In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly. (CVE-2019-12420 __)
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. (CVE-2018-11805 __)
Run yum update spamassassin to update your system.
i686: spamassassin-3.4.3-2.2.amzn1.i686 spamassassin-debuginfo-3.4.3-2.2.amzn1.i686 src: spamassassin-3.4.3-2.2.amzn1.src x86_64: spamassassin-3.4.3-2.2.amzn1.x86_64 spamassassin-debuginfo-3.4.3-2.2.amzn1.x86_64