Document spamassassin - multiple vulnerabilities

Document spamassassin vulnerabilities, as found in this announcement: https://seclists.org/oss-sec/2018/q3/242
svn path=/head/; revision=480751
2024-12-02 01:20:54 +00:00 · 2018-09-26 18:09:07 +00:00 · 2018-09-26 18:09:07 +00:00 · dbb7082708 · 2021-03-31 03:12:20 +00:00
commit dbb7082708
parent f33bd9026a
1 changed files with 43 additions and 0 deletions
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -58,6 +58,49 @@ Notes:
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="613193a0-c1b4-11e8-ae2d-54e1ad3d6335">
+    <topic>spamassassin -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>spamassassin</name>
+	<range><lt>3.4.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>the Apache Spamassassin project reports:</p>
+	<blockquote cite="https://seclists.org/oss-sec/2018/q3/242">
+	  <p>In Apache SpamAssassin, using HTML::Parser, we setup an object and
+	    hook into the begin and end tag event handlers  In both cases, the
+	    "open" event is immediately followed by a "close" event - even if
+	    the tag *does not* close in the HTML being parsed.</p>
+	  <p>Because of this, we are missing the "text" event to deal with
+	    the object normally.  This can cause carefully crafted emails that
+	    might take more scan time than expected leading to a Denial of
+	    Service.</p>
+	  <p>Fix a reliance on "." in @INC in one configuration script.  Whether
+	    this can be exploited in any way is uncertain.</p>
+	  <p>Fix a potential Remote Code Execution bug with the PDFInfo plugin.
+	    Thanks to cPanel Security Team for their report of this issue.</p>
+	  <p> Fourth, this release fixes a local user code injection in the
+	    meta rule syntax. Thanks again to cPanel Security Team for their
+	    report of this issue.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://seclists.org/oss-sec/2018/q3/242</url>
+        <cvename>CVE-2017-15705</cvename>
+	<cvename>CVE-2016-1238</cvename>
+	<cvename>CVE-2018-11780</cvename>
+	<cvename>CVE-2018-11781</cvename>
+    </references>
+    <dates>
+      <discovery>2018-09-16</discovery>
+      <entry>2018-09-26</entry>
+    </dates>
+  </vuln>
+
  <vuln vid="bad59128-c188-11e8-9d40-f0def10dca57">
    <topic>wesnoth -- Code Injection vulnerability</topic>
    <affects>