Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#912198; Package release.debian.org. (Mon, 29 Oct 2018 06:15:04 GMT)
Acknowledgement sent to Noah Meyerhans <noahm@debian.org>: New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 29 Oct 2018 06:15:04 GMT)
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Upstream released spamassassin 3.4.2 last month including fixes for
several security issues. Unfortunately, upstream developers have
indicated that they would not recommend, nor would they support, efforts
to backport these fixes to 3.4.1. In an apparent attempt at keeping the
details of the issues private while they worked on them, they did not
indicate which bugs were fixed with specific commits, and have indicated
that the fixes have been spread across many commits, many of which may
be relative to additional changes not in 3.4.1. The specifics of the
issues, and their repros (if any) have not been made public.
After discussions with upstream and with the security team, we decided
that the best course of action would be to forgo a DSA for these issues,
but otherwise accept upstream's recommendation and update to 3.4.2 in
stretch via p-u. In addition to the security issues fixed in 3.4.2, it
also switches from sha1 to sha256 and/or sha512 for validation of rule
updates downloaded by sa-update, which is a change we'll need if we want
sa-update to keep working when they stop publishing sha1 signatures at
some point in the next several months.
I have prepared an upload for stretch that is a backport of the 3.4.2-1
package currently in testing. The changelog entries from 3.4.1-6 to
3.4.2-1~deb9u1 are below. Note that stretch currently contains
3.4.1-6+deb9u1. The changes in that version are included in the 3.4.1-7
entry in the backport.
The debdiff for the debian/ subdirectory is attached. I pruned the
upstream changes, since they result in a large diff, but can provide
them if you want.
spamassassin (3.4.2-1~deb9u1) stretch; urgency=high
* New upstream release fixes multiple security vulnerabilities
- CVE-2017-15705: Denial of service issue in which certain unclosed
tags in emails cause markup to be handled incorrectly leading to
scan timeouts. (Closes: 908969)
- CVE-2016-1238: Unsafe usage of "." in @INC in a configuration
script.
- CVE-2018-11780: potential Remote Code Execution bug with the
PDFInfo plugin. (Closes: 908970)
- CVE-2018-11781: local user code injection in the meta rule syntax.
(Closes: 908971)
- BayesStore: bayes_expire table grows, remove_running_expire_tok not
called (Closes: 883775)
- Fix use of uninitialized variable warning in PDFInfo.pm
(Closes: 865924)
- Fix "failed to parse plugin" error in
Mail::SpamAssassin::Plugin::URILocalBL (Closes: 891041)
* Don't recursively chown /var/lib/spamassassin during postinst.
(Closes: 889501)
* Reload spamd after compiling rules in sa-compile.postinst.
* Update SysV init script to cope with upstream's change to $0.
* Remove compiled rules upon removal of the sa-compile package.
* Ensure that /var/lib/spamassassin/compiled doesn't change modes with
the cron job's execution. (Closes: 890650)
* Create /var/lib/spamassassin via dpkg, rather than the postinst.
(Closes: 891833)
* Add libbsd-resource-perl to Suggests (Closes: 910434)
-- Noah Meyerhans <noahm@debian.org> Sun, 30 Sep 2018 23:44:58 -0700
spamassassin (3.4.1-8) unstable; urgency=medium
* Fix inappropriate invocation of invoke-rc.d in cron script.
(Closes: 865514)
* Update systemd unit dependencies to include network and syslog.
(Closes: 864810)
* Migrate packaging to git, finally.
* Apply upstream patch to fix regex error leading to warnings in perl
5.26+ (Closes: 869408)
* Add Multi-Arch: foreign headers to package definitions (Closes:
#850454)
* Update standards version to 4.1.0.0
* Remove references to the obsolete syslog.target dependency in the
systemd service file.
* Clarify the use of the perl-major-upgrade dpkg trigger.
* Fix spamd service management on package upgrades. (Closes: #865356)
-- Noah Meyerhans <noahm@debian.org> Sat, 09 Sep 2017 22:37:20 -0700
spamassassin (3.4.1-7) unstable; urgency=medium
* Ensure that spamd doesn't automatically start upon initial
installation.
* Disable bb.barracudacentral.org (RCVD_IN_BRBL_LASTEXT), as
it requires users to register. (Closes: #861671)
* Update the systemd unit file to use the same pid file as was
used in the sysvinit script. (Closes: #808804)
* Update spamassassin docs to remove outdated gpg version
compatibility note. (Closes: #853913)
-- Noah Meyerhans <noahm@debian.org> Thu, 11 May 2017 19:45:36 -0700
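As an added illustration of the sa-update validation change mentioned in the report above (example code written for this page, not part of spamassassin or the Debian package): a small Python model of a client checking a downloaded rules archive against the digest files a mirror publishes beside it, showing why a client that only knows sha1 stops working once only sha256/sha512 digests are published. The archive name and contents and the sha*sum-style "hexdigest  filename" digest format are constructed assumptions, and the GPG signature check the real sa-update also performs over the digests is omitted.

```python
import hashlib
import hmac

# Constructed sample: a stand-in rules archive and the digest files a mirror
# would publish beside it, in sha*sum "hexdigest  filename" format (assumed
# to match what sa-update fetches; the real files are not on this page).
RULES_NAME = "1234567.tar.gz"
RULES_DATA = b"constructed stand-in for a rules tarball\n"

def digest_line(algo, data, name):
    return f"{hashlib.new(algo, data).hexdigest()}  {name}\n"

# What a mirror publishes after sha1 files are dropped, and before.
PUBLISHED_NEW = {a: digest_line(a, RULES_DATA, RULES_NAME) for a in ("sha256", "sha512")}
PUBLISHED_OLD = dict(PUBLISHED_NEW, sha1=digest_line("sha1", RULES_DATA, RULES_NAME))

def parse_digest_file(text, expected_name):
    """Return the hex digest from a sha*sum-style file, or None when the
    line is malformed or names a different file than the one downloaded."""
    parts = text.strip().split(None, 1)
    if len(parts) != 2 or parts[1].strip() != expected_name:
        return None
    return parts[0].lower()

def verify_rules(data, name, published, accepted=("sha512", "sha256")):
    """Model of a client validating a downloaded rules archive.

    `accepted` lists the digest algorithms the client trusts, strongest
    first; a 3.4.1-style client would pass ("sha1",). Every accepted digest
    file the mirror provides must match, and the archive is rejected when
    none of them is available. Returns (ok, algorithm): the first algorithm
    that verified, the one that failed, or None when none was available.
    """
    used = None
    for algo in accepted:
        text = published.get(algo)
        if text is None:
            continue  # mirror no longer publishes this digest
        expected = parse_digest_file(text, name)
        actual = hashlib.new(algo, data).hexdigest()
        if expected is None or not hmac.compare_digest(actual, expected):
            return False, algo
        used = used or algo
    return used is not None, used
```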
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#912198; Package release.debian.org. (Mon, 29 Oct 2018 19:18:07 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 29 Oct 2018 19:18:07 GMT)
Control: tags -1 + moreinfo
On Sun, 2018-10-28 at 23:11 -0700, Noah Meyerhans wrote:
> I have prepared an upload for stretch that is a backport of the
> 3.4.2-1 package currently in testing. The changelog entries from
> 3.4.1-6 to 3.4.2-1~deb9u1 are below. Note that stretch currently
> contains 3.4.1-6+deb9u1. The changes in that version are included in
> the 3.4.1-7 entry in the backport.
>
> The debdiff for the debian/ subdirectory is attached. I pruned the
> upstream changes, since they result in a large diff, but can provide
> them if you want.
Yes, please.
> * Add Multi-Arch: foreign headers to package definitions (Closes:
> #850454)
From an initial look through the changes, this is one we wouldn't
usually include in a stable update. (It's not m-a:same at least, but
I'm not convinced we want to be changing m-a headers in stable in
general, unless they can be shown to fix specific issues, usually in
the upgrade path.)
Regards,
Adam
Added tag(s) moreinfo. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 912198-submit@bugs.debian.org. (Mon, 29 Oct 2018 19:18:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#912198; Package release.debian.org. (Tue, 30 Oct 2018 03:33:04 GMT)
Acknowledgement sent to Noah Meyerhans <noahm@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 30 Oct 2018 03:33:04 GMT)
On Mon, Oct 29, 2018 at 07:16:18PM +0000, Adam D. Barratt wrote:
> > I have prepared an upload for stretch that is a backport of the
> > 3.4.2-1 package currently in testing. The changelog entries from
> > 3.4.1-6 to 3.4.2-1~deb9u1 are below. Note that stretch currently
> > contains 3.4.1-6+deb9u1. The changes in that version are included in
> > the 3.4.1-7 entry in the backport.
> >
> > The debdiff for the debian/ subdirectory is attached. I pruned the
> > upstream changes, since they result in a large diff, but can provide
> > them if you want.
>
> Yes, please.
See attached.
> > * Add Multi-Arch: foreign headers to package definitions (Closes:
> > #850454)
>
> From an initial look through the changes, this is one we wouldn't
> usually include in a stable update. (It's not m-a:same at least, but
> I'm not convinced we want to be changing m-a headers in stable in
> general, unless they can be shown to fix specific issues, usually in
> the upgrade path.)
No problem. I have reverted that change. This is reflected in the
updated debdiff.
Thanks.
noah
Removed tag(s) moreinfo. Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org. (Tue, 30 Oct 2018 14:54:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#912198; Package release.debian.org. (Wed, 31 Oct 2018 22:03:03 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 31 Oct 2018 22:03:03 GMT)
Control: tags -1 + confirmed
On Mon, 2018-10-29 at 20:28 -0700, Noah Meyerhans wrote:
> On Mon, Oct 29, 2018 at 07:16:18PM +0000, Adam D. Barratt wrote:
> > > I have prepared an upload for stretch that is a backport of the
> > > 3.4.2-1 package currently in testing. The changelog entries from
> > > 3.4.1-6 to 3.4.2-1~deb9u1 are below. Note that stretch currently
> > > contains 3.4.1-6+deb9u1. The changes in that version are included
> > > in
> > > the 3.4.1-7 entry in the backport.
> > >
> > > The debdiff for the debian/ subdirectory is attached. I pruned
> > > the
> > > upstream changes, since they result in a large diff, but can
> > > provide
> > > them if you want.
> >
> > Yes, please.
>
> See attached.
Thanks.
Please feel free to upload, bearing in mind that the window for getting
updates into the 9.6 point release closes during this weekend.
Regards,
Adam
Added tag(s) confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 912198-submit@bugs.debian.org. (Wed, 31 Oct 2018 22:03:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#912198; Package release.debian.org. (Thu, 01 Nov 2018 03:42:02 GMT)
Acknowledgement sent to Noah Meyerhans <noahm@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 01 Nov 2018 03:42:02 GMT)
On Wed, Oct 31, 2018 at 10:01:13PM +0000, Adam D. Barratt wrote:
> Please feel free to upload, bearing in mind that the window for getting
> updates into the 9.6 point release closes during this weekend.
Uploaded. Thanks.
noah
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#912198; Package release.debian.org. (Thu, 01 Nov 2018 19:57:10 GMT)
Acknowledgement sent to Adam D Barratt <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 01 Nov 2018 19:57:11 GMT)
Subject: spamassassin 3.4.2-1~deb9u1 flagged for acceptance
Date: Thu, 01 Nov 2018 19:54:37 +0000
Control: tags -1 + pending
Hi,
The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian stretch.
Thanks for your contribution!
Upload details
==============
Package: spamassassin
Version: 3.4.2-1~deb9u1
Explanation: new upstream release; fix denial of service [CVE-2017-15705], remote code execution [CVE-2018-11780], code injection [CVE-2018-11781] and unsafe usage of "." in @INC [CVE-2016-1238]; fix spamd service management on package upgrades
Added tag(s) pending. Request was from Adam D Barratt <adam@adam-barratt.org.uk> to 912198-submit@bugs.debian.org. (Thu, 01 Nov 2018 19:57:11 GMT)
Message sent on to Noah Meyerhans <noahm@debian.org>: Bug#912198. (Thu, 01 Nov 2018 19:57:54 GMT)
Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: You have taken responsibility. (Sat, 10 Nov 2018 10:47:42 GMT)
Notification sent to Noah Meyerhans <noahm@debian.org>: Bug acknowledged by developer. (Sat, 10 Nov 2018 10:47:43 GMT)