Errata overview
Errata ID 404
Date 2019-12-18
Source package spamassassin
Fixed in version 3.4.2-1~deb9u2
This update addresses the following issues:
* Nefarious CF files can be configured to run system commands without any
  output or errors. With this, exploits can be injected in a number of
  scenarios. In addition to upgrading we recommend that users should only use
  update channels or 3rd party .cf files from trusted places.
* A message can be crafted in a way to use excessive resources.
Additional notes
CVE ID CVE-2018-11805
UCS Bug number #50650