Package: spamassassin
Version: 3.4.2-1
Severity: grave
Tags: upstream fixed-upstream pending security

Per upstream's 3.4.3 release announcement:

Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue of security note where a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.

Thanks to Joran Dirk Greef, Ronomon, Cape Town for reporting the issue.

This issue has been assigned CVE id CVE-2019-12420 [2].

To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org. For more information about Apache SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12420