FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

spamassassin -- multiple vulnerabilities

Affected packages
spamassassin < 3.4.2

Details

VuXML ID 613193a0-c1b4-11e8-ae2d-54e1ad3d6335
Discovery 2018-09-16
Entry 2018-09-26

the Apache Spamassassin project reports:

In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed.

Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service.

Fix a reliance on "." in @INC in one configuration script. Whether this can be exploited in any way is uncertain.

Fix a potential Remote Code Execution bug with the PDFInfo plugin. Thanks to cPanel Security Team for their report of this issue.

Fourth, this release fixes a local user code injection in the meta rule syntax. Thanks again to cPanel Security Team for their report of this issue.

References

CVE Name CVE-2016-1238
CVE Name CVE-2017-15705
CVE Name CVE-2018-11780
CVE Name CVE-2018-11781
URL https://seclists.org/oss-sec/2018/q3/242