Hi Matus,

On Fr 31 Jan 2020 17:16:53 CET, Matus UHLAR - fantomas wrote:

> On 31.01.20 14:31, Mike Gabriel wrote:
>> Hi Noah, dear LTS contributors,
>
> Helo guys,
>
>> I am about to look into CVE-2020-1930 and CVE-2020-1931 reported against spamassassin.
>> The issues have been fixed in 3.4.4~rc1
>
> FYI, 3.4.4 was released two days ago...
>
>> and as spamassassin has been upstream version bumped in Debian jessie LTS before, I am asking for your opinion, if you'd rather recommend cherry-picking the fixes (which I haven't been able to identify yet in upstream SVN) or simply upstream version bump spamassassin in jessie LTS once more.
>>
>> @LTS team: sharing your feedback / opinions will be much appreciated, too.
>
> ... and I discussed this with some people on the spamassassin mailing list. Quoting one mail [1]:
>
>     Key to the issue is I fail to see how the highly intrusive security work done for 3.4.3 can possibly be backported. My recommendation remains a strong: upgrade to 3.4.4.
>
> and its reply [2]:
>
>     The Debian patches for CVE-2018-11805 and CVE-2019-12420 onto 3.4.2 are roughly 100kb in size.
>
> I can't guess how big the fix would be now. The decision is of course up to you.
>
> [1] https://mail-archives.apache.org/mod_mbox/spamassassin-users/202001.mbox/<32172386-a795-1bea-ad6f-05218d5dbef0@apache.org>
> [2] https://mail-archives.apache.org/mod_mbox/spamassassin-users/202001.mbox/<fd12a2af-b8c8-8521-9e27-64232cebf571@arcsin.de>
Looking into 3.4.4-1~deb8u3 right now... Thanks for the above feedback.

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de