Candidate: CVE-2010-1132
PublicDate: 2010-03-27 19:07:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1132
 http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073489.html
Description:
 The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter
 Plugin 0.3.1, when using the expand option, allows remote attackers to
 execute arbitrary system commands via shell metacharacters in the RCPT TO
 field of an email message.
Ubuntu-Description:
Notes:
 mdeslaur> On Debian/Ubuntu, default configuration doesn't use -x and
 mdeslaur> doesn't run as root
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS: 

Patches_spamass-milter:
 vendor: http://www.debian.org/security/2010/dsa-2021
upstream_spamass-milter: released (0.3.1-9)
dapper_spamass-milter: ignored (reached end-of-life)
hardy_spamass-milter: ignored (reached end-of-life)
intrepid_spamass-milter: needed (reached end-of-life)
jaunty_spamass-milter: released (0.3.1-8+lenny1build0.9.04.1)
karmic_spamass-milter: released (0.3.1-8+lenny1build0.9.10.1)
lucid_spamass-milter: not-affected (0.3.1-9)
maverick_spamass-milter: not-affected (0.3.1-9)
natty_spamass-milter: not-affected (0.3.1-9)
oneiric_spamass-milter: not-affected (0.3.1-9)
devel_spamass-milter: not-affected (0.3.1-9)