FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
70111759-1dae-11ea-966a-206a8a720317spamassassin -- multiple vulnerabilities

the Apache Spamassassin project reports:

An input validation error of user-supplied input parsing multipart emails. Specially crafted emails can consume all resources on the system.

A local user is able to execute arbitrary shell commands through specially crafted nefarious CF files.


Discovery 2019-12-11
Entry 2019-12-13
spamassassin
< 3.4.3

https://www.cybersecurity-help.cz/vdb/SB2019121311
CVE-2019-12420
CVE-2018-11805
ec04f3d0-8cd9-11eb-bb9f-206a8a720317spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands

The Apache SpamAssassin project reports:

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.


Discovery 2021-03-24
Entry 2021-03-24
spamassassin
< 3.4.5

https://spamassassin.apache.org/news.html
https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C5b7cfd35-27b7-584b-1b39-b7ff0a55f586%40apache.org%3E
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
CVE-2020-1946
613193a0-c1b4-11e8-ae2d-54e1ad3d6335spamassassin -- multiple vulnerabilities

the Apache Spamassassin project reports:

In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed.

Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service.

Fix a reliance on "." in @INC in one configuration script. Whether this can be exploited in any way is uncertain.

Fix a potential Remote Code Execution bug with the PDFInfo plugin. Thanks to cPanel Security Team for their report of this issue.

Fourth, this release fixes a local user code injection in the meta rule syntax. Thanks again to cPanel Security Team for their report of this issue.


Discovery 2018-09-16
Entry 2018-09-26
spamassassin
< 3.4.2

https://seclists.org/oss-sec/2018/q3/242
CVE-2017-15705
CVE-2016-1238
CVE-2018-11780
CVE-2018-11781
e3404a6e-4364-11ea-b643-206a8a720317spamassassin -- Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings

the Apache Spamassassin project reports:

nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings.


Discovery 2020-01-30
Entry 2020-01-30
spamassassin
< 3.4.4

https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1931
CVE-2020-1931
c86bfee3-4441-11ea-8be3-54e1ad3d6335spamassassin -- Nefarious rule configuration files can run system commands

The Apache SpamAssassin project reports:

A nefarious rule configuration (.cf) files can be configured to run system commands. This issue is less stealthy and attempts to exploit the issue will throw warnings.

Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places.


Discovery 2020-01-28
Entry 2020-01-31
spamassassin
< 3.4.4

https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org%3e
https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3ccdae17ce-acde-6060-148a-6dc5f45ee728@apache.org%3e
CVE-2020-1930
CVE-2020-1931