SpamAssassin Security Vulnerability

rleiker · Post by **rleiker** » Tue Mar 30, 2021 7:10 pm

Hi Everyone,

I wanted to give you a heads-up on a security vulnerability in SpamAssassin that was publicly disclosed a couple of days ago. It scores a CVSS score of 9.8 out of 10, so it is significant: https://nvd.nist.gov/vuln/detail/CVE-2020-1946

Zimbra includes an integrated version of SpamAssassin (SA), so it will require a Zimbra patch from Synacor to properly fix. But, if you have external mail filtering gateways that sit in front of Zimbra that use SA, you will want to consider patching this vulnerability during your next earliest maintenance window. It was discussed on today's Zeta Alliance Call ( https://zetalliance.org/ ), and John Hurley, head of support at Zimbra, is going to bring this topic up in an internal meeting to discuss their response plan. I suspect Zimbra will need to do an out-of-band patch in early April to mitigate this vulnerability since 9.0 Patch 13 and 8.8.15 Patch 20 are scheduled to be released around mid-week, so there will not be enough time to include this fix in these finalized patches.

In brief, a security researcher discovered that versions of SA prior to 3.4.5 trusts filtering rules (.cf files) too much, thereby allowing an attacker to insert rules for distribution to SA users that will execute system commands without indication that an exploit has taken place. It is essentially a supply chain attack similar to what has been widely reported in the media with the evolving Solar Winds incident and the proof of concept attacks involving the npm & PyPi repos ( https://arstechnica.com/gadgets/2021/03 ... us-attack/ ). In the days since the public disclosure of this vulnerability, attackers are likely hard at work identifying commonly used SA rule repos that they can alter in an attempt to carry out widespread breaches.

As a temporary mitigation, if you do not have the ability to patch SA on your external mail gateways, or while awaiting a patch for the vulnerability from Zimbra, you could temporarily disable SA rule updates. In Zimbra SA updates can be disabled using the "antispam_enable_rule_updates" parameter detailed here: https://wiki.zimbra.com/wiki/Anti-spam_Strategies . Of course, this comes with the downside of potentially reducing the effectiveness of SA as new spamming campaigns appear.

Randy Leiker
Skyway Networks, LLC

zmcontrol · Post by **zmcontrol** » Fri Apr 09, 2021 7:39 pm

rleiker,

Thanks for the heads up.
The latest update for zimbra-perl-mail-spamassassin is now 3.4.5

amavis[5206]: initializing Mail::SpamAssassin (0)
amavis[5206]: Module Mail::SpamAssassin 3.004005

JDunphy · Post by **JDunphy** » Sat Apr 10, 2021 8:34 pm

Sigh. zimbra's SA 3.4.5 update will break rule updates via zmsaupdate. At least on our test system I installed last night. Guess I better see if they slipped another one past me in the repositories... nope. I am up2date!

Observe after 24 hours:

Code: Select all

# su - zimbra
% ls /opt/zimbra/data/spamassassin/state
3.004000  3.004001  3.004004
% spamassassin -V
SpamAssassin version 3.4.5
  running on Perl version 5.10.1
% /opt/zimbra/common/bin/sa-update -v --refreshmirrors
% ls /opt/zimbra/data/spamassassin/state
3.004000  3.004001  3.004004  3.004005
% crontab -l |grep zmsaupdate
45 0 * * * . /opt/zimbra/.bashrc; /opt/zimbra/libexec/zmsaupdate

Fix...

update /opt/zimbra/libexec/zmsaupdate and change this hard coded line from:

Code: Select all

my $sa="/opt/zimbra/common/bin/sa-update -v --allowplugins --refreshmirrors >/dev/null 2>&1";

to either of these options:

Code: Select all

my $sa="/opt/zimbra/common/bin/sa-update -v --refreshmirrors >/dev/null 2>&1";
or
my $sa="/opt/zimbra/common/bin/sa-update -v --reallyallowplugins --refreshmirrors >/dev/null 2>&1";

