Re: spamassassin security update in Debian jessie LTS

To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: noahm@debian.org, debian-lts@lists.debian.org
Subject: Re: spamassassin security update in Debian jessie LTS
From: Matus UHLAR - fantomas <uhlar@fantomas.sk>
Date: Fri, 31 Jan 2020 17:16:53 +0100
Message-id: <[🔎] 20200131161653.GA25100@fantomas.sk>
Mail-followup-to: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, noahm@debian.org, debian-lts@lists.debian.org
In-reply-to: <[🔎] 20200131143151.Horde.6A5QXoCFCFQKLH0XEP9--G5@mail.das-netzwerkteam.de>
References: <[🔎] 20200131143151.Horde.6A5QXoCFCFQKLH0XEP9--G5@mail.das-netzwerkteam.de>

On 31.01.20 14:31, Mike Gabriel wrote:

Hi Noah, dear LTS contributors,


Helo guys,

I am about to look into CVE-2020-1930 and CVE-2020-1931 reportedagainst spamassassin.
The issues have been fixed in 3.4.4~rc1


FYI, 3.4.4 was released two days ago...

and as spamassassin has beenupstream version bumped in Debian jessie LTS before, I am asking foryour opinion, if you'd rather recommend cherry-picking the fixes(which I haven't been able to identify yet in upstream SVN) or simplyupstream version bump spamassassin in jessie LTS once more.
@LTS team: sharing your feedback / opinions will be much appreciated, too.


... and I discussed this with some people on spamassassin mailing list.


quoting one mail[1]:

Key to the issue is I fail to see how the highly intrusive security work

done for 3.4.3 can possibly be backported.

My recommendation remains a strong: upgrade to 3.4.4.


and its reply[2]

The Debian patches for CVE-2018-11805 and CVE-2019-12420 onto 3.4.2 are
roughly 100kb in size.

I can't guess how big would be the fix now. the decision is of course up to you.


[1]
https://mail-archives.apache.org/mod_mbox/spamassassin-users/202001.mbox/<32172386-a795-1bea-ad6f-05218d5dbef0@apache.org>

[2]
https://mail-archives.apache.org/mod_mbox/spamassassin-users/202001.mbox/<fd12a2af-b8c8-8521-9e27-64232cebf571@arcsin.de>


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Reply to:

Follow-Ups:
- Re: spamassassin security update in Debian jessie LTS
  - From: Noah Meyerhans <noahm@debian.org>
- Re: spamassassin security update in Debian jessie LTS
  - From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

References:
- spamassassin security update in Debian jessie LTS
  - From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Prev by Date: spamassassin security update in Debian jessie LTS
Next by Date: Re: [CVE-2019-17026] Firefox Security Advisory 2020-03
Previous by thread: spamassassin security update in Debian jessie LTS
Next by thread: Re: spamassassin security update in Debian jessie LTS
Index(es):
- Date
- Thread