Apache SpamAssassin malicious rule configuration [CVE-2020-1946]
CVE number – CVE-2020-1946
Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.
In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.
We recommend that you upgrade your spamassassin packages.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.