Debian Security Advisory

DLA-2062-1 sa-exim -- LTS security update

Date Reported:
09 Jan 2020
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 946829.
In Mitre's CVE dictionary: CVE-2019-19920.
More information:

It was found that sa-exim, the SpamAssassin filter for Exim, allows attackers to execute arbitrary code if users are allowed to run custom rules. A similar issue was fixed in spamassassin, CVE-2018-11805, which caused a functional regression in sa-exim. This update restores the compatibility between spamassassin and sa-exim. The security implications of sa-exim's greylisting function are also documented in /usr/share/doc/sa-exim/README.greylisting.gz.

For Debian 8 Jessie, this problem has been fixed in version 4.2.1-14+deb8u1.

We recommend that you upgrade your sa-exim packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: