A spamassassin security update has been released for both Debian GNU/Linux 9 and 10

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4584-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 14, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : spamassassin
CVE ID : CVE-2018-11805 CVE-2019-12420
Debian Bug : 946652 946653

Two vulnerabilities were discovered in spamassassin, a Perl-based spam
filter using text analysis.

CVE-2018-11805

Malicious rule or configuration files, possibly downloaded from an
updates server, could execute arbitrary commands under multiple
scenarios.

CVE-2019-12420

Specially crafted mulitpart messages can cause spamassassin to use
excessive resources, resulting in a denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.4.2-1~deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 3.4.2-1+deb10u1.

We recommend that you upgrade your spamassassin packages.

For the detailed security status of spamassassin please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/spamassassin

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/