FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
e3404a6e-4364-11ea-b643-206a8a720317spamassassin -- Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings

the Apache Spamassassin project reports:

nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings.


Discovery 2020-01-30
Entry 2020-01-30
spamassassin
< 3.4.4

https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1931
CVE-2020-1931
c86bfee3-4441-11ea-8be3-54e1ad3d6335spamassassin -- Nefarious rule configuration files can run system commands

The Apache SpamAssassin project reports:

A nefarious rule configuration (.cf) files can be configured to run system commands. This issue is less stealthy and attempts to exploit the issue will throw warnings.

Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places.


Discovery 2020-01-28
Entry 2020-01-31
spamassassin
< 3.4.4

https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org%3e
https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3ccdae17ce-acde-6060-148a-6dc5f45ee728@apache.org%3e
CVE-2020-1930
CVE-2020-1931
70111759-1dae-11ea-966a-206a8a720317spamassassin -- multiple vulnerabilities

the Apache Spamassassin project reports:

An input validation error of user-supplied input parsing multipart emails. Specially crafted emails can consume all resources on the system.

A local user is able to execute arbitrary shell commands through specially crafted nefarious CF files.


Discovery 2019-12-11
Entry 2019-12-13
spamassassin
< 3.4.3

https://www.cybersecurity-help.cz/vdb/SB2019121311
CVE-2019-12420
CVE-2018-11805
ec04f3d0-8cd9-11eb-bb9f-206a8a720317spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands

The Apache SpamAssassin project reports:

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.


Discovery 2021-03-24
Entry 2021-03-24
spamassassin
< 3.4.5

https://spamassassin.apache.org/news.html
https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C5b7cfd35-27b7-584b-1b39-b7ff0a55f586%40apache.org%3E
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
CVE-2020-1946