oss-sec mailing list archives

Re: [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781


From: Reindl Harald <h.reindl () thelounge net>
Date: Sun, 16 Sep 2018 23:29:27 +0200



On 16.09.18 at 23:11, Kevin A. McGrail wrote:
Per the asf security team, mitre considers the public rc1 from a few
days ago as the start of the clock for the publishing so we were already
way past the 24 hour window.

again: i doubt that distributions push updates *NOW* because most
maintainers are not aware of the release nor do they expect it at all
given how long we hear about 3.4.2 with no other official bugfix
releases for years

bad guys typically watch better than anyone else

Hopefully, the announcements and reports are obfuscated and bugzilla is
private so it'll be contained.

On Sun, Sep 16, 2018, 16:59 Reindl Harald <h.reindl () thelounge net
<mailto:h.reindl () thelounge net>> wrote:

    i doubt that it is wise to blow out security notes *that short* after
    release and *that long* after the last release

