http://www.securityfocus.com/bid/10898/discussion/
This vulnerability does not exist; as far as I can see, someone has conflated GLSA 200408-06 (http://www.securityfocus.com/archive/1/371249/2004-08-06/2004-08-12/0), which *is* an issue, with an entirely-separate bug report (http://bugzilla.spamassassin.org/show_bug.cgi?id=3293). SpamAssassin is not vulnerable to the latter supposed attack. --j.
