[Mimedefang] [OT] SpamAssassin 3.1.3 released - security updates

Chris Myers chris at by-design.net
Tue Jun 6 14:35:29 EDT 2006

*ANNOUNCE: Apache SpamAssassin 3.1.3 available!

*Apache SpamAssassin 3.1.3 is now available!  This is a maintenance 
release of the 3.1.x branch.

Downloads are available from:

The release file will also be available via CPAN in the near future.

md5sum of archive files:
  5f049f0b9fc63585a85593a3c68409bb  Mail-SpamAssassin-3.1.3.tar.bz2
  32ad78f3cdaddb02cdf0f55572604d07  Mail-SpamAssassin-3.1.3.tar.gz
  6cb6fc27c4466091b2bc4e04af8c39bf  Mail-SpamAssassin-3.1.3.zip

sha1sum of archive files:
  e1f4489ec8805985e0ca79765bde586bf0286725  Mail-SpamAssassin-3.1.3.tar.bz2
  ed9e18fae6db86d0b77ce48d8262194e06df9ef8  Mail-SpamAssassin-3.1.3.tar.gz
  090dfd3eaa0481789fbf94f67bcf9c2dd6387959  Mail-SpamAssassin-3.1.3.zip

The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as

The key information is:

pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key <release at ... 
     Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B

3.1.3 fixes a remote code execution vulnerability if spamd is run with the
"--vpopmail" and "-P" options.  If either/both of those options are not
used, there is no vulnerability.  There was also a fix for the userstate
directory and prefs file not being created.


- bug 4926: given a certain set of parameters to spamd and a specially
  formatted input message, users could cause spamd to execute arbitrary
  commands as the spamd user
- bug 4932: the userstate dir and userprefs file would not be created
  under certain conditions.

More information about the MIMEDefang mailing list