diff -Nru spamassassin-3.4.2/debian/changelog spamassassin-3.4.2/debian/changelog
--- spamassassin-3.4.2/debian/changelog 2020-02-04 13:15:18.000000000 +0000
+++ spamassassin-3.4.2/debian/changelog 2021-03-29 16:57:38.000000000 +0000
@@ -1,3 +1,19 @@
+spamassassin (3.4.2-0ubuntu0.16.04.5) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: OS Command Injection in cf file parsing
+ - debian/patches/CVE-2020-1946.patch: fix header rule parsing in
+ lib/Mail/SpamAssassin/Conf/Parser.pm.
+ - CVE-2020-1946
+
+ -- Marc Deslauriers Mon, 29 Mar 2021 12:57:38 -0400
+
+spamassassin (3.4.2-0ubuntu0.16.04.4) xenial; urgency=medium
+
+ * d/p/lp-1862154-*: avoid 'domain is utf8 flagged' flooding the logs
+ (LP: #1862154)
+
+ -- Christian Ehrhardt Mon, 10 Feb 2020 16:17:02 +0100
+
 spamassassin (3.4.2-0ubuntu0.16.04.3) xenial-security; urgency=medium
 * SECURITY UPDATE: code execution via nefarious CF files
diff -Nru spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch
--- spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch 1970-01-01 00:00:00.000000000 +0000
+++ spamassassin-3.4.2/debian/patches/CVE-2020-1946.patch 2021-03-29 16:57:33.000000000 +0000
@@ -0,0 +1,29 @@
+Description: Fix header rule parsing
+Origin: upstream, https://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Conf/Parser.pm?r1=1864416&r2=1876381&pathrev=1876381
+Applied-Upstream: 3.4.5
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/Mail/SpamAssassin/Conf/Parser.pm
++++ b/lib/Mail/SpamAssassin/Conf/Parser.pm
+@@ -1238,9 +1238,9 @@ sub add_test {
+ # no re "strict"; # since perl 5.21.8: Ranges of ASCII printables...
+ if ($text =~ /^exists:(.*)/) {
+ my $hdr = $1;
+- # never evaled, so can be quite generous with the name
+ # check :addr etc header options
+- if ($hdr !~ /^[^:\s]+:?$/) {
++ # $hdr used in eval text, validate carefully
++ if ($hdr !~ /^[\w.-]+:?$/) {
+ $self->lint_warn("config: invalid head test $name header: $hdr");
+ return;
+ }
+@@ -1248,7 +1248,8 @@ sub add_test {
+ $conf->{test_opt_header}->{$name} = $hdr;
+ $conf->{test_opt_exists}->{$name} = 1;
+ } else {
+- if ($text !~ /^([^:\s]+(?:\:|(?:\:[a-z]+){1,2})?)\s*([=!]~)\s*(.+)$/) {
++ # $hdr used in eval text, validate carefully
++ if ($text !~ /^([\w.-]+(?:\:|(?:\:[a-z]+){1,2})?)\s*([=!]~)\s*(.+)$/) {
+ $self->lint_warn("config: invalid head test $name: $text");
+ return;
+ }
diff -Nru spamassassin-3.4.2/debian/patches/lp-1862154-Change-an-info-message-into-a-debug-message-not-usef.patch spamassassin-3.4.2/debian/patches/lp-1862154-Change-an-info-message-into-a-debug-message-not-usef.patch
--- spamassassin-3.4.2/debian/patches/lp-1862154-Change-an-info-message-into-a-debug-message-not-usef.patch 1970-01-01 00:00:00.000000000 +0000
+++ spamassassin-3.4.2/debian/patches/lp-1862154-Change-an-info-message-into-a-debug-message-not-usef.patch 2020-02-10 15:17:02.000000000 +0000
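Review bot: The new allowlist `[\w.-]` on both changed `if` lines is not ASCII-only, because Perl's `\w` also matches Unicode letters, digits and marks, and its result varies with the string's UTF-8 flag and the `unicode_strings` feature; since the added comments say the captured name is interpolated into eval text, an explicit class such as `if ($hdr !~ /^[A-Za-z0-9_.-]+:?$/) {` (and the same class in the second regex) states the intended allowlist exactly. The `/a` modifier would achieve the same but requires Perl 5.14, which may be newer than what this tree supports. The third capture `(.+)` in the second regex remains unrestricted; the hunk does not show how that pattern value is consumed, so if it also reaches eval text it needs validation of its own before use. `sub add_test` starts and ends outside both inner hunks.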
@@ -0,0 +1,32 @@
+From bdacc776ccbfdedee7f1e8175a333d9e419d4426 Mon Sep 17 00:00:00 2001
+From: Giovanni Bechis
+Date: Fri, 12 Oct 2018 06:38:56 +0000
+Subject: [PATCH] Change an info message into a debug message, not useful for
+ the average user bz #7632
+
+git-svn-id: https://svn.apache.org/repos/asf/spamassassin/trunk@1843623 13f79535-47bb-0310-9956-ffa450edef68
+
+Origin: upstream, https://github.com/apache/spamassassin/commit/bdacc776ccbfdedee7f1e8175a333d9e419d4426
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1862154
+Last-Update: 2020-02-10
+
+---
+ lib/Mail/SpamAssassin/DnsResolver.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Mail/SpamAssassin/DnsResolver.pm b/lib/Mail/SpamAssassin/DnsResolver.pm
+index 2716d4206..c1c7613c9 100644
+--- a/lib/Mail/SpamAssassin/DnsResolver.pm
++++ b/lib/Mail/SpamAssassin/DnsResolver.pm
+@@ -547,7 +547,7 @@ sub new_dns_packet {
+ eval {
+
+ if (utf8::is_utf8($domain)) { # since Perl 5.8.1
+- info("dns: new_dns_packet: domain is utf8 flagged: %s", $domain);
++ dbg("dns: new_dns_packet: domain is utf8 flagged: %s", $domain);
+ }
+
+ $domain =~ s/\.*\z/./s;
+--
+2.25.0
+
diff -Nru spamassassin-3.4.2/debian/patches/series spamassassin-3.4.2/debian/patches/series
--- spamassassin-3.4.2/debian/patches/series 2020-02-04 13:15:10.000000000 +0000
+++ spamassassin-3.4.2/debian/patches/series 2021-03-29 16:57:33.000000000 +0000
@@ -8,3 +8,5 @@
 CVE-2019-12420
 CVE-2020-1930
 CVE-2020-1931
+lp-1862154-Change-an-info-message-into-a-debug-message-not-usef.patch
+CVE-2020-1946.patch