Maybe hold off reporting this until SA 3.4.6 is out which is rushed out to fix a regression bug introduced in SA 3.4.5

Jim

Klug · Post by **Klug** » Sun Apr 11, 2021 8:34 am

Confirmed on CentOS6 and Ubuntu 18.05 (with last 8.8.15-P20).

jjakob · Post by **jjakob** » Mon Apr 12, 2021 10:44 am

They seem to have updated just the "zimbra-mta-components zimbra-mta-patch zimbra-perl-mail-spamassassin zimbra-spamassassin-rules" packages (Ubuntu 16.04LTS) without releasing a new zimbra-patch. (zimbra-perl-mail-spamassassin is at 3.4.5-1zimbra8.8b3.16.04 now). I thought the practice was to only release patches? Maybe us FOSS users are now downgraded to being beta testers, on a "rolling" release cycle, with the stable patches only getting shipped to NE customers? 2 weeks ago they re-released patch20 which is surprising as well. Why not make it P21? Now there are two P20's.

rleiker · Post by **rleiker** » Mon Apr 12, 2021 6:56 pm

jjakob wrote:They seem to have updated just the "zimbra-mta-components zimbra-mta-patch zimbra-perl-mail-spamassassin zimbra-spamassassin-rules" packages (Ubuntu 16.04LTS) without releasing a new zimbra-patch. (zimbra-perl-mail-spamassassin is at 3.4.5-1zimbra8.8b3.16.04 now). I thought the practice was to only release patches? Maybe us FOSS users are now downgraded to being beta testers, on a "rolling" release cycle, with the stable patches only getting shipped to NE customers? 2 weeks ago they re-released patch20 which is surprising as well. Why not make it P21? Now there are two P20's.

On Zimbra Net Edition, I can confirm that a revised P20 was not released for the SpamAssassin vulnerability. Instead it appears it was more of a hot fix included in these packages:

zimbra-mta-components: 1.0.12-1
zimbra-mta-patch: 8.8.15.1617770195.p20-1.r7
zimbra-perl-mail-spamassassin: 3.4.5-1
zimbra-spamassassin-rules: 1.0.0-1

To Zimbra's credit, the dev team was very responsive with rapidly updating the embedded version of SpamAssassin posted to the repos shortly after I notified them of the vulnerability. This rapid response is why you likely did not see this included in P21, which would have delayed this critical security fix by at least a month to allow time for it to go through the normal quality assurance process.

As far as I have heard, Zimbra provided the same P20 version to both the FOSS & Net Edition versions, with the main difference being that P20 for the FOSS version does not include the licensed bits of Zimbra. The reason that another version of P20 was released in the repos about 3 days after the initial version, was to address an issue that JDunphy identified in this post: viewtopic.php?f=13&t=69414 . The revised P20 version also addressed a separate issue discovered that affected dual stack (IPv4 and IPv6) Zimbra servers (viewtopic.php?f=13&t=69412). Zimbra has updated their release notes page (https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P20) to alert everyone to the revised 8.8.15 P20 and 9.0 P13 revisions.

Randy Leiker
Skyway Networks, LLC

milauria · Post by **milauria** » Sun Apr 25, 2021 2:36 am

Hello,
since patch update 8.8.15 P20 on a Centos7 server I get consistently the error:

Code: Select all

[zimbra@mail root]$ /opt/zimbra/libexec/zmsaupdate
zmsaupdate: Error code downloading update: 2

I have tried to refresh the mirrors:

Code: Select all

[zimbra@mail root]$ /opt/zimbra/common/bin/sa-update -v --refreshmirrors
Update finished, no fresh updates were available

My SA version:

Code: Select all

[zimbra@mail root]$ spamassassin -V
SpamAssassin version 3.4.5
  running on Perl version 5.16.3

If I run "sa-update -D"
I get "updates complete, exiting with code 1"

== Solution ==
I edited the file with the modification suggested above and the error has gone away ...

