Security

This page exists to provide quick reference to all past security notices that affect SpamAssassin. At this time this page is a work-in-progress, but it is believed to be complete.

Please note that while this reference does cover security notices for versions of SpamAssassin prior to version 3.0.0, it should be noted these are pre-Apache releases. They are included here for completeness. Also note this document does not attempt to cover versions older than 2.40.

Please also note that these notices apply to the official releases of SpamAssassin. Some third party distribution packages, such as Debian, choose to backport fixes. If you are using a distribution package with a version that appears vulnerable, check with the security advisories for that distribution to see if the fix has been backported.

Local user symlink-attack DoS vulnerability with "spamd --allow-tell -x" and other options

Versions affected: 3.1.0-3.1.8, 3.2.0

Fixed in: 3.1.9, 3.2.1

References:
http://spamassassin.apache.org/advisories/cve-2007-2873.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2873

Overly long URLs DoS

Versions affected: 3.1.0-3.1.7

Fixed in: 3.1.8

References:
http://spamassassin.apache.org/advisories/cve-2007-0451.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0451

spamd remote code execution if -v AND -P options used

Versions affected: 2.50-3.0.5, 3.1.0-3.1.2

Fixed in: 3.0.6, 3.1.3

References:
http://spamassassin.apache.org/advisories/cve-2006-2447.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2447