Bug 1629474
Summary: | Possible vulnerable for CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781 | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Frank Büttner <bugzilla>
Component: | spamassassin | Assignee: | Ondřej Lysoněk <olysonek>
Status: | CLOSED CURRENTRELEASE | QA Contact: | qe-baseos-daemons
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 7.5 | CC: | grenier, jh.redhat-2018, olysonek, phil.randal, shiva, simon.matter, smokris
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | spamassassin-3.4.0-3.el7_5 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2018-10-12 08:55:57 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Frank Büttner
2018-09-16 17:06:29 UTC
Duplicate of bug 1629491.

The impact of the CVEs on RHEL-7 is currently being investigated.

From the release notes:

"However, there is one specific pressing reason to upgrade. Specifically, we will stop producing SHA-1 signatures for rule updates. This means that while we produce rule updates with the focus on them working for any release from v3.3.2 forward, they will start failing SHA-1 validation for sa-update.

*** If you do not update to 3.4.2, you will be stuck at the last ruleset with SHA-1 signatures in the near future. ***"

(In reply to Phil Randal from comment #4)
> From the release notes:
>
> "However, there is one specific pressing reason to upgrade. Specifically, we
> will stop producing SHA-1 signatures for rule updates. This means that
> while we produce rule updates with the focus on them working for any release
> from v3.3.2 forward, they will start failing SHA-1 validation for sa-update.
>
> *** If you do not update to 3.4.2, you will be stuck at the last ruleset
> with SHA-1 signatures in the near future. ***"

Rebase of spamassassin is being tracked here:
https://bugzilla.redhat.com/show_bug.cgi?id=1479087