Code: Select all

my $sa="/opt/zimbra/common/bin/sa-update -v --refreshmirrors >/dev/null 2>&1";

Should we wait for an update to v 3.4.6 from Zimbra now that it has been officially released ?

milauria · Post by **milauria** » Mon Apr 26, 2021 1:25 am

I take it back, today I got still issue with refreshing mirrors, I did some debugging as below.
any hints form the debug below? Everything was working fine before the spamassassin update deployed by Zimbra ...
Many thanks

Code: Select all

[zimbra@mail root]$ sa-update --refreshmirrors -vvvvv -D 
Apr 26 03:16:17.047 [20342] dbg: logger: adding facilities: all
Apr 26 03:16:17.047 [20342] dbg: logger: logging level is DBG
Apr 26 03:16:17.047 [20342] dbg: generic: SpamAssassin version 3.4.5
Apr 26 03:16:17.047 [20342] dbg: generic: Perl 5.016003, PREFIX=/opt/zimbra/common, DEF_RULES_DIR=/opt/zimbra/data/spamassassin/rules, LOCAL_RULES_DIR=/opt/zimbra/data/spamassassin/localrules, LOCAL_STATE_DIR=/opt/zimbra/data/spamassassin/state
Apr 26 03:16:17.047 [20342] dbg: config: timing enabled
Apr 26 03:16:17.048 [20342] dbg: config: score set 0 chosen.
Apr 26 03:16:17.050 [20342] dbg: generic: sa-update version 3.4.5 / svn1881784
Apr 26 03:16:17.050 [20342] dbg: generic: using update directory: /opt/zimbra/data/spamassassin/state/3.004005
Apr 26 03:16:17.146 [20342] dbg: diag: perl platform: 5.016003 linux
Apr 26 03:16:17.146 [20342] dbg: diag: [...] module installed: Digest::SHA, version 5.85
Apr 26 03:16:17.146 [20342] dbg: diag: [...] module installed: HTML::Parser, version 3.71
Apr 26 03:16:17.146 [20342] dbg: diag: [...] module installed: Net::DNS, version 1.04
Apr 26 03:16:17.146 [20342] dbg: diag: [...] module installed: NetAddr::IP, version 4.078
Apr 26 03:16:17.146 [20342] dbg: diag: [...] module installed: Time::HiRes, version 1.9725
Apr 26 03:16:17.146 [20342] dbg: diag: [...] module installed: Archive::Tar, version 1.92
Apr 26 03:16:17.146 [20342] dbg: diag: [...] module installed: IO::Zlib, version 1.10
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Digest::SHA1, version 2.13
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: MIME::Base64, version 3.13
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: DB_File, version 1.835
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Net::SMTP, version 2.31
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Mail::SPF, version v2.009
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module not installed: GeoIP2::Database::Reader ('require' failed)
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module not installed: Geo::IP ('require' failed)
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module not installed: IP::Country::DB_File ('require' failed)
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Net::CIDR::Lite, version 0.21
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module not installed: Razor2::Client::Agent ('require' failed)
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: IO::Socket::IP, version 0.37
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: IO::Socket::INET6, version 2.72
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: IO::Socket::SSL, version 2.068
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Compress::Zlib, version 2.069
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Mail::DKIM, version 0.4
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: DBI, version 1.634
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Getopt::Long, version 2.4
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: LWP::UserAgent, version 6.13
