Debian 10261 Published by

A sa-exim security update has been released for Debian GNU/Linux 8 LTS.




Package : sa-exim
Version : 4.2.1-14+deb8u1
CVE ID : CVE-2019-19920
Debian Bug : 946829

It was found that sa-exim, the SpamAssassin filter for Exim, allows
attackers to execute arbitrary code if users are allowed to run custom
rules. A similar issue was fixed in spamassassin, CVE-2018-11805, which
caused a functional regression in sa-exim. This update restores the
compatibility between spamassassin and sa-exim. The security
implications of sa-exim's greylisting function are also documented in
/usr/share/doc/sa-exim/README.greylisting.gz.

For Debian 8 "Jessie", this problem has been fixed in version
4.2.1-14+deb8u1.

We recommend that you upgrade your sa-exim packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS