Debian Security Advisory

DLA-2062-1 sa-exim -- LTS security update

Date Reported: 09 Jan 2020
Affected Packages: sa-exim
Vulnerable: Yes
Security database references:
In the Debian bugtracking system: Bug 946829.
In Mitre's CVE dictionary: CVE-2019-19920.
More information:

It was found that sa-exim, the SpamAssassin filter for Exim, allows attackers to execute arbitrary code if users are allowed to run custom rules. A similar issue was fixed in spamassassin, CVE-2018-11805, which caused a functional regression in sa-exim. This update restores the compatibility between spamassassin and sa-exim. The security implications of sa-exim's greylisting function are also documented in /usr/share/doc/sa-exim/README.greylisting.gz.

For Debian 8 Jessie, this problem has been fixed in version 4.2.1-14+deb8u1.

We recommend that you upgrade your sa-exim packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS