CVE number – CVE-2020-1946
Apache SpamAssassin 3.4.5 was recently released , and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.
In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.
We recommend that you upgrade your spamassassin packages.