This page is a quick reference to all past security notices that affect SpamAssassin. It is a work in progress, but is believed to be complete.

This reference also covers security notices for versions of SpamAssassin prior to 3.0.0. These are pre-Apache releases and are included here for completeness. Versions older than 2.40 are not covered.

spamd remote code execution if -v AND -P options used

Versions affected: 2.50-3.0.5, 3.1.0-3.1.2

Fixed in: 3.0.6, 3.1.3

References:
[http://spamassassin.apache.org/advisories/cve-2006-2447.txt]

"many To: headers" DoS vulnerability

Versions affected: 3.0.4, possibly older versions.

Fixed in: 3.0.5, 3.1.0

References:
[http://secunia.com/advisories/17386/]
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351]

malformed message with long headers DoS

Versions affected: 3.0.1-3.0.3

Fixed in: 3.0.4

References:
[http://secunia.com/advisories/15704/]
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266]

Unspecified malformed message DoS

Versions affected: 2.50-2.63 (pre-Apache releases)

Fixed in: 2.64

References:
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796]

Arbitrary code execution if BSMTP used

Versions affected: 2.40-2.43 (pre-Apache releases)

Fixed in: 2.44

References:
[http://www.securityfocus.com/bid/6679]
[http://secunia.com/advisories/7951/]
