Re: spamassassin security update in Debian jessie LTS
On 31.01.20 14:31, Mike Gabriel wrote:
> Hi Noah, dear LTS contributors,
>
> I am about to look into CVE-2020-1930 and CVE-2020-1931 reported
> The issues have been fixed in 3.4.4~rc1

FYI, 3.4.4 was released two days ago...

> and as spamassassin has been
> upstream version bumped in Debian jessie LTS before, I am asking for
> your opinion, if you'd rather recommend cherry-picking the fixes
> (which I haven't been able to identify yet in upstream SVN) or simply
> upstream version bump spamassassin in jessie LTS once more.
>
> @LTS team: sharing your feedback / opinions will be much appreciated, too.
... and I discussed this with some people on the spamassassin mailing list.
Quoting one mail:

> Key to the issue is that I fail to see how the highly intrusive security work
> done for 3.4.3 can possibly be backported.
>
> My recommendation remains a strong: upgrade to 3.4.4.

and its reply:

> The Debian patches for CVE-2018-11805 and CVE-2019-12420 onto 3.4.2 are
> roughly 100 kB in size.

I can't guess how big the fix would be now. The decision is of course up to you.
Matus UHLAR - fantomas, email@example.com ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95