ALAS-2020-1341


Amazon Linux AMI Security Advisory: ALAS-2020-1341
Advisory Release Date: 2020-02-07 18:02 Pacific
Severity: Medium

Issue Overview:

In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. (CVE-2019-12420 )

In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2018-11805 )


Affected Packages:

spamassassin


Issue Correction:
Run yum update spamassassin to update your system.

New Packages:
i686:
    spamassassin-3.4.3-2.2.amzn1.i686
    spamassassin-debuginfo-3.4.3-2.2.amzn1.i686

src:
    spamassassin-3.4.3-2.2.amzn1.src

x86_64:
    spamassassin-3.4.3-2.2.amzn1.x86_64
    spamassassin-debuginfo-3.4.3-2.2.amzn1.x86_64