SpamAssassin 3.4.2 has been announced, fixing several security issues:
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC'ing one committer.
shlomif has pushed the 3.4.2 version to cauldron so that should be good for this branch.
I pushed the same version to 6 core/updates_testing.
Updated spamassassin package fixes security vulnerabilities:
A reliance on "." in @INC in one configuration script (CVE-2016-1238).
A denial of service vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly, leading to scan timeouts.
A potential Remote Code Execution bug with the PDFInfo plugin (CVE-2018-11780).
A local user code injection in the meta rule syntax (CVE-2018-11781).
Updated packages in core/updates_testing:
Red Hat has issued an advisory for two of these issues on October 11:
Fedora has issued an advisory for this on September 23: