Damian Lukowski

Name of the Vulnerable Software and Affected Versions: Apache SpamAssassin versions prior to 3.4.5 Description: The issue allows malicious rule configuration (.cf) files to be configured to run system commands without any output or errors, enabling exploits to be injected in various scenarios. Users should only use update channels or 3rd party .cf files from trusted places. Recommendations: For Apache SpamAssassin versions prior to 3.4.5, upgrade to version 3.4.5 to resolve the issue. As a temporary workaround, consider restricting the use of .cf files from untrusted sources until the upgrade is applied. Additionally, only use update channels or 3rd party .cf files from trusted places to minimize the risk of exploitation.