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: HTTP::Date, version 6.02
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Encode::Detect::Detector, version 1.01
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module not installed: Net::Patricia ('require' failed)
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Net::DNS::Nameserver, version 1406
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module not installed: BSD::Resource ('require' failed)
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module installed: Archive::Zip, version 1.53
Apr 26 03:16:17.146 [20342] dbg: diag: [...] optional module not installed: IO::String ('require' failed)
Apr 26 03:16:17.148 [20342] dbg: gpg: Searching for 'gpg'
Apr 26 03:16:17.148 [20342] dbg: util: current PATH is: /opt/zimbra/bin:/opt/zimbra/common/lib/jvm/java/bin:/opt/zimbra/common/bin:/opt/zimbra/common/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Apr 26 03:16:17.148 [20342] dbg: util: executable for gpg was found at /usr/bin/gpg
Apr 26 03:16:17.148 [20342] dbg: gpg: found /usr/bin/gpg
Apr 26 03:16:17.148 [20342] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 0C2B1D7175B852C64B3CDC716C55397824F434CE
Apr 26 03:16:17.148 [20342] dbg: util: secure_tmpfile created a temporary file /tmp/.spamassassin203421PltCutmp
Apr 26 03:16:17.148 [20342] dbg: channel: attempting channel updates.spamassassin.org
Apr 26 03:16:17.148 [20342] dbg: channel: using existing directory /opt/zimbra/data/spamassassin/state/3.004005/updates_spamassassin_org
Apr 26 03:16:17.148 [20342] dbg: channel: channel cf file /opt/zimbra/data/spamassassin/state/3.004005/updates_spamassassin_org.cf
Apr 26 03:16:17.149 [20342] dbg: channel: channel pre file /opt/zimbra/data/spamassassin/state/3.004005/updates_spamassassin_org.pre
Apr 26 03:16:17.149 [20342] dbg: channel: metadata version = 1889123, from file /opt/zimbra/data/spamassassin/state/3.004005/updates_spamassassin_org.cf
DNS TXT query: 5.4.3.updates.spamassassin.org -> 1889140
Apr 26 03:16:17.172 [20342] dbg: dns: 5.4.3.updates.spamassassin.org => 1889140, parsed as 1889140
Update available for channel updates.spamassassin.org: 1889123 -> 1889140
Apr 26 03:16:17.172 [20342] dbg: channel: preparing temp directory for new channel
Apr 26 03:16:17.173 [20342] dbg: channel: created tmp directory /tmp/.spamassassin203426c8elOtmp
Apr 26 03:16:17.173 [20342] dbg: generic: lint checking site pre files once before attempting channel updates
Apr 26 03:16:17.173 [20342] dbg: generic: SpamAssassin version 3.4.5
Apr 26 03:16:17.173 [20342] dbg: generic: Perl 5.016003, PREFIX=/opt/zimbra/common, DEF_RULES_DIR=/opt/zimbra/data/spamassassin/rules, LOCAL_RULES_DIR=/opt/zimbra/data/spamassassin/localrules, LOCAL_STATE_DIR=/opt/zimbra/data/spamassassin/state
Apr 26 03:16:17.173 [20342] dbg: config: timing enabled
Apr 26 03:16:17.173 [20342] dbg: config: score set 0 chosen.
Apr 26 03:16:17.174 [20342] dbg: ignore: using a test message to lint rules
Apr 26 03:16:17.174 [20342] dbg: config: using "/opt/zimbra/data/spamassassin/localrules" for site rules pre files
Apr 26 03:16:17.174 [20342] dbg: config: read file /opt/zimbra/data/spamassassin/localrules/init.pre
Apr 26 03:16:17.174 [20342] dbg: config: read file /opt/zimbra/data/spamassassin/localrules/v310.pre
Apr 26 03:16:17.175 [20342] dbg: config: read file /opt/zimbra/data/spamassassin/localrules/v312.pre
Apr 26 03:16:17.175 [20342] dbg: config: read file /opt/zimbra/data/spamassassin/localrules/v320.pre
Apr 26 03:16:17.175 [20342] dbg: config: read file /opt/zimbra/data/spamassassin/localrules/v330.pre
