This is a heads-up on a remote command-execution vulnerability in Apache SpamAssassin, affecting versions 2.5x, 2.6x, 3.0.x, 3.1.x, and SVN trunk. It has been assigned CVE-2006-2447, or bug 4926 in the SA bugzilla.

Details:

- It only affects systems where spamd is used with vpopmail virtual users, via the "-v" / "--vpopmail" switch, AND with the "-P" / "--paranoid" switch. This is not default on any distro package, and is not a common configuration. You are only vulnerable if *both* of those switches are in use. Removing the "-P" / "--paranoid" switch is an effective workaround with no significant side-effects.

- It is a remote exploit on the spamd port, allowing attackers to execute a command as the user spamd runs as if that is not root, or as the user specified by the "-u" / "--username" option if spamd is run as root.

- However, it provides a remote-root hole if spamd is run as root and there is no "-u" / "--username" switch specified. This, again, is less common, since this is defined as an unsupported configuration in the spamd documentation.

- If the spamd "-A" / "--allowed-ips" switch is used to restrict the IP addresses allowed to access spamd, the exploit cannot be performed from outside those ranges.

- If the spamd "-A" / "--allowed-ips" switch is NOT used, the exploit can only be performed from localhost [127.0.0.1].

Workaround: remove the "-P" / "--paranoid" switch. This avoids the bug entirely and has no significant noticeable side-effects.

Fix: Fixed packages have been released as SpamAssassin 3.0.6 (for the 3.0.x maintenance line) and SpamAssassin 3.1.3.

Further info: mail

Announced: Jun 1 19:58 UTC
Corrected: June 5, 15:00 UTC
Affects: all versions before the correction date, after 2.50
Credit: discovery of this vulnerability credited to Radoslaw Zielinski.
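The conditions above can be checked mechanically against a running spamd. The following is an added example, not code from the advisory or the SpamAssassin project: it classifies a spamd command line by the switch combination the advisory describes and checks a release string against the fixed versions it names. It assumes the option spellings quoted above, takes "does spamd run as root" as a parameter (assumption: the caller determines that from the process owner), and does not expand bundled short options such as "-vP".

```python
"""Audit spamd invocations for the CVE-2006-2447 trigger conditions."""
import shlex

# Switch spellings exactly as quoted in the advisory.
VPOPMAIL = {"-v", "--vpopmail"}
PARANOID = {"-P", "--paranoid"}
USERNAME = {"-u", "--username"}
ALLOWED = {"-A", "--allowed-ips"}


def _has(argv, names):
    """True if any argument is one of `names`, in '--opt' or '--opt=value' form."""
    return any(a in names or a.split("=", 1)[0] in names for a in argv)


def assess(cmdline, runs_as_root=False):
    """Return (vulnerable, detail) for one spamd command line (argv[0] is skipped)."""
    argv = shlex.split(cmdline)[1:]
    if not (_has(argv, VPOPMAIL) and _has(argv, PARANOID)):
        return False, "not affected: requires both --vpopmail and --paranoid"
    if runs_as_root and not _has(argv, USERNAME):
        impact = "remote root (spamd runs as root with no -u/--username)"
    elif runs_as_root:
        impact = "command execution as the -u/--username user"
    else:
        impact = "command execution as the user spamd runs as"
    # Reachability: -A limits callers to the listed ranges, otherwise localhost only.
    reach = "from --allowed-ips ranges" if _has(argv, ALLOWED) else "from localhost only"
    return True, f"{impact}, reachable {reach}; workaround: remove -P/--paranoid"


def version_fixed(version):
    """True/False for the lines the advisory covers, None where it says nothing."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[0] == 2:                      # 2.5x / 2.6x: affected, no fixed release
        return False if parts[1] >= 50 else None
    if parts[:2] == (3, 0):
        return parts >= (3, 0, 6)
    if parts[:2] == (3, 1):
        return parts >= (3, 1, 3)
    return None


if __name__ == "__main__":
    # Constructed sample process lines (as a `ps` listing might show them), not real hosts.
    samples = [("spamd -d -v -P", True), ("spamd -d --vpopmail --paranoid -u spamd -A 10.0.0.0/8", True),
               ("spamd -d -v -u spamd", True), ("spamd -d -v -P", False)]
    for cmd, root in samples:
        print(f"{cmd!r} root={root}: {assess(cmd, root)}")
    for ver in ("2.64", "3.0.5", "3.0.6", "3.1.3"):
        print(f"{ver}: fixed={version_fixed(ver)}")
```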