Amazon Linux 1 Security Advisory: ALAS-2020-1341
Advisory Release Date: 2020-02-04 22:46 Pacific
Advisory Updated Date: 2020-02-07 18:02 Pacific
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. (CVE-2019-12420)
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2018-11805)
Affected Packages:
spamassassin
Issue Correction:
Run yum update spamassassin to update your system.
i686:
spamassassin-3.4.3-2.2.amzn1.i686
spamassassin-debuginfo-3.4.3-2.2.amzn1.i686
src:
spamassassin-3.4.3-2.2.amzn1.src
x86_64:
spamassassin-3.4.3-2.2.amzn1.x86_64
spamassassin-debuginfo-3.4.3-2.2.amzn1.x86_64