Apr 26 03:16:17.175 [20342] dbg: config: read file /opt/zimbra/data/spamassassin/localrules/v340.pre
Apr 26 03:16:17.175 [20342] dbg: config: read file /opt/zimbra/data/spamassassin/localrules/v341.pre
Apr 26 03:16:17.175 [20342] dbg: config: read file /opt/zimbra/data/spamassassin/localrules/v342.pre
Apr 26 03:16:17.175 [20342] dbg: config: read file /opt/zimbra/data/spamassassin/localrules/v343.pre
Apr 26 03:16:17.175 [20342] dbg: config: using "/tmp/.spamassassin203426c8elOtmp/doesnotexist" for sys rules pre files
Apr 26 03:16:17.175 [20342] dbg: config: using "/tmp/.spamassassin203426c8elOtmp/doesnotexist" for default rules dir
Apr 26 03:16:17.176 [20342] dbg: config: mkdir /opt/zimbra/.spamassassin failed: mkdir /opt/zimbra/.spamassassin: Permission denied at /opt/zimbra/common/lib/perl5/Mail/SpamAssassin.pm line 1901.
Apr 26 03:16:17.176 [20342] dbg: config: using "/tmp/.spamassassin203426c8elOtmp/doesnotexist/doesnotexist" for user prefs file
Apr 26 03:16:17.176 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
Apr 26 03:16:17.179 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
Apr 26 03:16:17.182 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
Apr 26 03:16:17.186 [20342] dbg: dcc: local tests only, disabling DCC
Apr 26 03:16:17.186 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
Apr 26 03:16:17.188 [20342] dbg: pyzor: local tests only, disabling Pyzor
Apr 26 03:16:17.188 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
Apr 26 03:16:17.189 [20342] dbg: razor2: local tests only, skipping Razor
Apr 26 03:16:17.189 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
Apr 26 03:16:17.191 [20342] dbg: reporter: local tests only, disabling SpamCop
Apr 26 03:16:17.191 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
Apr 26 03:16:17.192 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
Apr 26 03:16:17.192 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
Apr 26 03:16:17.193 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
Apr 26 03:16:17.194 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::DKIM from @INC
Apr 26 03:16:17.198 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::Check from @INC
Apr 26 03:16:17.203 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTTPSMismatch from @INC
Apr 26 03:16:17.203 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDetail from @INC
Apr 26 03:16:17.204 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
Apr 26 03:16:17.216 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::BodyEval from @INC
Apr 26 03:16:17.219 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::DNSEval from @INC
Apr 26 03:16:17.222 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTMLEval from @INC
Apr 26 03:16:17.224 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::HeaderEval from @INC
Apr 26 03:16:17.228 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEEval from @INC
Apr 26 03:16:17.230 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayEval from @INC
Apr 26 03:16:17.232 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIEval from @INC
Apr 26 03:16:17.232 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::WLBLEval from @INC
Apr 26 03:16:17.234 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::VBounce from @INC
Apr 26 03:16:17.235 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::Rule2XSBody from @INC
Apr 26 03:16:17.237 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from @INC
Apr 26 03:16:17.238 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::FreeMail from @INC
Apr 26 03:16:17.240 [20342] dbg: plugin: loading Mail::SpamAssassin::Plugin::AskDNS from @INC
