CVE-2019-12420

Name
CVE-2019-12420
Description
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
NVD Severity
medium

References

Type                  URI
Mailing List          https://lists.apache.org/thread.html/5863d6c42fc9595a29566732f12348cde0ca0e41bda91695c62041de@%3Cannounce.apache.org%3E
Permissions Required  https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7747
Mailing List          https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
Mailing List          http://www.openwall.com/lists/oss-security/2019/12/12/2
Mailing List          https://lists.apache.org/thread.html/e3c2367351286b77a74a082e2b66b793cceefa7b6ea9dcd162db4c4b@%3Cdev.spamassassin.apache.org%3E
Mailing List          https://lists.apache.org/thread.html/5ef362d6da12126fafc81443309ca95d872d1bfd011fe4b2699f0fe9@%3Cusers.spamassassin.apache.org%3E
Mailing List          https://lists.apache.org/thread.html/64cf76749956dd08f7d5b86ec9f3321f382cfd7fe717ccd1be940c92@%3Cannounce.spamassassin.apache.org%3E
Third Party Advisory  https://www.debian.org/security/2019/dsa-4584
Mailing List          https://seclists.org/bugtraq/2019/Dec/27
Mailing List          https://lists.debian.org/debian-lts-announce/2019/12/msg00019.html
UBUNTU                https://usn.ubuntu.com/4237-1/
UBUNTU                https://usn.ubuntu.com/4237-2/
MLIST                 https://lists.apache.org/thread.html/r2578c486552637bfedbe624940cc60d6463bd90044c887bdebb75e74@%3Cusers.spamassassin.apache.org%3E
MLIST                 https://lists.apache.org/thread.html/r3d32ebf97b1245b8237763444e911c4595d2ad5e34a1641840d8146f@%3Cusers.spamassassin.apache.org%3E

Match rules

CPE URI                                        Source package  Min version  Max version
cpe:2.3:a:apache:spamassassin:*:*:*:*:*:*:*:*  spamassassin    >= None      < 3.4.3

Vulnerable and fixed packages

Source package  Branch     Version   Maintainer  Status
spamassassin    edge-main  3.4.3-r0  None        fixed
spamassassin    edge-main  3.4.2-r0  None        possibly vulnerable
spamassassin    3.22-main  3.4.3-r0  None        fixed
spamassassin    3.22-main  3.4.2-r0  None        possibly vulnerable
spamassassin    3.21-main  3.4.3-r0  None        fixed
spamassassin    3.21-main  3.4.2-r0  None        possibly vulnerable
spamassassin    3.20-main  3.4.3-r0  None        fixed
spamassassin    3.20-main  3.4.2-r0  None        possibly vulnerable
spamassassin    3.19-main  3.4.3-r0  None        fixed
spamassassin    3.19-main  3.4.2-r0  None        possibly vulnerable
spamassassin    3.18-main  3.4.3-r0  None        fixed
spamassassin    3.17-main  3.4.3-r0  None        fixed
spamassassin    3.12-main  3.4.3-r0  None        fixed
spamassassin    3.11-main  3.4.3-r0  None        fixed
spamassassin    3.10-main  3.4.3-r0  None        fixed