From 49916e263d5f8f7fc1cbfe065e53b1ca7f153e03 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Fri, 24 Apr 2020 03:39:12 +0000 Subject: [PATCH] import spamassassin-3.4.2-9.el8 --- SOURCES/README.RHEL.Fedora | 3 -- SOURCES/sought.conf | 47 ------------------- ...pamassassin-3.4.2-fix-CVE-2019-12420.patch | 25 ++++++++++ SPECS/spamassassin.spec | 14 ++++-- 4 files changed, 36 insertions(+), 53 deletions(-) delete mode 100644 SOURCES/sought.conf create mode 100644 SOURCES/spamassassin-3.4.2-fix-CVE-2019-12420.patch diff --git a/SOURCES/README.RHEL.Fedora b/SOURCES/README.RHEL.Fedora index a504866..c4f64e0 100644 --- a/SOURCES/README.RHEL.Fedora +++ b/SOURCES/README.RHEL.Fedora @@ -26,9 +26,6 @@ override the daemon check in /etc/sysconfig/sa-update All sa-update channels are defined in files contained in this directory. See the existing config files as examples for writing your own config file. -4) SOUGHT Anti-Fraud Rule Channel is Enabled by Default -http://wiki.apache.org/spamassassin/SoughtRules - General Warnings ================ * DO NOT USE SARE or OpenProtect rules. They are old and outdated, and diff --git a/SOURCES/sought.conf b/SOURCES/sought.conf deleted file mode 100644 index f24d6c9..0000000 --- a/SOURCES/sought.conf +++ /dev/null @@ -1,47 +0,0 @@ -# http://wiki.apache.org/spamassassin/SoughtRules -CHANNELURL=sought.rules.yerp.org -KEYID=6C6191E3 -# Ignore everything below. -return 0 - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.1 (GNU/Linux) - -mQGiBEa/l+YRBACC+uJfIThEoEWrNxdDD/1tAwb5L8v7H3gGt+LtuOwwn5ZU7XsT -s1DOok1oZVRnTQJYdlth7QlU9wqijwLEVzW1LDWnxXXKwPmlTlkcdGoBcb+cBbYI -miJ/TlAetvbprcZdROS4Ey31GjPRmWPPnVE2Xcwy+e4+RmnhqfZBmOaE7wCgo1GG -pkik2OPD1le4LGGOGHL5HiED/0TyvTiSS3NnUtoDFQAPrnezOCjxv8zMjYEnJs/I -h7uyIgHRsbB75cD2O1LWyO8Vz8r/snVuG35zcZagPf/7Tc9AJoaxVmCIk9DEmWZp -iuvqpMhwHAbNvY3jY2oKsDl1rNx0IIctoJwjXia99kvNTHK/Yz/HqhIyLModhiMB -aYYZA/wIdPOHGHaP5vjlbWBwGlRR9m0Rf4ob5sul8MjCyehOYcRVLwfOEfzX308v -0enOGnbbBKXU2QvA0Z068aBmJkJaaPhlIjZApQJDsb7pt6k8jMPj/Xpr779wAFQ8 -IZC7Tw21OtqkjrUb3dZlEljrTwWNc6FVxuIidBBg7HCdP24WKLRESnVzdGluIE1h -c29uIFNpZ25pbmcgS2V5IChDb2RlIFNpZ25pbmcgT25seSkgPHNpZ25pbmdrZXlA -am1hc29uLm9yZz6IZAQTEQIAJAUCRr+X5gIbAwUJEswDAAYLCQgHAwIDFQIDAxYC -AQIeAQIXgAAKCRDchTQfbGGR4/GJAKCC6X6AF8nM+H00b/XeZl9vYihXBgCcDYuU -AtXjWWxndkneakmbnD0O4Z25BA0ERr+YdxAQAIYYUQHMzVsRAzpIRLfni0aeczrr -armwXMJ8y5p74lVLbJyQOjkQyIJWP80twrN8SjNyUFBr/52SlOPOuAbGZY1ZKpux -vkbsug2wWvkoj8xGjnexrSDahRgpNhf/otLRNTyUFZTM6mjZt0ItnYDl6xszY4kd -O5rVzjQuivNB4BsHcd8qQ7zVo9+VZ5R77iM4dtk6t5ycpXlAom5pD8qLb7ZzTVe0 -SuhzOeynF51rwjS+wa3hzZisvJqZA5uJcAyYslgP1UTW+2e5wutSktSZmL/XnlEF -p86GPjAgDPL2Q0TgzVL6sPt0blNCyzOJrcBqBHrgZfraYgqtmGepLpk72q4VD23c -aV2wTqjnfJAsNR3y8jgVNwF8LpXtlbxrBByFRwEqsc/gzdMEnJ728XBDqT2IhZLY -maL/WxiDKNWD/Mae69HTyInIYgrfT7nJKDeKQA81+e5+UmqBVoi5/AICMlDm1DgR -gG6bbOXGhLVPh+gHjGG4Jdd/ZLedncUsjW9KyK261sqM3tSDSfgnF99w2/32ToFu -ChN8JOfQ6VZ7QbL1BWRtQWZ3tyauUUXmsrYDv1w1nx51MqxQdlitnmTRWaRW0GmD -b5XapJfSK+FiGXaynl3HHxHHpcUauX9zBa/LRp8oXiGPLfJEWmjWcGCyGZawASj3 -pTTJUnbkYs0fUyUXAAQND/42mh8f3mTA+24I3lY4K8mxH9GSFgOkLoYwok8xL5Md -OUJAyvs34ixqvM2u560YJkegEO/xzg2abddfoqL8eNnjfvG3bI7KOCT+m+mM/5Cg -ul8XFSnHIEivuOXNtc/x/dwYSidKM8atkdpKtv++psd6hVbJQMfLlzf0S2QyiaGk -yXur/pM3A97lvkjAgvIKQt8NbJ/sITFlrN2TFxcbE8OED7LC4nBo54TJ1AxVsHlT -LB5XPKU8pBv0fABZrNKxf6a2iXx9jT9sSYdnb0y+hBjnoWZUNbhxo6jpAqt1quUy -buGWugvG8J75JvT6X+lwEEkg1lplmm+HuaFtegOqTUTKmffKduY+E00le+3Kh8gW -bLR8P1qp/xnxQxZJYcQ+mT4QsYpj6Pkcj0ON3NQO5wP6dr2UGhGcSzS2Cxv8TERN -7HSdFbFXQWPCekx+i7OjeRSY/XTUf2zYquPNP2oU0MjgnXhnkHq+6EaQPpM59fMd -MyLeOiUMOxpPOkeaAC8Ku0Oj2aZU/eyizuBDnhq1PAxBprSW5SSkxP4kz9BnA42x -tkMKMzzPohdfMIRI6zSu0chr76w2UeoViSsMtmWnR6qAXbQvzR+HHxhhB/Rzp6Gc -u9gybrv58IBkybn5ztST6NqgIgcQ/E7XIsB0Eooohfw+QiPlCdoghSxspbzwqcEZ -B4hPBBgRAgAPBQJGv5h3AhsMBQkSzAMAAAoJENyFNB9sYZHjUh0AnA3u5TNYHGLQ -DXLPP0qWHkTeOz8dAJ4wkrLBTaXz3CPCjoTdoBiQsNt3fw== -=nK43 ------END PGP PUBLIC KEY BLOCK----- diff --git a/SOURCES/spamassassin-3.4.2-fix-CVE-2019-12420.patch b/SOURCES/spamassassin-3.4.2-fix-CVE-2019-12420.patch new file mode 100644 index 0000000..4c55b23 --- /dev/null +++ b/SOURCES/spamassassin-3.4.2-fix-CVE-2019-12420.patch @@ -0,0 +1,25 @@ +diff -urp Mail-SpamAssassin-3.4.2/lib/Mail/SpamAssassin/Message.pm Mail-SpamAssassin-3.4.2.new/lib/Mail/SpamAssassin/Message.pm +--- Mail-SpamAssassin-3.4.2/lib/Mail/SpamAssassin/Message.pm 2018-09-14 03:27:51.000000000 +0200 ++++ Mail-SpamAssassin-3.4.2.new/lib/Mail/SpamAssassin/Message.pm 2020-04-09 15:17:34.300986337 +0200 +@@ -876,6 +876,7 @@ sub _parse_multipart { + my $header; + my $part_array; + my $found_end_boundary; ++ my $partcnt = 0; + + my $line_count = @{$body}; + foreach ( @{$body} ) { +@@ -948,6 +949,13 @@ sub _parse_multipart { + } + } + ++ # Maximum parts