Apr 26 03:16:17.243 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x35ea1d8) implements 'finish_parsing_start', priority 0
Apr 26 03:16:17.243 [20342] dbg: config: finish parsing
Apr 26 03:16:17.243 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x35ea1d8) implements 'finish_parsing_end', priority 0
Apr 26 03:16:17.244 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::Rule2XSBody=HASH(0x3a30750) implements 'finish_parsing_end', priority 0
Apr 26 03:16:17.244 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::FreeMail=HASH(0x3aa7da0) implements 'finish_parsing_end', priority 0
Apr 26 03:16:17.244 [20342] dbg: replacetags: replacing tags
Apr 26 03:16:17.244 [20342] dbg: zoom: loading compiled ruleset from /opt/zimbra/data/spamassassin/state/compiled/5.016/3.004005
Apr 26 03:16:17.244 [20342] dbg: FreeMail: no freemail_domains entries defined, disabling plugin
Apr 26 03:16:17.244 [20342] dbg: config: score set 0 chosen.
Apr 26 03:16:17.245 [20342] dbg: dns: EDNS, UDP payload size 4096
Apr 26 03:16:17.245 [20342] dbg: dns: servers obtained from Net::DNS : [127.0.0.1]:53
Apr 26 03:16:17.245 [20342] dbg: dns: nameservers set to 127.0.0.1
Apr 26 03:16:17.245 [20342] dbg: dns: using socket module: IO::Socket::IP version 0.37
Apr 26 03:16:17.246 [20342] dbg: dns: is Net::DNS::Resolver available? yes
Apr 26 03:16:17.246 [20342] dbg: dns: Net::DNS version: 1.04
Apr 26 03:16:17.246 [20342] dbg: config: time limit 300.0 s
Apr 26 03:16:17.247 [20342] dbg: message: main message type: text/plain
Apr 26 03:16:17.248 [20342] dbg: message: ---- MIME PARSER START ----
Apr 26 03:16:17.248 [20342] dbg: message: parsing normal part
Apr 26 03:16:17.248 [20342] dbg: message: storing a body to memory
Apr 26 03:16:17.248 [20342] dbg: message: ---- MIME PARSER END ----
Apr 26 03:16:17.248 [20342] dbg: check: pms new, time limit in 299.998 s
Apr 26 03:16:17.249 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0x387e418) implements 'check_start', priority 0
Apr 26 03:16:17.249 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::Rule2XSBody=HASH(0x3a30750) implements 'check_start', priority 0
Apr 26 03:16:17.250 [20342] dbg: check: using scoreset 0 in M:S:Pms
Apr 26 03:16:17.250 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x35dacb8) implements 'check_main', priority 0
Apr 26 03:16:17.250 [20342] dbg: config: trusted_networks are not configured; it is recommended that you configure trusted_networks manually
Apr 26 03:16:17.251 [20342] dbg: metadata: X-Spam-Relays-Trusted: 
Apr 26 03:16:17.251 [20342] dbg: metadata: X-Spam-Relays-Untrusted: 
Apr 26 03:16:17.251 [20342] dbg: metadata: X-Spam-Relays-Internal: 
Apr 26 03:16:17.251 [20342] dbg: metadata: X-Spam-Relays-External: 
Apr 26 03:16:17.251 [20342] dbg: check: tagrun - tag AUTHORDOMAIN is now ready, value: compiling.spamassassin.taint.org
Apr 26 03:16:17.251 [20342] dbg: check: tagrun - tag RELAYSTRUSTED is now ready, value: 
Apr 26 03:16:17.251 [20342] dbg: check: tagrun - tag RELAYSUNTRUSTED is now ready, value: 
Apr 26 03:16:17.251 [20342] dbg: check: tagrun - tag RELAYSINTERNAL is now ready, value: 
Apr 26 03:16:17.251 [20342] dbg: check: tagrun - tag RELAYSEXTERNAL is now ready, value: 
Apr 26 03:16:17.251 [20342] dbg: check: tagrun - tag LANGUAGES is now ready, value: <UNDEF>
Apr 26 03:16:17.252 [20342] dbg: message: no encoding detected
Apr 26 03:16:17.252 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x343d050) implements 'parsed_metadata', priority 0
Apr 26 03:16:17.252 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::AskDNS=HASH(0x3a6c060) implements 'parsed_metadata', priority 0
