Just heading this one off before it gets too much further…
This H-Online story covered it:
Security vulnerability in SpamAssassin filter module
The SpamAssassin Milter plug-in which plugs in to Milter and calls SpamAssassin, contains a security vulnerability which can be exploited by attackers using a crafted email to inject and execute code on a mail server. The SpamAssassin Milter plug-in is frequently used to run SpamAssassin on Postfix servers.
(I think this is the source article on Heise.de.)
That was more-or-less accurate — but the problem is the “Chinese whispers” effect, where a news story on another site builds on misreadings of another news article. eSecurityPlanet:
Security Flaw Found in SpamAssassin Plug-in
The SpamAssassin Milter plug-in has been found to contain a security vulnerability. […]
To clarify: spamass-milter is not a part of SpamAssassin. It’s a third-party product which allows sendmail/postfix users to integrate SpamAssassin into their message flows as a milter.