CVE-2020-1946 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary command execution
Description	In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to pamAssassin version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1731	spamassassin	3.4.4-3	3.4.5-1	High	Fixed

References
https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C241c47dc-467f-c622-c8ab-e06df159b475%40apache.org%3E https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7793 https://svn.apache.org/viewvc?view=revision&revision=1876381

References

https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C241c47dc-467f-c622-c8ab-e06df159b475%40apache.org%3E
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7793
https://svn.apache.org/viewvc?view=revision&revision=1876381