This page exists to provide quick reference to all past security notices that affect SpamAssassin. At this time this page is a work-in-progress, but it is belived to be a complete.
Please note that while this reference does cover security notices for versions of SpamAssassin older than 3.0.0, it should be noted these are pre-ASF releases. They are included here for completeness. Also note this document does not attempt to cover versions older than 2.40.
spamd remote code execution if -v AND -P options used Versions affected: 2.50-3.0.5, 3.1.0-3.1.2 References: [http://spamassassin.apache.org/advisories/cve-2006-2447.txt]
"many to: headers" DoS vuln Versions affected: 3.0.4, possibly older versions. References:
[http://secunia.com/advisories/17386/]
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351]
malformed message with long headers DoS Versions affected: 3.0.1-3.0.3 References:
[http://secunia.com/advisories/15704/]
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266]
Unspecified malformed message DoS Versions affected: 2.50-2.63 References:
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796]
Arbitrary code execution if BSMTP used Versions affected: 2.40-2.43 References:
[http://www.securityfocus.com/bid/6679]
[http://secunia.com/advisories/7951/]