This page exists to provide quick reference to all past security notices that affect SpamAssassin. At this time this page is a work-in-progress, but it is believed to be complete.

Please note that while this reference does cover security notices for versions of SpamAssassin prior to version 3.0.0, it should be noted these are pre-Apache releases. They are included here for completeness. Also note this document does not attempt to cover versions older than 2.40.

Please also note that these notices apply to the official releases of SpamAssassin. Some third party distribution packages, such as Debian, choose to backport fixes. If you are using a distribution package with a version that appears vulnerable, check with the security advisories for that distribution to see if the fix has been backported.

Local user symlink-attack DoS vulnerability with "spamd --allow-tell -x" and other options

Versions affected: 3.1.0-3.1.8, 3.2.0

Fixed in: 3.1.9, 3.2.1


Overly long URLs DoS

Versions affected: 3.1.0-3.1.7

Fixed in: 3.1.8


spamd remote code execution if -v AND -P options used

Versions affected: 2.50-3.0.5, 3.1.0-3.1.2

Fixed in: 3.0.6, 3.1.3


"many To: headers" DoS vuln

Versions affected: 3.0.4, possibly older versions.

Fixed in: 3.0.5, 3.1.0


malformed message with long headers DoS

Versions affected: 3.0.1-3.0.3

Fixed in: 3.0.4


Unspecified malformed message DoS

Versions affected: 2.50-2.63 (pre-Apache releases)

Fixed in: 2.64


Arbitrary code execution if BSMTP used

Versions affected: 2.40-2.43 (pre-Apache releases)

Fixed in: 2.44


Security (last edited 2009-09-20 23:16:38 by localhost)