===========================================================================
ZMCIRT Vulnerability Bulletin
ZMC-2021.04.13.0508
SpamAssassin: Execute arbitrary code/commands - Remote/unauthenticated
13th April 2021
===========================================================================
ZMCIRT Security Bulletin Summary
---------------------------------
Product:           SpamAssassin
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1946
Reference:         ESB-2021.1136
                   ESB-2021.1124
Original Bulletin:
   https://ubuntu.com/security/notices/USN-4899-2
--------------------------BEGIN INCLUDED TEXT--------------------
USN-4899-2: SpamAssassin vulnerability
12 April 2021
SpamAssassin could be made to run programs if it opened a specially crafted
file.
Releases
o Ubuntu 14.04 ESM
Packages
o spamassassin - Perl-based spam filter using text analysis
Details
USN-4899-1 fixed a vulnerability in SpamAssassin. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
Damian Lukowski discovered that SpamAssassin incorrectly handled certain CF
files. If a user or automated system were tricked into using a specially-
crafted CF file, a remote attacker could possibly run arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 14.04
o spamassassin - 3.4.2-0ubuntu0.14.04.1+esm3
In general, a standard system update will make all the necessary changes.
References
o CVE-2020-1946
Related notices
o USN-4899-1 : spamassassin
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCIRT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Internet Email: incidents@cirt.zm
Telephone: 7070
ZMCIRT personnel answer during Zambian business hours
which are 8am to 5pm.
On call after hours for member emergencies only.
===========================================================================
Copyright @2023 ZAMBIA CIRT