---cut---
Well, I was going to wait until 2.50 release, but it seems to be taking and
this likely affects only few installations. Besides, it's been in their
public bugzilla for over a month. So:
An attacker may be able to execute arbitrary code by sending a specially
crafted e-mail to a system using SpamAssassin's spamc program in BSMTP mode
(-B option). Versions from 2.40 to 2.43 are affected.
Exim users especially should check if they're affected; the -B option is
used in several Exim+SpamAssassin HOWTOs.
The problem is with escaping '.' characters at the beginning of lines. An
off-by-one bounds checking error allows writing a '.' character past a
buffer, overwriting the stack frame address. Depending on the system this may
be exploitable. The pre-built Debian unstable/x86 package wasn't vulnerable; my
self-compiled one was.
---cut---
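The bug described above sits in BSMTP "dot stuffing": every line of the message that begins with a '.' must be written with an extra leading '.', so a stuffed line needs one more output byte than its input. The following is an added, constructed example of how that transformation is done with the bounds check accounting for that extra byte; it is not spamc's code and no function or name here is from SpamAssassin. The check `cap - o < need` is evaluated before any write, so a '.' at the start of a line when the buffer has exactly one byte left is reported as an error rather than written one byte past the end.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical dot-stuffing routine (constructed example, not spamc's code).
 * Copies `len` bytes of `in` into `out` (capacity `cap`), prefixing every
 * line that starts with '.' with a second '.', as BSMTP/SMTP DATA transport
 * requires. Returns the number of bytes written, or -1 if `out` is too small.
 * Every write is guarded by a check that counts the extra byte a stuffed
 * line needs, so the leading '.' can never land past the end of `out`. */
long dot_stuff(const char *in, size_t len, char *out, size_t cap)
{
    size_t o = 0;
    int at_line_start = 1;

    for (size_t i = 0; i < len; i++) {
        char c = in[i];
        /* A '.' at line start costs two output bytes; anything else costs one. */
        size_t need = (at_line_start && c == '.') ? 2 : 1;
        if (cap - o < need)      /* o <= cap always holds, so no underflow */
            return -1;
        if (need == 2)
            out[o++] = '.';
        out[o++] = c;
        at_line_start = (c == '\n');
    }
    return (long)o;
}

/* Exact worst-case output size for `len` input bytes: a stuffed '.' needs a
 * line start, and line starts beyond the first each need a '\n', so at most
 * (len + 1) / 2 bytes can be stuffed. Size the output buffer with this. */
size_t dot_stuff_max(size_t len)
{
    return len + (len + 1) / 2;
}

/* Check helper: stuffs the NUL-terminated `in` into a scratch buffer of
 * `cap` bytes and compares with `expect`. Returns 1 on match, 0 on mismatch,
 * -1 if dot_stuff reported insufficient space. */
int dot_stuff_matches(const char *in, size_t cap, const char *expect)
{
    char buf[256];
    if (cap > sizeof buf)
        return 0;
    long n = dot_stuff(in, strlen(in), buf, cap);
    if (n < 0)
        return -1;
    return ((size_t)n == strlen(expect) && memcmp(buf, expect, (size_t)n) == 0) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample message: one plain line, one line starting with '.',
     * one line starting with two dots (only the first needs stuffing). */
    const char *msg = "hello\n.dot\n..x\n";
    char out[64];
    long n = dot_stuff(msg, strlen(msg), out, dot_stuff_max(strlen(msg)));
    if (n < 0) {
        puts("output buffer too small");
        return 1;
    }
    fwrite(out, 1, (size_t)n, stdout);

    /* The edge case: a '.' opening a line with one byte of room left is
     * refused instead of being written out of bounds. */
    printf("tight buffer result: %ld\n", dot_stuff("a\n.", 3, out, 3));
    return 0;
}
```

Sizing the output with `dot_stuff_max` is what makes the `-1` path unreachable for well-formed callers; the guard inside the loop is the defence in depth that turns a miscounted buffer into a refused write rather than a stack overwrite.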
--
The #1 big change:
- SpamAssassin now *REQUIRES* procmail for local delivery support;
  -P option is now the default. Unless you use procmail,
  Mail::Audit, KMail, or an MTA-level integration, do not upgrade
From maintainer, Han Boetes <han@boetes.org>
SpamAssassin is a mail filter to identify spam.
Using its rule base, it uses a wide range of heuristic tests on
mail headers and body text to identify "spam", also known as
unsolicited commercial email.