SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | spamassassin | <Â 3.1.3-1 | spamassassin_3.1.3-1_all.deb |
Debian | 11 | all | spamassassin | <Â 3.1.3-1 | spamassassin_3.1.3-1_all.deb |
Debian | 10 | all | spamassassin | <Â 3.1.3-1 | spamassassin_3.1.3-1_all.deb |
Debian | 999 | all | spamassassin | <Â 3.1.3-1 | spamassassin_3.1.3-1_all.deb |
Debian | 13 | all | spamassassin | <Â 3.1.3-1 | spamassassin_3.1.3-1_all.deb |