This update includes a fix for a problem where if the milter is running using the "-x" option to expand aliases before passing inbound mail through SpamAssassin, a malicious client using a carefully-crafted SMTP session could execute arbitrary code on the mail server. The fix avoids the use of a shell in the alias expansion and hence there is no longer a problem with having to sanitize input from the client.
This problem has been assigned CVE-2010-1132, which is tracked upstream at https://savannah.nongnu.org/bugs/?29136
The update also contains improved Received-header-generation for message submission and a fix for a problem where the milter would erroneously log warnings about the mail server's configuration when the first message from a non-authenticated client passed through. As part of the fix for this issue, the required milter macro configuration for the mail server has changed slightly: see the README file included in the package for details.
Please login to add feedback.