Security update for spamassassin

Announcement ID:	SUSE-SU-2019:2011-1
Rating:	moderate
References:	bsc#1069831 bsc#1107765 bsc#1108745 bsc#1108748 bsc#1108749 bsc#1108750 bsc#1115411
Cross-References:	CVE-2016-1238 CVE-2017-15705 CVE-2018-11780 CVE-2018-11781
CVSS scores:	CVE-2016-1238 ( SUSE ): 6.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2016-1238 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-1238 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-15705 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-15705 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-11780 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-11780 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-11781 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-11781 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Basesystem Module 15 Development Tools Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves four vulnerabilities and has three security fixes can now be installed.

Description:

This update for spamassassin to version 3.4.2 fixes the following issues:

Security issues fixed:

• CVE-2018-11781: Fixed an issue where a local user could inject code in the meta rule syntax (bsc#1108748).
• CVE-2018-11780: Fixed a potential remote code execution vulnerability in the PDFInfo plugin (bsc#1108750).
• CVE-2017-15705: Fixed a denial of service through unclosed tags in crafted emails (bsc#1108745).
• CVE-2016-1238: Fixed an issue where perl would load modules from the current directory (bsc#1108749).

Non-security issues fixed:

• Use systemd timers instead of cron (bsc#1115411)
• Fixed incompatibility with Net::DNS >= 1.01 (bsc#1107765)
• Fixed warning about deprecated regex during sa-update (bsc#1069831)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2011=1
• Development Tools Module 15
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-2011=1

Package List:

• Basesystem Module 15 (aarch64 ppc64le s390x x86_64)
  • spamassassin-3.4.2-7.4.1
  • spamassassin-debugsource-3.4.2-7.4.1
  • perl-Mail-SpamAssassin-3.4.2-7.4.1
  • spamassassin-debuginfo-3.4.2-7.4.1
• Development Tools Module 15 (aarch64 ppc64le s390x x86_64)
  • perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-7.4.1

References:

• https://www.suse.com/security/cve/CVE-2016-1238.html
• https://www.suse.com/security/cve/CVE-2017-15705.html
• https://www.suse.com/security/cve/CVE-2018-11780.html
• https://www.suse.com/security/cve/CVE-2018-11781.html
• https://bugzilla.suse.com/show_bug.cgi?id=1069831
• https://bugzilla.suse.com/show_bug.cgi?id=1107765
• https://bugzilla.suse.com/show_bug.cgi?id=1108745
• https://bugzilla.suse.com/show_bug.cgi?id=1108748
• https://bugzilla.suse.com/show_bug.cgi?id=1108749
• https://bugzilla.suse.com/show_bug.cgi?id=1108750
• https://bugzilla.suse.com/show_bug.cgi?id=1115411