FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands

Affected packages
spamassassin < 3.4.5

Details

VuXML ID ec04f3d0-8cd9-11eb-bb9f-206a8a720317
Discovery 2021-03-24
Entry 2021-03-24

The Apache SpamAssassin project reports:

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

References

CVE Name CVE-2020-1946
URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946
URL https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C5b7cfd35-27b7-584b-1b39-b7ff0a55f586%40apache.org%3E
URL https://spamassassin.apache.org/news.html