Source: spamassassin
Version: 3.4.2-1+deb10u2
Severity: grave
Tags: security patch upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
CVE-2020-1946

Quoting from https://www.openwall.com/lists/oss-security/2021/03/24/3 :

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

The fix was silently added to the 3.4 branch prior to 3.4.5~pre1 being packaged for Debian, so it is already present in unstable and bullseye. Buster remains exposed.

noah
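Added here as a worked example, not part of this bug report and not Debian's or SpamAssassin's own tooling: a small Python reimplementation of dpkg's version ordering (epoch, upstream version, Debian revision, with "~" sorting before everything) that can be used to triage which installed spamassassin package versions predate the fix. The threshold 3.4.5~pre1 is taken from the report above; treating every version at or above it as fixed, and the sample version strings other than 3.4.2-1+deb10u2, are assumptions of this example.

```python
"""Triage installed spamassassin versions against CVE-2020-1946 using
dpkg's version comparison rules (reimplemented here, not imported from dpkg).
"""

# Assumption: the first Debian packaging that carried the upstream fix was
# 3.4.5~pre1 (the report says the fix landed in the 3.4 branch before that
# version was packaged). Anything comparing lower is treated as affected.
FIRST_FIXED_DEBIAN_VERSION = "3.4.5~pre1"


def _order(c: str) -> int:
    """Ordering weight dpkg assigns to one character of a non-digit run."""
    if c == "~":
        return -1          # tilde sorts before anything, even the empty string
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) dpkg-style."""
    while a or b:
        first_diff = 0
        # Compare the leading non-digit runs character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Then compare the numeric runs as integers (leading zeros ignored).
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1       # longer numeric run is larger
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    revision = ""
    if "-" in version:
        version, revision = version.rsplit("-", 1)
    return epoch, version, revision


def compare_debian_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as dpkg --compare-versions would order a vs b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    if c != 0:
        return c
    return _verrevcmp(ra, rb)


def is_affected(installed: str, fixed: str = FIRST_FIXED_DEBIAN_VERSION) -> bool:
    """True when the installed version sorts below the first fixed one.

    Caveat: Debian security updates often backport a fix without changing
    the upstream version, so a later buster revision carrying a backport
    would still compare below 3.4.5~pre1. Confirm against the package
    changelog or the Debian security tracker before treating a hit as final.
    """
    return compare_debian_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample inventory: the buster version from the report plus
    # hypothetical newer packagings.
    for v in ("3.4.2-1+deb10u2", "3.4.5~pre1-1", "3.4.5-1"):
        print(f"{v:20s} affected={is_affected(v)}")
```

The comparison mirrors dpkg's verrevcmp: alternating non-digit and digit runs, with "~" ordered below the empty string so that 3.4.5~pre1 sorts below 3.4.5 but above 3.4.4.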