Medium: spamassassin

2020-02-04T22:46:00
ID ALAS-2020-1341
Type amazon
Reporter Amazon
Modified 2020-02-04T22:46:00

Description

Issue Overview:

In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. (CVE-2019-12420 __)

In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2018-11805 __)

Affected Packages:

spamassassin

Issue Correction:
Run yum update spamassassin to update your system.

New Packages:

i686:  
    spamassassin-3.4.3-2.2.amzn1.i686  
    spamassassin-debuginfo-3.4.3-2.2.amzn1.i686

src:  
    spamassassin-3.4.3-2.2.amzn1.src

x86_64:  
    spamassassin-3.4.3-2.2.amzn1.x86_64  
    spamassassin-debuginfo-3.4.3-2.2.amzn1.x86_64