I assign the severity to major (C1) since the user usually can't check the emails received before they are filtered by spamassassin, so it behaves like a vulnerability against a server: the attacker only has to wait a few minutes or hours before the malicious email. So *1. And C because this vuln only occurs if the user modifies the init script or launches spamd with particular options. '3.1.3 fixes a remote code execution vulnerability if spamd is run with the "--vpopmail" and "-P" options. If either/both of those options are not used, there is no vulnerability. There was also a fix for the userstate directory and prefs file not being created.'
Please bump 3.1.3 which was released yesterday
perl-herd done
ppc stable
Stable on hppa
stable on ppc64
No mo' spam fo' amd64 and x86... (I swear, I'm about to strangle bugzilla today)
sparc stable.
alpha stable.
Thanks arches, this one is ready for GLSA
Since spamd is run as root, is there a hazard that the code would be executed as root ??
*** Bug 135236 has been marked as a duplicate of this bug. ***
Unless you specify the -u option in /etc/conf.d/spamd it will run as root.
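A small audit helper, added here as an example and not part of this bug thread or of Gentoo's own scripts: it takes the spamd option string and reports whether the combination named in the thread (--vpopmail together with -P) is present, and which user spamd would run as (root unless -u/--username is given). It assumes the option string lives in a SPAMD_OPTS variable in /etc/conf.d/spamd; the sample strings at the bottom are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the bug thread or Gentoo).
# Audits a spamd option string as found in /etc/conf.d/spamd (assumed
# variable name: SPAMD_OPTS).

# Prints "vulnerable" when both --vpopmail and -P (--paranoid) are set,
# which is the option combination the thread says 3.1.3 fixes; else "ok".
spamd_vuln_combo() {
    vpop=0
    para=0
    set -- $1
    for a in "$@"; do
        case "$a" in
            --vpopmail) vpop=1 ;;
            -P|--paranoid) para=1 ;;
        esac
    done
    if [ "$vpop" -eq 1 ] && [ "$para" -eq 1 ]; then
        echo vulnerable
    else
        echo ok
    fi
}

# Prints the user spamd runs as: the argument of -u / --username,
# or "root" when no such option is present (the default noted above).
spamd_run_user() {
    user=root
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -u|--username)
                if [ $# -gt 1 ]; then
                    shift
                    user=$1
                fi
                ;;
            --username=*) user=${1#--username=} ;;
        esac
        shift
    done
    echo "$user"
}

# One-line summary for a given option string.
spamd_audit() {
    echo "options: $1"
    echo "  vpopmail+P combo: $(spamd_vuln_combo "$1")"
    echo "  runs as:          $(spamd_run_user "$1")"
}

# Constructed sample settings (not taken from any real /etc/conf.d/spamd).
spamd_audit '-m 5 -c -H'
spamd_audit '-m 5 -c -H --vpopmail -P'
spamd_audit '-m 5 -c -H -u spamd --vpopmail'

# To check the live configuration (assumed variable name SPAMD_OPTS):
#   opts=$(sed -n 's/^SPAMD_OPTS="\(.*\)"/\1/p' /etc/conf.d/spamd)
#   spamd_audit "$opts"
```

The check is only as good as the option string it is handed: if spamd is started from a modified init script rather than from SPAMD_OPTS, audit the actual command line (for example from the process list) instead.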
GLSA 200606-09. ia64 please don't forget to mark stable to benefit from the GLSA.
Don't forget about mips.