Red Hat Product Errata RHSA-2020:4625 - Security Advisory

Issued:: 2020-11-03
Updated:: 2020-11-03

RHSA-2020:4625 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: spamassassin security update

Type/Severity

Security Advisory: Moderate

Topic

An update for spamassassin is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The SpamAssassin tool provides a way to reduce unsolicited commercial email (spam) from incoming email.

Security Fix(es):

spamassassin: crafted configuration files can run system commands without any output or errors (CVE-2018-11805)
spamassassin: crafted email message can lead to DoS (CVE-2019-12420)
spamassassin: command injection via crafted configuration file (CVE-2020-1930)
spamassassin: command injection via crafted configuration file (CVE-2020-1931)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 8 x86_64
Red Hat Enterprise Linux for IBM z Systems 8 s390x
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

BZ - 1630362 - Obsolete channel sought.conf should be removed
BZ - 1784974 - CVE-2018-11805 spamassassin: crafted configuration files can run system commands without any output or errors
BZ - 1784984 - CVE-2019-12420 spamassassin: crafted email message can lead to DoS
BZ - 1802975 - CVE-2020-1931 spamassassin: command injection via crafted configuration file
BZ - 1802977 - CVE-2020-1930 spamassassin: command injection via crafted configuration file

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 8

SRPM
spamassassin-3.4.2-10.el8.src.rpm	SHA-256: f1ada66298b31ca4433712f6b18c37c96cbc2e1e5990c249880fd2921a2a8926
x86_64
spamassassin-3.4.2-10.el8.x86_64.rpm	SHA-256: dcea53aa3a759ce1df58bf0c84057cee117c7ff72689e2b36e84ed1d3a9e850f
spamassassin-debuginfo-3.4.2-10.el8.x86_64.rpm	SHA-256: c728602dbaf311ab35a0514abb34941cb405a03409f3c1b951e78db140805951
spamassassin-debugsource-3.4.2-10.el8.x86_64.rpm	SHA-256: 41895c4e352364f4c341e2c77e1a0606392455b624d05257ecf85940334ec057

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
spamassassin-3.4.2-10.el8.src.rpm	SHA-256: f1ada66298b31ca4433712f6b18c37c96cbc2e1e5990c249880fd2921a2a8926
s390x
spamassassin-3.4.2-10.el8.s390x.rpm	SHA-256: f6621dcb83a0035ad04132e0da48726ce6d5c0eb515caf5cfdf4abfc80619a6e
spamassassin-debuginfo-3.4.2-10.el8.s390x.rpm	SHA-256: fba6873856a8bd5ac21983192a29f26e86fb11ac9b80c7883d1bc4fd55051600
spamassassin-debugsource-3.4.2-10.el8.s390x.rpm	SHA-256: 6f3e8f91bbb352a1509cf9cb9aea3ba4ba0eb85ff62e9501d92dca51e467c458

Red Hat Enterprise Linux for Power, little endian 8

SRPM
spamassassin-3.4.2-10.el8.src.rpm	SHA-256: f1ada66298b31ca4433712f6b18c37c96cbc2e1e5990c249880fd2921a2a8926
ppc64le
spamassassin-3.4.2-10.el8.ppc64le.rpm	SHA-256: a92c592818c409a4556f1dfe3fdf8bd8321eb579c429393ebefefa81bc72baa3
spamassassin-debuginfo-3.4.2-10.el8.ppc64le.rpm	SHA-256: c2530c22176b8106f84d18e41d5598fc9d17b1ab2b84bebb776e7fa9076ef02b
spamassassin-debugsource-3.4.2-10.el8.ppc64le.rpm	SHA-256: b293aba513a057648613ed659deb2106c839057a1f30523252f40031b0eabfed

Red Hat Enterprise Linux for ARM 64 8

SRPM
spamassassin-3.4.2-10.el8.src.rpm	SHA-256: f1ada66298b31ca4433712f6b18c37c96cbc2e1e5990c249880fd2921a2a8926
aarch64
spamassassin-3.4.2-10.el8.aarch64.rpm	SHA-256: 77f6d090f252441ac3a64a783ab7e5e87603ccf22008567a6db0d0a50a090d39
spamassassin-debuginfo-3.4.2-10.el8.aarch64.rpm	SHA-256: f95b8a117477a0d526b2b48baa878fbbae6bac1953cd10dc396b5ea56c27b088
spamassassin-debugsource-3.4.2-10.el8.aarch64.rpm	SHA-256: 65d512f64ced047997162407783b1d679e662094d4d9c4958bafd4b4de7bda56

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories