From the quoted URL above:
2019-12-11: Apache SpamAssassin 3.4.3 has been released!
Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare to move to version 4.0.0 with better, native UTF-8 handling.
There are a number of functional patches, improvements as well as security reasons to upgrade to 3.4.3.
In this release, there is also one new plugin and there are bug fixes for two CVEs:
  CVE-2019-12420 for Multipart Denial of Service Vulnerability
  CVE-2018-11805 for nefarious CF files can be configured to run system commands without any output or errors.
Created attachment 209908: patch
Update patch. CVE-2018-11805 is an RCE. Update should be expedited.
Niclas Zeising asked, by private email, that I commit this. It has been committed to my git tree and I will git svn dcommit when a vuxml entry has been written up.
A commit references this bug:
Author: cy
Date: Fri Dec 13 20:03:34 UTC 2019
New revision: 520065
URL: https://svnweb.freebsd.org/changeset/ports/520065
Log:
  Update 3.4.2 --> 3.4.3
  2019-12-11: Apache SpamAssassin 3.4.3 has been released!
  Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare to move to version 4.0.0 with better, native UTF-8 handling.
  There are a number of functional patches, improvements as well as security reasons to upgrade to 3.4.3.
  In this release, there is also one new plugin and there are bug fixes for two CVEs:
    CVE-2019-12420 for Multipart Denial of Service Vulnerability
    CVE-2018-11805 for nefarious CF files can be configured to run system commands without any output or errors.
  PR: 242618
  Submitted by: cy
  Reported by: cy
  Approved by: zeising (maintainer)
  MFH: 2019Q4
  Security: CVE-2019-12420, CVE-2018-11805
Changes:
  head/mail/spamassassin/Makefile
  head/mail/spamassassin/distinfo
  head/mail/spamassassin/pkg-plist
This ticket was fixed, and most recently was superseded with an upgrade to 3.4.4. So it may be closed :-)
Superseded by 3.4.4.