This page exists to provide quick reference to all past security notices that affect SpamAssassin. At this time this page is a work-in-progress, but it is believed to be complete.
Please note that while this reference does cover security notices for versions of SpamAssassin prior to version 3.0.0, it should be noted these are pre-Apache releases. They are included here for completeness. Also note this document does not attempt to cover versions older than 2.40.
Please also note that these notices apply to the official releases of SpamAssassin. Some third party distribution packages, such as Debian, choose to backport fixes. If you are using a distribution package with a version that appears vulnerable, check with the security advisories for that distribution to see if the fix has been backported.
Local user symlink-attack DoS vulnerability with "spamd --allow-tell -x" and other options
Versions affected: 3.1.0-3.1.8, 3.2.0
Fixed in: 3.1.9, 3.2.1
Overly long URLs DoS
Versions affected: 3.1.0-3.1.7
Fixed in: 3.1.8
spamd remote code execution if -v AND -P options used
Versions affected: 2.50-3.0.5, 3.1.0-3.1.2
Fixed in: 3.0.6, 3.1.3
"many To: headers" DoS vuln
Versions affected: 3.0.4, possibly older versions.
Fixed in: 3.0.5, 3.1.0
malformed message with long headers DoS
Versions affected: 3.0.1-3.0.3
Fixed in: 3.0.4
Unspecified malformed message DoS
Versions affected: 2.50-2.63 (pre-Apache releases)
Fixed in: 2.64
Arbitrary code execution if BSMTP used
Versions affected: 2.40-2.43 (pre-Apache releases)
Fixed in: 2.44