Apache SpamAssassin is vulnerable to command injection. Malicious rule configuration (.cf) files can be configured to run system commands without producing any output or errors. This allows exploits to be injected in a number of scenarios.
lists.debian.org/debian-lts-announce/2021/04/msg00000.html
lists.fedoraproject.org/archives/list/[email protected]/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/
lists.fedoraproject.org/archives/list/[email protected]/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/
lists.fedoraproject.org/archives/list/[email protected]/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/
s.apache.org/3r1wh
security-tracker.debian.org/tracker/CVE-2020-1946
security.gentoo.org/glsa/202105-26
www.debian.org/security/2021/dsa-4879