Apr 26 03:16:17.252 [20342] dbg: dns: is DNS available? 0
Apr 26 03:16:17.252 [20342] dbg: rules: local tests only, ignoring RBL eval
Apr 26 03:16:17.252 [20342] dbg: check: check_main, time limit in 299.994 s
Apr 26 03:16:17.253 [20342] dbg: dns: harvest_dnsbl_queries
Apr 26 03:16:17.253 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x343d050) implements 'check_cleanup', priority 0
Apr 26 03:16:17.253 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x3518510) implements 'check_post_learn', priority 0
Apr 26 03:16:17.253 [20342] dbg: dcc: DCC learning not enabled by dcc_learn_score
Apr 26 03:16:17.253 [20342] dbg: check: is spam? score=0 required=5
Apr 26 03:16:17.253 [20342] dbg: check: tests=
Apr 26 03:16:17.254 [20342] dbg: check: subtests=
Apr 26 03:16:17.254 [20342] dbg: timing: total 79 ms - init: 72 (90.9%), parse: 2.3 (3.0%), extract_message_metadata: 1.51 (1.9%), get_uri_detail_list: 0.83 (1.0%)
Apr 26 03:16:17.254 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x35d2f50) implements 'finish_tests', priority 0
Apr 26 03:16:17.254 [20342] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x35dacb8) implements 'finish_tests', priority 0
Apr 26 03:16:17.254 [20342] dbg: generic: lint check of site pre files succeeded, continuing with channel updates
Apr 26 03:16:17.254 [20342] dbg: channel: protocol family available: inet,inet6
Apr 26 03:16:17.254 [20342] dbg: channel: --refreshmirrors used, forcing mirrors file refresh on channel updates.spamassassin.org
Apr 26 03:16:17.254 [20342] dbg: channel: DNS lookup on mirrors.updates.spamassassin.org
DNS TXT query: mirrors.updates.spamassassin.org -> http://spamassassin.apache.org/updates/MIRRORED.BY
fetching http://spamassassin.apache.org/updates/MIRRORED.BY
Apr 26 03:16:17.278 [20342] dbg: http: url: http://spamassassin.apache.org/updates/MIRRORED.BY
Apr 26 03:16:17.278 [20342] dbg: http: downloading to: /opt/zimbra/data/spamassassin/state/3.004005/updates_spamassassin_org/MIRRORED.BY, replace
Apr 26 03:16:17.278 [20342] dbg: util: executable for curl was found at /opt/zimbra/common/bin/curl
Apr 26 03:16:17.278 [20342] dbg: http: /opt/zimbra/common/bin/curl -s -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o MIRRORED.BY -A sa-update/3.4.5 / svn1881784/3.4.5 -- http://spamassassin.apache.org/updates/MIRRORED.BY
Apr 26 03:16:17.509 [20342] dbg: http: process [20344], exit status: exit 23
http: (curl) GET http://spamassassin.apache.org/updates/MIRRORED.BY, FAILED, status: exit 23
Apr 26 03:16:17.509 [20342] dbg: channel: no mirror data available for channel updates.spamassassin.org from http://spamassassin.apache.org/updates/MIRRORED.BY
error: unable to refresh mirrors file for channel updates.spamassassin.org, using old file
error: no mirror data available for channel updates.spamassassin.org
channel 'updates.spamassassin.org': MIRRORED.BY file contents were missing, channel failed
Apr 26 03:16:17.510 [20342] dbg: generic: cleaning up temporary directory/files
Apr 26 03:16:17.510 [20342] dbg: generic: cleaning directory /tmp/.spamassassin203426c8elOtmp
Apr 26 03:16:17.510 [20342] dbg: diag: updates complete, exiting with code 4
Update failed, exiting with code 4

Zimbra Forums

SpamAssassin Security Vulnerability

SpamAssassin Security Vulnerability

Re: SpamAssassin Security Vulnerability

Re: SpamAssassin Security Vulnerability

Re: SpamAssassin Security Vulnerability

Re: SpamAssassin Security Vulnerability

Re: SpamAssassin Security Vulnerability

Re: SpamAssassin Security Vulnerability

Re: SpamAssassin Security Vulnerability