I'm using 0.3.2 which seems to be the latest version available for Debian. It does appear that 0.4.0 hasn't hit Debian yet.
On Wed, Jun 10, 2015 at 10:34 PM, David B Funk <dbf...@engineering.uiowa.edu> wrote:

> On Wed, 10 Jun 2015, Michael Grant wrote:
>
>> I'm running Debian, sendmail, spamass-milter, spamc and spamd.
>>
>> I saw this in my log:
>> Jun 9 20:30:29 debian sm-mta[15942]: t5A0ULAA015942: to=<--
>> u...@example.com>
>> then I saw this:
>>
>> Jun 9 20:30:29 strange spamc[15947]: invalid usage
>> Jun 9 20:30:29 strange spamass-milter[1770]: Thrown error: poll says my
>> write pipe is busted
>> That seems pretty scary that someone can send to a user which begins with
>> -- and fake out spamc that it's a command
>> line option.
>>
>
> What version of spamass-milter are you using?
> Older versions of spamass-milter used a "system" call to invoke "spamc"
> and feed it messages, thus had a glaring security vulnerability.
>
> That was fixed a while ago, you need to update your spamass-milter.
>
>
> --
> Dave Funk University of Iowa
> <dbfunk (at) engineering.uiowa.edu> College of Engineering
> 319/335-5751 FAX: 319/384-0549 1256 Seamans Center
> Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better. B{