GLSA-200606-09 : SpamAssassin: Execution of arbitrary code
Medium Nessus Plugin ID 21702
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-200606-09 (SpamAssassin: Execution of arbitrary code).
When spamd is run with both the '--vpopmail' (-v) and '--paranoid' (-P) options, it is vulnerable to an unspecified issue.
With certain configuration options, a local or even remote attacker could execute arbitrary code with the rights of the user running spamd, which is root by default, by sending a crafted message to the spamd daemon. Furthermore, the attack can be performed remotely if the '--allowed-ips' (-A) option is present and specifies non-local addresses. Note that Gentoo Linux is not vulnerable in the default configuration.
Don't use both the '--paranoid' (-P) and the '--vpopmail' (-v) options.
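The exposure described above depends entirely on which flags spamd was started with, so a defender's first check is the running command line. The POSIX shell function below is an added example, not part of the advisory or of SpamAssassin: it classifies a spamd command line as "ok", "vulnerable-local" (both '--vpopmail' and '--paranoid' set, only loopback addresses allowed) or "vulnerable-remote" (both set and '--allowed-ips' names a non-local address). It handles bundled short flags such as "-vP" and attached values such as "-A192.0.2.0/24"; the sample command lines at the bottom are constructed for illustration, and the `is_local_addr` heuristic (loopback only) is this example's own assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or SpamAssassin): classify a spamd
# command line for the --vpopmail + --paranoid combination in GLSA-200606-09.

# Return 0 if an --allowed-ips entry is loopback-only, 1 otherwise.
# Assumption of this example: anything outside 127.*/localhost/::1 is "non-local".
is_local_addr() {
    case "$1" in
        127.*|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# spamd_flags_risk "CMDLINE"  ->  prints ok | vulnerable-local | vulnerable-remote
spamd_flags_risk() {
    vpop=0; para=0; allowed=""
    # Word-split the command line into positional parameters on purpose.
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            --vpopmail)       vpop=1 ;;
            --paranoid)       para=1 ;;
            --allowed-ips=*)  allowed="${1#--allowed-ips=}" ;;
            --allowed-ips)    shift; allowed="${1:-}" ;;
            --*)              ;;   # other long options are irrelevant here
            -?*)
                # Short options, possibly bundled ("-vP") or with an attached
                # value ("-A192.0.2.0/24"); walk the cluster one letter at a time.
                cluster="${1#-}"
                while [ -n "$cluster" ]; do
                    c="${cluster%"${cluster#?}"}"; cluster="${cluster#?}"
                    case "$c" in
                        v) vpop=1 ;;
                        P) para=1 ;;
                        A) if [ -n "$cluster" ]; then
                               allowed="$cluster"          # attached value
                           else
                               shift; allowed="${1:-}"     # value is next word
                           fi
                           cluster="" ;;
                    esac
                done ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done

    if [ "$vpop" -eq 1 ] && [ "$para" -eq 1 ]; then
        remote=0
        old_ifs=$IFS; IFS=,
        for a in $allowed; do
            is_local_addr "$a" || remote=1
        done
        IFS=$old_ifs
        if [ "$remote" -eq 1 ]; then echo vulnerable-remote; else echo vulnerable-local; fi
    else
        echo ok
    fi
}

# Check every spamd process on the local host (uses ps, so not run automatically).
check_running_spamd() {
    ps -eo args= | grep '[s]pamd' | while IFS= read -r line; do
        printf '%s\t%s\n' "$(spamd_flags_risk "$line")" "$line"
    done
}

# Constructed sample command lines for illustration.
for sample in \
    '/usr/sbin/spamd -d -c -m 5 -H' \
    'spamd --vpopmail --paranoid -i 127.0.0.1' \
    'spamd -vP -A 127.0.0.1,192.0.2.5' \
    'spamd -P -A192.0.2.0/24'
do
    printf '%-18s %s\n' "$(spamd_flags_risk "$sample")" "$sample"
done
```

Run `check_running_spamd` on a host to get one line per spamd process; "vulnerable-remote" means the daemon accepts the crafted message from the addresses listed in '--allowed-ips', while "vulnerable-local" still warrants removing one of the two flags or applying the upgrade below.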
Solution
All SpamAssassin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-filter/spamassassin-3.1.3'