to process ++ if (++$partcnt == 1000) { ++ dbg("message: mimepart limit exceeded, stopping parsing"); ++ $self->{'mimepart_limit_exceeded'} = 1; ++ return; ++ } ++ + # make sure we start with a new clean node + $in_body = 0; + $part_msg = Mail::SpamAssassin::Message::Node->new({ normalize=>$self->{normalize} }); diff --git a/SPECS/spamassassin.spec b/SPECS/spamassassin.spec index aa26a44..be1a3e4 100644 --- a/SPECS/spamassassin.spec +++ b/SPECS/spamassassin.spec @@ -60,7 +60,7 @@ Summary: Spam filter for email which can be invoked from mail delivery agents Name: spamassassin Version: 3.4.2 #Release: 0.8.%%{prerev}%%{?dist} -Release: 7%{?dist} +Release: 9%{?dist} License: ASL 2.0 Group: Applications/Internet URL: https://spamassassin.apache.org/ @@ -78,7 +78,6 @@ Source8: sa-update.cronscript Source9: sa-update.force-sysconfig Source10: spamassassin-helper.sh Source11: spamassassin-official.conf -Source12: sought.conf Source13: README.RHEL.Fedora %if %{use_systemd} Source14: spamassassin.service @@ -100,6 +99,7 @@ Patch3: 0001-Drop-the-ResourceLimits-plugin.patch Patch100: spamassassin-3.4.2-fix-use-after-free.patch Patch101: spamassassin-3.4.2-fix-file-handle-leaks.patch Patch102: spamassassin-3.4.2-fix-rawbody-rules-documentation.patch +Patch103: spamassassin-3.4.2-fix-CVE-2019-12420.patch # end of patches @@ -212,6 +212,7 @@ rm -f lib/Mail/SpamAssassin/Plugin/ResourceLimits.pm %patch100 -p1 %patch101 -p1 %patch102 -p1 +%patch103 -p1 # end of patches @@ -295,7 +296,6 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/spamassassin mkdir -m 0700 $RPM_BUILD_ROOT%{_sysconfdir}/mail/spamassassin/sa-update-keys/ mkdir -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/mail/spamassassin/channel.d/ install -m 0644 %{SOURCE11} $RPM_BUILD_ROOT%{_sysconfdir}/mail/spamassassin/channel.d/ -install -m 0644 %{SOURCE12} $RPM_BUILD_ROOT%{_sysconfdir}/mail/spamassassin/channel.d/ install -m 0644 %{SOURCE13} $RPM_BUILD_DIR/Mail-SpamAssassin-%{version}/ %if %{razor_deps} @@ -396,6 +396,14 @@ exit 0 %endif %changelog +* Thu Apr 09 2020 Ondřej Lysoněk - 3.4.2-9 +- Fix CVE-2019-12420 +- Resolves: rhbz#1812977 + +* Wed Mar 18 2020 Ondřej Lysoněk - 3.4.2-8 +- Removed the obsolete SOUGHT channel for rule updates +- Resolves: rhbz#1630362 + * Tue Oct 01 2019 Ondřej Lysoněk - 3.4.2-7 - Fix rawbody rules documentation - Resolves: rhbz#1639251