On Wed, Dec 18, 2019 at 07:10:48AM -0600, [email protected] wrote:
> I considered that this bug may belong to the sa-exim package which is the
> source of the Graylisting.pm file, however, it is the sa-compile package that
> changed not sa-exim and sa-compile is the one with the broken installation.

The problem is likely related to the fixes for CVE-2018-11805, which involved malicious rulesets invoking arbitrary commands as the uid running spamassassin/spamd. In the case of sa-exim, the line triggering the taint failure is performing an "eval" operation of configuration data read directly from a .cf file, so changing spamassassin's behavior is probably not ideal.

I've tested a backport of sa-exim 4.2.1-16 from stretch to jessie, and have observed that the problem does not occur in this scenario. So an update of sa-exim in jessie might be the least disruptive path to a fix here. In the meantime, you might consider locally building it.

noah
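The failure described above, as an added illustration that is not sa-exim's or SpamAssassin's own code: under Perl taint mode, a string read from a config file cannot be passed to `eval`, and the safer pattern is to validate the value with a regex capture instead of executing the configuration text. The `.cf` contents and the `$threshold` option name are constructed for the example.

```perl
#!/usr/bin/perl -T
# Added example: taint mode rejects eval of configuration read from a file.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed stand-in for a .cf file; "$threshold" is a hypothetical option.
my ($tmp, $path) = tempfile(UNLINK => 1);
print $tmp "\$threshold = 5.0;\n";     # config stored as a Perl expression
close $tmp;

open my $cf, '<', $path or die "open $path: $!";
chomp(my $line = <$cf>);               # anything read from a file is tainted
close $cf;

# The pattern the taint check trips on: evaluating config text as Perl code.
# The outer eval BLOCK catches the taint violation so the script can go on.
my $ok = eval { eval $line; 1 };
if (!$ok) {
    # Under -T this prints:
    # "Insecure dependency in eval while running with -T switch at ..."
    print "eval rejected: $@";
}

# Hardened form: accept only a strictly shaped value and untaint via the
# regex capture; the configuration text is never executed as code.
my $threshold;
if ($line =~ /^\$threshold\s*=\s*(\d+(?:\.\d+)?);$/) {
    $threshold = $1;                   # capture is the sanctioned untaint
}
die "rejected config value: $line\n" unless defined $threshold;
print "threshold = $threshold\n";
```

Run it as `perl -T example.pl`; without `-T` the eval succeeds silently, which is exactly the behaviour the hardened sa-compile no longer permits.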

