html"

That was 4 days ago and we worked the process with ethical disclosures and
attention to good security hygiene.

Spend your energy elsewhere as I dnftec.

On Sun, Sep 16, 2018, 22:26 Reindl Harald <h....@thelounge.net> wrote:

>
>
> On 17.09.18 at 02:44, Kevin A. McGrail wrote:
> > Thanks for the post.  The bug is way out of line though.
> >
> > We posted release candidate 1 on the 12th noting the 4 CVE issues
> > coming.  I also backchanneled with RH as a heads up.  We do have a
> brain...
>
> no you don't or why is the httpd project capable to bring CVE details a
> few days *after* release announcement (besides that they manage
> regular releases at all)
>
> what you do with that way of announcement is trigger pressure for no good
> reason
>

Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

Posted by "Kevin A. McGrail" <km...@apache.org>.
Thanks for the post.  The bug is way out of line though.

We posted release candidate 1 on the 12th noting the 4 CVE issues coming.
I also backchanneled with RH as a heads up.  We do have a brain...

I have 3.4.2 installed on centos 7 and it was drop-in other than the redhat
specific paths, systemd, config locations, etc.

Hopefully they will push the new version.  A backport is not going to be
easy.

On Sun, Sep 16, 2018, 19:34 Kenneth Porter <sh...@sewingwitch.com> wrote:

> Here's the Red Hat Bugzilla bug requesting a new package for Fedora/RHEL
> be issued ASAP:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1629491
>
> Once the official package drops, you should be able to download the SRPM
> here:
>
>
> https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/SRPMS/Packages/s/
>
> The 3.4.1 package is there as I type this, and I see it has a lot of
> patches marked 3.4.1. So it's probably not as easy as just dropping the
> 3.4.2 tarball into it.
>
>

Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

Posted by Kenneth Porter <sh...@sewingwitch.com>.
Here's the Red Hat Bugzilla bug requesting a new package for Fedora/RHEL 
be issued ASAP:

https://bugzilla.redhat.com/show_bug.cgi?id=1629491

Once the official package drops, you should be able to download the SRPM 
here:

https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/SRPMS/Packages/s/

The 3.4.1 package is there as I type this, and I see it has a lot of 
patches marked 3.4.1. So it's probably not as easy as just dropping the 
3.4.2 tarball into it.


Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

Posted by "Kevin A. McGrail" <km...@apache.org>.
Per the asf security team, mitre considers the public rc1 from a few days
ago as the start of the clock for the publishing so we were already way
past the 24 hour window.

Hopefully, the announcements and reports are obfuscated and bugzilla is
private so it'll be contained.

On Sun, Sep 16, 2018, 16:59 Reindl Harald <h....@thelounge.net> wrote:

> i doubt that it is wise to blow out security notes *that short* after
> release and *that long* after the last release
>
> On 16.09.18 at 18:59, Kevin A. McGrail wrote:
> > Apache SpamAssassin 3.4.2 was recently released [1], and fixes several
> > issues of security note.
> >
> > First, a denial of service vulnerability that exists in all modern
> versions.
> >
> > The vulnerability arises with certain unclosed tags in emails that cause
> > markup to be handled incorrectly leading to scan timeouts.
> >
> > In Apache SpamAssassin, using HTML::Parser, we set up an object and hook
> > into the begin and end tag event handlers.  In both cases, the "open"
> > event is immediately followed by a "close" event - even if the tag *does
> > not* close in the HTML being parsed.
> >
> > Because of this, we are missing the "text" event to deal with the object
> > normally.  This can cause carefully crafted emails that might take more
> > scan time than expected leading to a Denial of Service.
> >
> > The issue is possibly a bug or design decision in HTML::Parser that
> > specifically impacts the way Apache SpamAssassin uses the module with
> > poorly formed html.
> >
> > The exploit has been seen in the wild but is not believed to have been
> > purposefully part of a Denial of Service attempt.  We are concerned that
> > there may be attempts to abuse the vulnerability in the future.
> > Therefore, we strongly recommend all users of these versions upgrade to
> > Apache SpamAssassin 3.4.2 as soon as possible.
> >
> > This issue has been assigned CVE id CVE-2017-15705 [2].
> >
> >
> > Second, this release also fixes a reliance on "." in @INC in one
> > configuration script.  Whether this can be exploited in any way is
> > uncertain.
> >
> > This issue has been assigned CVE id CVE-2016-1238 [3].
> >
> >
> > Third, this release fixes a potential Remote Code Execution bug with the
> > PDFInfo plugin.  Thanks to cPanel Security Team for their report of this
> > issue.
> >
> > This issue has been assigned CVE id CVE-2018-11780 [4].
> >
> >
> > Fourth, this release fixes a local user code injection in the meta rule
> > syntax. Thanks again to cPanel Security Team for their report of this
> issue.
> >
> > This issue has been assigned CVE id CVE-2018-11781 [5].
> >
> >
> > To contact the Apache SpamAssassin security team, please e-mail
> > security at spamassassin.apache.org.  For more information about Apache
> > SpamAssassin, visit the http://spamassassin.apache.org/ web site.
> >
> > Apache SpamAssassin Security Team
> >
> > [1]:
> >
> https://lists.apache.org/thread.html/1ac11532235b5459aa16c4e9d636bf4aa0b141d347d1361e40cc1b78@%3Cannounce.apache.org%3E
> >
> > [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15705
> >
> > [3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1238
> >
> > [4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11780
> >
> > [5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11781
>

[SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.2 was recently released [1], and fixes several
issues of security note.

First, a denial of service vulnerability that exists in all modern versions.

The vulnerability arises with certain unclosed tags in emails that cause
markup to be handled incorrectly leading to scan timeouts.

In Apache SpamAssassin, using HTML::Parser, we set up an object and hook
into the begin and end tag event handlers.  In both cases, the "open"
event is immediately followed by a "close" event - even if the tag *does
not* close in the HTML being parsed.

Because of this, we are missing the "text" event to deal with the object
normally.  This can cause carefully crafted emails that might take more
scan time than expected leading to a Denial of Service.

The issue is possibly a bug or design decision in HTML::Parser that
specifically impacts the way Apache SpamAssassin uses the module with
poorly formed html.

The exploit has been seen in the wild but is not believed to have been
purposefully part of a Denial of Service attempt.  We are concerned that
there may be attempts to abuse the vulnerability in the future.
Therefore, we strongly recommend all users of these versions upgrade to
Apache SpamAssassin 3.4.2 as soon as possible.

This issue has been assigned CVE id CVE-2017-15705 [2].


Second, this release also fixes a reliance on "." in @INC in one
configuration script.  Whether this can be exploited in any way is
uncertain.

This issue has been assigned CVE id CVE-2016-1238 [3].


Third, this release fixes a potential Remote Code Execution bug with the
PDFInfo plugin.  Thanks to cPanel Security Team for their report of this
issue.

This issue has been assigned CVE id CVE-2018-11780 [4].


Fourth, this release fixes a local user code injection in the meta rule
syntax. Thanks again to cPanel Security Team for their report of this issue.

This issue has been assigned CVE id CVE-2018-11781 [5].


To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org.  For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]:
https://lists.apache.org/thread.html/1ac11532235b5459aa16c4e9d636bf4aa0b141d347d1361e40cc1b78@%3Cannounce.apache.org%3E

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15705

[3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1238

[4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11780

[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11781

-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Ricky Gutierrez <xs...@gmail.com>.
Thank you for gr8 software.

On Sun, Sep 16, 2018 at 9:03 AM, Kevin A. McGrail <
kmcgrail@apache.org> wrote:

> Good Morning,
>
> On behalf of the Apache SpamAssassin Project Management Committee, I am
> very pleased to announce the release of Apache SpamAssassin v3.4.2.
> This release contains security bug fixes.  A security announcement will
> follow within the next 24 hours.
>
> Apache SpamAssassin can be downloaded from
> https://spamassassin.apache.org/downloads.cgi and via cpan
> (Mail::SpamAssassin).
>
> Our project website is https://spamassassin.apache.org/
>
> Our DOAP is available at https://spamassassin.apache.org/doap.rdf
>
> Questions?  Please post on our Users mailing list.  More information on
> joining our mailing lists is available at
> https://wiki.apache.org/spamassassin/MailingLists
>
> -KAM
>
>
> Release Notes -- Apache SpamAssassin -- Version 3.4.2
>
> Introduction
> ------------
>
> Apache SpamAssassin 3.4.2 contains numerous tweaks and bug fixes over the
> past three and 1/2 years.  As we release 3.4.2, we are preparing 4.0.0
> which
> will move us into a full UTF-8 environment.  We expect one final 3.4.3
> release.
>
> As with any release there are a number of functional patches,
> improvements as
> well as security reasons to upgrade to 3.4.2.  In this case we have over 3
> years of issues being resolved at once.  And we are laying thr
> groundwork for
> version 4.0 which is is designed to more natively handle UTF-8.
>
> However, there is one specific pressing reason to upgrade.
> Specifically, we
> will stop producing SHA-1 signatures for rule updates.  This means that
> while
> we produce rule updates with the focus on them working for any release from
> v3.3.2 forward, they will start failing SHA-1 validation for sa-update.
>
> *** If you do not update to 3.4.2, you will be stuck at the last ruleset
>     with SHA-1 signatures in the near future. ***
>
> Many thanks to the committers, contributors, rule testers, mass checkers,
> and code testers who have made this release possible.
>
> Thanks to David Jones for stepping up and helping us found our SpamAssassin
> SysAdmin's group.
>
> And thanks to cPanel for helping making this release possible and
> contributing
> to the continued development of SpamAssassin.  Please visit
> support.cpanel.net
> with any issues involving cPanel & WHM's integration with SpamAssassin.
>
> Notable features:
> =================
>
> New plugins
> -----------
> There are four new plugins added with this release:
>
>   Mail::SpamAssassin::Plugin::HashBL
>
> The HashBL plugin is the interface to The Email Blocklist (EBL).
> The EBL is intended to filter spam that is sent from IP addresses
> and domains that cannot be blocked without causing significant
> numbers of false positives.
>
>   Mail::SpamAssassin::Plugin::ResourceLimits
>
> This plugin leverages BSD::Resource to assure your spamd child processes
> do not exceed specified CPU or memory limit. If this happens, the child
> process will die. See the BSD::Resource for more details.
>
>   Mail::SpamAssassin::Plugin::FromNameSpoof
>
> This plugin allows for detection of the From:name field being used to
> mislead
> recipients into thinking an email is from another address.  The man page
> includes examples and we expect to put test rules for this plugin into
> rulesrc soon!
>
>   Mail::SpamAssassin::Plugin::Phishing
>
> This plugin finds uris used in phishing campaigns detected by
> OpenPhish (https://openphish.com) or PhishTank (https://phishtank.com)
> feeds.
>
> These plugins are disabled by default. To enable them, uncomment
> the loadplugin configuration options in file v342.pre, or add them to
> some local .pre file such as local.pre .
>
> Notable changes
> ---------------
>
> For security reasons SSLv3 support has been removed from spamc(1).
>
> The spamd(1) daemon now is faster to start, thanks to code optimizations.
>
> Four CVE security bug fixes are included in this release for PDFInfo.pm and
> the SA core:
>  CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781
>
> In the sa-update script, optional support for SHA-256 / SHA-512 in addition
> to or instead of SHA-1 has been added for better validation of rules.
> See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614 for information
> on the end of SHA-1 signatures, which will be the end of rule updates for
> releases prior to 3.4.2.
>
> Security updates include security improvements for TxRep, tmp file creation
> was hardened, the group list and setuid is hardened for spamd workers,
> eval tests have been hardened (Thanks to the cPanel Security Team!),
> a bug in earlier Perl versions that caused URIs to be skipped has been
> identified, and UTF-16 support is improved.
>
> GeoIP2 support has been added to RelayCountry and URILocalBL plugins due
> to GeoIP legacy API deprecations.
>
> New configuration options
> -------------------------
>
> A new template tag _DKIMSELECTOR_ that maps to the DKIM selector (the 's' tag)
> from valid signatures has been added.
>
> A 'uri_block_cont' option to URILocalBL plugin to score uris per
> continent has been added.
> Possible continent codes are:
> af, as, eu, na, oc, sa for Africa, Asia, Europe, North America,
> Oceania and South America.
>
> The 'country_db_type' and 'country_db_path' options have been added to be able
> to choose in the RelayCountry plugin between GeoIP legacy
> (discontinued from 04/01/2018), GeoIP2, IP::Country::Fast
> and IP::Country::DB_File.
> GeoIP legacy is still the default option but it will be deprecated
> in future releases.
>
> A config option 'uri_country_db_path' has been added to be able to choose
> in the URILocalBL plugin between GeoIP legacy and the new GeoIP2 API.
>
> A config option 'resource_limit_cpu' (default: 0 or no limit) has been added
> to configure how many CPU cycles are allowed on a child process before
> it dies.
>
> A config option 'resource_limit_mem' (default: 0 or no limit) has been added
> to configure the maximum number of bytes of memory allowed both for
> (virtual) address space bytes and resident set size.
>
> A new config option 'report_wrap_width' (default: 70) has been added
> to set the wrap width for description lines in the X-Spam-Report header.
>
> Notable Internal changes
> ------------------------
>
> SpamAssassin can cope with new Net::DNS module versions.
> The "bytes" pragma has been removed from both core modules and plugins for
> better UTF-8 compatibility; there have also been some other UTF-8 related
> fixes.
> The spamc(1) client can now be built against OpenSSL 1.1.0.
> The test framework has been switched to the Test::More module.
>
> Other updates
> -------------
>
> Documentation was updated or enhanced. Project's testing and evaluation
> hosts and tools running on the ASF infrastructure were updated.
>
> A list of top-level domains in registrar boundaries was updated.
>
> Optimizations
> -------------
>
> Faster startup of the SpamAssassin daemon.
> The spamc client now correctly free(3)s all the memory it uses.
>
> Downloading and availability
> ----------------------------
>
> Downloads are available from:
>
> https://spamassassin.apache.org/downloads.cgi
>
> sha256sum of archive files:
>
>   cf03045a4991752145eed007e75737f3e4c7f34cf225db411ce3fd359280e8da  Mail-SpamAssassin-3.4.2.tar.bz2
>   8a1c139ee08f140d3d3fdf13e03d98cf68a5cae27a082c4a614d154565a3c34f  Mail-SpamAssassin-3.4.2.tar.gz
>   c76841929fa53cf0adeb924797195c66da207ab6739553fd62634f94f2dcd875  Mail-SpamAssassin-3.4.2.zip
>   8d481a2081f1e62a2579238f66b58d2124f7a2e9f3cfa3d4aa2b03fe7b0199bb  Mail-SpamAssassin-rules-3.4.2.r1840640.tgz
>
> sha512sum of archive files:
>
>   fe3d9d1d7b9fed3063549afd071066729f1f4d998be91ded1e5afc29bb37c7a298dc5f8f99a282b75435d317b5b5072a81393134ccfe059a73d953e26a9c3885  Mail-SpamAssassin-3.4.2.tar.bz2
>   85e3d78bb885ad1d0bf2066d1bc919d6ad5e9f86795069397e7c28cc1ba02870566ec014c08c81f68e7ed03b7f60d2de0b9730b3415b35d848abde2c8920a28f  Mail-SpamAssassin-3.4.2.tar.gz
>   9545c1cd55c31f23ba8f8421f78306657a068004a27cab8cd094eb9bc7c8d94cdb4803089318f2c0cefb9b817fa3f1cfb7cb817913027c0c93b5d639937ee05c  Mail-SpamAssassin-3.4.2.zip
>   38b5f4dc6e6776937e787123c265ecd9a0a2f60aca1b57d6ed4a8f78cf81550478eddd0829b1255e9e8ce64421e06cc13ae82f1a597e893b65f0d07ba8c53a7f  Mail-SpamAssassin-rules-3.4.2.r1840640.tgz
>
> Note that the *-rules-*.tgz files are only necessary if you cannot,
> or do not wish to, run "sa-update" after install to download the latest
> fresh rules.
>
> See the INSTALL and UPGRADE files in the distribution for important
> installation notes.
>
>
> GPG Verification Procedure
> --------------------------
> The release files also have a .asc accompanying them.  The file serves
> as an external GPG signature for the given release file.  The signing
> key is available via the wwwkeys.pgp.net key server, as well as
> https://www.apache.org/dist/spamassassin/KEYS
>
> The key information is:
>
> pub   4096R/F7D39814 2009-12-02
>        Key fingerprint = D809 9BC7 9E17 D7E4 9BC2  1E31 FDE5 2F40 F7D3 9814
> uid                  SpamAssassin Project Management Committee <pr...@spamassassin.apache.org>
> uid                  SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <de...@spamassassin.apache.org>
> sub   4096R/7B3265A5 2009-12-02
>
> To verify a release file, download the file with the accompanying .asc
> file and run the following commands:
>
>   gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
>   gpg --verify Mail-SpamAssassin-3.4.1.tar.bz2.asc
>   gpg --fingerprint F7D39814
>
> Then verify that the key matches the signature.
>
> Note that older versions of gnupg may not be able to complete the steps
> above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
> worked flawlessly.
>
> See https://www.apache.org/info/verification.html for more information
> on verifying Apache releases.
>
>
> About Apache SpamAssassin
> -------------------------
>
> Apache SpamAssassin is a mature, widely-deployed open source project
> that serves as a mail filter to identify spam. SpamAssassin uses a
> variety of mechanisms including mail header and text analysis, Bayesian
> filtering, DNS blocklists, and collaborative filtering databases. In
> addition, Apache SpamAssassin has a modular architecture that allows
> other technologies to be quickly incorporated as an addition or as a
> replacement for existing methods.
>
> Apache SpamAssassin typically runs on a server, classifies and labels
> spam before it reaches your mailbox, while allowing other components of
> a mail system to act on its results.
>
> Most of the Apache SpamAssassin is written in Perl, with heavily
> traversed code paths carefully optimized. Benefits are portability,
> robustness and facilitated maintenance. It can run on a wide variety of
> POSIX platforms.
>
> The server and the Perl library feel at home on Unix and Linux platforms
> and reportedly also work on MS Windows systems under ActivePerl.
>
> For more information, visit https://spamassassin.apache.org/
>
>
> About The Apache Software Foundation
> ------------------------------------
>
> Established in 1999, The Apache Software Foundation provides
> organizational, legal, and financial support for more than 100
> freely-available, collaboratively-developed Open Source projects. The
> pragmatic Apache License enables individual and commercial users to
> easily deploy Apache software; the Foundation's intellectual property
> framework limits the legal exposure of its 2,500+ contributors.
>
> For more information, visit https://www.apache.org/
>
> --
> Kevin A. McGrail
> VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
> --
rickygm

http://gnuforever.homelinux.com
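
The download section and the GPG verification procedure in the announcement quoted above describe two independent checks on a release archive: its published sha256sum/sha512sum, and the detached .asc signature made with the project key (fingerprint D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814). The POSIX shell script below is an added example, not code from the announcement or from the SpamAssassin project; it wires both checks into one fail-closed function and pins the signature to that primary key fingerprint instead of accepting any key gpg happens to have imported. It assumes gpg(1) and sha256sum(1) are on PATH, that the .asc file sits next to the archive, and that the expected digest is supplied on the command line (copied from the announcement). The fingerprint constant and the sample status line in the comments are taken from the announcement's key block; everything else is mine.

```shell
#!/bin/sh
# Added example, not code from the SpamAssassin project or the announcement:
# verify a release archive against its published SHA-256 digest and its
# detached .asc signature, and accept the signature only if it was made by
# the pinned project key. Assumes gpg(1) and sha256sum(1) are on PATH.
set -u

# Primary key fingerprint from the announcement's "The key information is:" block.
SA_RELEASE_KEY_FPR='D809 9BC7 9E17 D7E4 9BC2  1E31 FDE5 2F40 F7D3 9814'

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's SHA-256 equals EXPECTED_HEX (case-insensitive),
# 1 on mismatch or if the file cannot be read.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# signature_fingerprint_ok STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is the machine-readable output of `gpg --status-fd 1 --verify`.
# Returns 0 only if a VALIDSIG line lists EXPECTED_FPR (spaces ignored) as the
# signing key or as the primary key it belongs to. A GOODSIG line alone is not
# enough: it names the key only by its short id, which is not collision-safe.
signature_fingerprint_ok() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            for (i = 3; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# verify_release FILE EXPECTED_SHA256 [KEY_FPR]
# Fails closed: digest first, then signature validity, then key pinning.
verify_release() {
    rel=$1
    if ! verify_sha256 "$rel" "$2"; then
        echo "FAIL: sha256 mismatch for $rel" >&2
        return 1
    fi
    # --status-fd 1 makes gpg print parseable [GNUPG:] lines on stdout.
    status=$(gpg --status-fd 1 --verify "$rel.asc" "$rel" 2>/dev/null) || {
        echo "FAIL: gpg could not verify $rel.asc" >&2
        return 1
    }
    if ! signature_fingerprint_ok "$status" "${3:-$SA_RELEASE_KEY_FPR}"; then
        echo "FAIL: $rel.asc was not signed by the expected key" >&2
        return 1
    fi
    echo "OK: $rel digest and signature verified"
}

# Usage (digest copied from the announcement's sha256sum list):
#   sh verify-sa-release.sh Mail-SpamAssassin-3.4.2.tar.bz2 cf03045a4991752145eed007e75737f3e4c7f34cf225db411ce3fd359280e8da
if [ $# -ge 2 ]; then
    verify_release "$@"
fi
```

Run `gpg --recv-key F7D39814` first, as the announcement says, so the public key is available; the script then refuses any archive whose digest differs from the one you pasted, any file whose signature does not verify, and any signature made by a key other than the pinned one, which is the check the announcement's "verify that the key matches the signature" step is asking for.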

[SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.2 was recently released [1], and fixes several
issues of security note.

First, a denial of service vulnerability that exists in all modern versions.

The vulnerability arises with certain unclosed tags in emails that cause
markup to be handled incorrectly leading to scan timeouts.

In Apache SpamAssassin, using HTML::Parser, we set up an object and hook
into the begin and end tag event handlers.  In both cases, the "open"
event is immediately followed by a "close" event - even if the tag *does
not* close in the HTML being parsed.

Because of this, we are missing the "text" event to deal with the object
normally.  This can cause carefully crafted emails that might take more
scan time than expected leading to a Denial of Service.

The issue is possibly a bug or design decision in HTML::Parser that
specifically impacts the way Apache SpamAssassin uses the module with
poorly formed html.

The exploit has been seen in the wild but is not believed to have been
purposefully part of a Denial of Service attempt.  We are concerned that
there may be attempts to abuse the vulnerability in the future.
Therefore, we strongly recommend all users of these versions upgrade to
Apache SpamAssassin 3.4.2 as soon as possible.

This issue has been assigned CVE id CVE-2017-15705 [2].


Second, this release also fixes a reliance on "." in @INC in one
configuration script.  Whether this can be exploited in any way is
uncertain.

This issue has been assigned CVE id CVE-2016-1238 [3].


Third, this release fixes a potential Remote Code Execution bug with the
PDFInfo plugin.  Thanks to cPanel Security Team for their report of this
issue.

This issue has been assigned CVE id CVE-2018-11780 [4].


Fourth, this release fixes a local user code injection in the meta rule
syntax. Thanks again to cPanel Security Team for their report of this issue.

This issue has been assigned CVE id CVE-2018-11781 [5].


To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org.  For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]:
https://lists.apache.org/thread.html/1ac11532235b5459aa16c4e9d636bf4aa0b141d347d1361e40cc1b78@%3Cannounce.apache.org%3E

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15705

[3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1238

[4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11780

[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11781

-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


SpamAssassin 3.4.2 -- RPM for CentOS 5

Posted by Amir Caspi <ce...@3phase.com>.
Hi all,

	I finally had some bandwidth and was able to get an RPM built for CentOS 5.  I used Kevin Fenzi's CentOS 6 source RPM from COPR rather than one from Fedora, though I imagine Fedora would probably work just fine.  The only thing I had to do to get this to work was to install the perl-interpreter and perl-generators dependencies, which had to also be built from SRPM (they are dummy packages but required, and not available on CentOS 5)... and to specify the buildroot for the SA SRPM.

For anyone still running this ancient and decrepit (and EOL) OS, here are instructions that should hopefully work:

1) Grab the perl-generators SRPM from Fedora..  We need this because it's not on CentOS 5, but is required by SA.
wget https://dl.fedoraproject.org/pub/epel/6/SRPMS/Packages/p/perl-generators-1.08-5.el6.src.rpm

2) As an unprivileged user (e.g., mockbuild), install the spec file:
rpm --nomd5 -i perl-generators-1.08-5.el6.src.rpm

3) Go to where the spec file was installed (probably /usr/src/redhat/SPECS unless you specified a different directory)
3.5) Edit the spec file: under perl-interpreter, change Version to 5.8.8 (optionally change Epoch to 2).

4) Build and install the perl-generators RPM:
[NOT AS ROOT] rpmbuild -ba perl-generators.spec
[AS ROOT] yum localinstall --nogpgcheck /usr/src/redhat/RPMS/noarch/perl-interpreter-5.8.8-5.noarch.rpm /usr/src/redhat/RPMS/noarch/perl-generators-1.08-5.noarch.rpm

5) Grab the SA 3.4.2 SRPM from Kevin Fenzi (this may work fine with the Fedora SRPM too):
wget https://copr-be.cloud.fedoraproject.org/results/kevin/spamassassin-el/epel-6-x86_64/00801043-spamassassin/spamassassin-3.4.2-2.el6.src.rpm

6) As unprivileged, install the spec file:
rpm --nomd5 -i spamassassin-3.4.2-2.el6.src.rpm

7) Build and install... note that we have to specify BuildRoot because otherwise it will try to install into /usr/bin (not sure why this isn't defaulted):
[NOT AS ROOT] rpmbuild -ba --buildroot /var/tmp/build /usr/src/redhat/SPECS/spamassassin.spec
[AS ROOT] yum localinstall --nogpgcheck /usr/src/redhat/RPMS/$HOSTTYPE/spamassassin-3.4.2-2.i386.rpm

Of course, if you are missing any dependencies during step 6 or 7, install those, then try again...

So far, no problems here.

I can make the actual built RPMs available if anyone wants them...

Cheers.

--- Amir


Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Mon, 17 Sep 2018 15:22:48 -0400
"Kevin A. McGrail" <km...@apache.org> wrote:

[snip]

> Good to know. Did the Makefile.PL gracefully tell you that your
> Makemaker was too old?

It did indeed, which made the fix very simple.  Thanks for your hard work!

Regards,

Dianne.

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by "Kevin A. McGrail" <km...@apache.org>.
On 9/17/2018 3:05 PM, Dianne Skoll wrote:
> On Mon, 17 Sep 2018 13:22:32 -0400
> "Kevin A. McGrail" <km...@apache.org> wrote:
>
>> I'd be pretty shocked if you have to do very much to that src rpm for
>> 3.4.1 to get 3.4.2 working.
> I ran into one gotcha on (ancient) Debian 5; the version of
> ExtUtils::MakeMaker was too old.  Installing from CPAN did the trick.  I'd
> imagine something similar might happen on ancient Red Hat Enterprise Linux 5.
Good to know.  Did the Makefile.PL gracefully tell you that your
Makemaker was too old?

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Mon, 17 Sep 2018 13:22:32 -0400
"Kevin A. McGrail" <km...@apache.org> wrote:

> I'd be pretty shocked if you have to do very much to that src rpm for
> 3.4.1 to get 3.4.2 working.

I ran into one gotcha on (ancient) Debian 5; the version of
ExtUtils::MakeMaker was too old.  Installing from CPAN did the trick.  I'd
imagine something similar might happen on ancient Red Hat Enterprise Linux 5.

Regards,

Dianne.

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Monday, September 17, 2018 3:13 PM -0400 "Kevin A. McGrail" 
<km...@apache.org> wrote:

> You can install the srpm and then in
> /usr/src/RedHat you get various files like tar files and patches with a
> spec file that says how to build it.

That path would be if you were building as root, which is not recommended. 
I suggest creating a user just for making RPMs. Switch to that user and run 
rpmdev-setuptree to set up your packaging environment under ~/rpmbuild.

Some initial help to get one started:

<https://www.g-loaded.eu/2006/04/05/how-to-build-rpm-packages-on-fedora/>

<http://www.city-fan.org/tips/CreateRPMBuildEnvironment>


Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by "Kevin A. McGrail" <km...@apache.org>.
Recommend you might take a look.  You can install the srpm and then in
/usr/src/RedHat you get various files like tar files and patches with a
spec file that says how to build it.  Some are complex, some are easy. 
Then you rpmbuild to make an RPM that you can install.

If you can do a batch file, you can likely use an rpm spec file.

Regards,
KAM

On 9/17/2018 1:58 PM, Amir Caspi wrote:
>> On Sep 17, 2018, at 11:22 AM, Kevin A. McGrail <km...@apache.org> wrote:
>>
>> I'd be pretty shocked if you have to do very much to that src rpm for
>> 3.4.1 to get 3.4.2 working. 
> Possibly if I knew what I was doing with src rpms, that would be the case. ;-)  Hoping someone who knows a lot more than I do is already working on it...
>
> --- Amir
>

-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Amir Caspi <ce...@3phase.com>.
> On Sep 17, 2018, at 11:22 AM, Kevin A. McGrail <km...@apache.org> wrote:
> 
> I'd be pretty shocked if you have to do very much to that src rpm for
> 3.4.1 to get 3.4.2 working. 

Possibly if I knew what I was doing with src rpms, that would be the case. ;-)  Hoping someone who knows a lot more than I do is already working on it...

--- Amir


Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by "Kevin A. McGrail" <km...@apache.org>.
I'd be pretty shocked if you have to do very much to that src rpm for
3.4.1 to get 3.4.2 working. 

On 9/17/2018 1:19 PM, Amir Caspi wrote:
> Is there anyone so kind as to perhaps make an RPM for CentOS 5?  There are still more than a few dinosaurs running that OS that can't upgrade but would love to have SA.
>
> I could probably build it from the src rpm but I'm not an expert...
>
> Kevin Fenzi has a repo with 3.4.1 for CentOS 5 and 6, but I don't know if he plans to update it with 3.4.2...
>
> Cheers.
>
> --- Amir
>
>> On Sep 16, 2018, at 11:30 PM, Reio Remma <re...@mrstuudio.ee> wrote:
>>
>> On 17.09.2018 4:13, Ricky Gutierrez wrote:
>>> Reio hi, Could you please share the rpm or src for centOS?
>> Download link @WeTransfer:
>>
>> https://we.tl/t-CbvKhwJoCA
>>
>> spamassassin-3.4.2-0.el7.x86_64.rpm
>>
>> Will be deleted on 24 September, 2018.
>>
>> Good luck,
>> Reio


-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Amir Caspi <ce...@3phase.com>.
Is there anyone so kind as to perhaps make an RPM for CentOS 5?  There are still more than a few dinosaurs running that OS that can't upgrade but would love to have SA.

I could probably build it from the src rpm but I'm not an expert...

Kevin Fenzi has a repo with 3.4.1 for CentOS 5 and 6, but I don't know if he plans to update it with 3.4.2...

Cheers.

--- Amir

> On Sep 16, 2018, at 11:30 PM, Reio Remma <re...@mrstuudio.ee> wrote:
> 
> On 17.09.2018 4:13, Ricky Gutierrez wrote:
>> Reio hi, Could you please share the rpm or src for centOS?
> 
> Download link @WeTransfer:
> 
> https://we.tl/t-CbvKhwJoCA
> 
> spamassassin-3.4.2-0.el7.x86_64.rpm
> 
> Will be deleted on 24 September, 2018.
> 
> Good luck,
> Reio


Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Ricky Gutierrez <xs...@gmail.com>.
On Sun, Sep 16, 2018 at 11:31 PM, Reio Remma <re...@mrstuudio.ee>
wrote:

>
> Download link @WeTransfer:
>
> https://we.tl/t-CbvKhwJoCA
>
> spamassassin-3.4.2-0.el7.x86_64.rpm
>
> Will be deleted on 24 September, 2018.
>
> Good luck,
> Reio


Thanks

--
rickygm

http://gnuforever.homelinux.com

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Reio Remma <re...@mrstuudio.ee>.
On 17.09.2018 4:13, Ricky Gutierrez wrote:
> Reio hi, Could you please share the rpm or src for centOS?

Download link @WeTransfer:

https://we.tl/t-CbvKhwJoCA

spamassassin-3.4.2-0.el7.x86_64.rpm

Will be deleted on 24 September, 2018.

Good luck,
Reio

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Ricky Gutierrez <xs...@gmail.com>.
Reio hi, Could you please share the rpm or src for centOS?

On Sun, Sep 16, 2018 at 2:10 PM, Reio Remma <re...@mrstuudio.ee>
wrote:

>
>
> Wonderful, thank you all for your hard work!
>
> I encountered no problems at all when building a new RPM for CentOS 7.
>
> Thanks and good luck,
> Reio
>
-- 
rickygm

http://gnuforever.homelinux.com

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Reio Remma <re...@mrstuudio.ee>.
On 16.09.2018 18:03, Kevin A. McGrail wrote:
> Good Morning,
>
> On behalf of the Apache SpamAssassin Project Management Committee, I am
> very pleased to announce the release of Apache SpamAssassin v3.4.2.
> This release contains security bug fixes.  A security announcement will
> follow within the next 24 hours.
>

Wonderful, thank you all for your hard work!

I encountered no problems at all when building a new RPM for CentOS 7.

Thanks and good luck,
Reio

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Chris <cp...@embarqmail.com>.
On Sun, 2018-09-16 at 20:54 -0400, Kevin A. McGrail wrote:
> Please point them here if they need help.  It is a good drop in
> upgrade.

I would assume it being a security update they'd be on the ball. I'll
wait a few days before I ask about it. I could install via cpan but
would rather wait on the package since that's what was installed when I
did the 16.04->18.04 upgrade.
apt-cache policy spamassassin
spamassassin:
  Installed: 3.4.1-8build1
  Candidate: 3.4.1-8build1
  Version table:
 *** 3.4.1-8build1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
> On Sun, Sep 16, 2018, 20:45 Chris <cp...@embarqmail.com> wrote:
> > On Sun, 2018-09-16 at 11:03 -0400, Kevin A. McGrail wrote:
> > > Good Morning,
> > > 
> > > On behalf of the Apache SpamAssassin Project Management Committee, I
> > > am
> > > very pleased to announce the release of Apache SpamAssassin v3.4.2. 
> > > This release contains security bug fixes.  A security announcement
> > > will
> > > follow within the next 24 hours.
> > > 
> > > Apache SpamAssassin can be downloaded from
> > > https://spamassassin.apache.org/downloads.cgi and via cpan
> > > (Mail::SpamAssassin).
> > > 
> > I assume that once the Ubuntu folks get the security announcement
> > they'll build and release the 3.4.2 package?
> > 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:02:34 up 1 day, 2:33, 2 users, load average: 0.99, 0.79, 0.87
Description:	Ubuntu 18.04.1 LTS, kernel 4.15.0-34-generic

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by "Kevin A. McGrail" <km...@apache.org>.
Please point them here if they need help.  It is a good drop in upgrade.
On Sun, Sep 16, 2018, 20:45 Chris <cp...@embarqmail.com> wrote:

> On Sun, 2018-09-16 at 11:03 -0400, Kevin A. McGrail wrote:
> > Good Morning,
> >
> > On behalf of the Apache SpamAssassin Project Management Committee, I
> > am
> > very pleased to announce the release of Apache SpamAssassin v3.4.2.
> > This release contains security bug fixes.  A security announcement
> > will
> > follow within the next 24 hours.
> >
> > Apache SpamAssassin can be downloaded from
> > https://spamassassin.apache.org/downloads.cgi and via cpan
> > (Mail::SpamAssassin).
> >
> I assume that once the Ubuntu folks get the security announcement
> they'll build and release the 3.4.2 package?
>
> >
> --
> Chris
> KeyID 0xE372A7DA98E6705C
> 31.11972; -97.90167 (Elev. 1092 ft)
> 19:44:06 up 1 day, 2:14, 2 users, load average: 0.89, 1.11, 1.00
> Description:    Ubuntu 18.04.1 LTS, kernel 4.15.0-34-generic
>

Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

Posted by Chris <cp...@embarqmail.com>.
On Sun, 2018-09-16 at 11:03 -0400, Kevin A. McGrail wrote:
> Good Morning,
> 
> On behalf of the Apache SpamAssassin Project Management Committee, I
> am
> very pleased to announce the release of Apache SpamAssassin v3.4.2. 
> This release contains security bug fixes.  A security announcement
> will
> follow within the next 24 hours.
> 
> Apache SpamAssassin can be downloaded from
> https://spamassassin.apache.org/downloads.cgi and via cpan
> (Mail::SpamAssassin).
> 
I assume that once the Ubuntu folks get the security announcement
they'll build and release the 3.4.2 package?

> 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:44:06 up 1 day, 2:14, 2 users, load average: 0.89, 1.11, 1.00
Description:	Ubuntu 18.04.1 LTS, kernel 4.15.0-34-generic
