Before you write us: nope, this is unlikely to be related to the "spam spam spam" article I wrote earlier.
Spamassassin has 2 new releases out. They fix vulnerabilities that -given specific command line options- opens up spamassassin to remote command execution as the user spamassassin is running as.
Solution: upgrade to version 3.06 or 3.1.3 as soon as possible or do not use the vulnerable command line combination (aparently both "--vpopmail" and "-P" (paranoid) need to be turned on) as a workaround.
Thanks to fellow handlers Jim and Patrick.
If you do take the time to upgrade, I'd suggest to make sure you run it as a user that has hardly any rights and/or chroot it.
Swa Frantzen - Section 66
Jun 6th 2006
1 decade ago