--- dspam-3.6.4/debian/libdspam7-drv-mysql.cron.daily
+++ dspam-3.6.4/debian/libdspam7-drv-mysql.cron.daily
@@ -5,13 +5,23 @@
DSPAMCONF=/etc/dspam/dspam.conf
MYSQLCONF=/etc/dspam/dspam.d/mysql.conf
PURGE=/usr/share/doc/libdspam7-drv-mysql/purge-4.1.sql
+MYSQLCONF_PASSWD=/var/run/libdspam7-drv-mysql.cron.passwd
if grep -q "^StorageDriver.*mysql_drv.so" $DSPAMCONF; then
if [ -x /usr/bin/mysql ]; then
MYSQL_USER="`grep "^MySQLUser" $MYSQLCONF | awk '{print $2}'`"
MYSQL_PASS="`grep "^MySQLPass" $MYSQLCONF | awk '{print $2}'`"
MYSQL_DB="`grep "^MySQLDb" $MYSQLCONF | awk '{print $2}'`"
- /usr/bin/mysql --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE
+
+ UMASK_OLD="`umask`"
+ umask 077
+ [ -e "$MYSQLCONF_PASSWD" ] && rm "$MYSQLCONF_PASSWD"
+ echo -e "[client]\npassword=$MYSQL_PASS" > "$MYSQLCONF_PASSWD"
+ umask "$UMASK_OLD"
+
+ /usr/bin/mysql --defaults-file=$MYSQLCONF_PASSWD --user=$MYSQL_USER $MYSQL_DB < $PURGE
+
+ rm "$MYSQLCONF_PASSWD"
fi
fi
--- dspam-3.6.4/debian/changelog
+++ dspam-3.6.4/debian/changelog
@@ -1,3 +1,16 @@
+dspam (3.6.4-4ubuntu0.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE: The libdspam7-drv-mysql cron job includes the MySQL
+ dspam database password in a command line argument, which might allow
+ local users to read the password by listing the process and its arguments.
+ * debian/libdspam7-drv-mysql.cron.daily: applied patch from Debian to use a
+ password file instead.
+ * References
+ - LP: #195691
+ - CVE-2007-6418
+
+ -- Daniel Hahler Tue, 25 Mar 2008 23:58:13 +0100
+
dspam (3.6.4-4) unstable; urgency=low
 * Remove previous fix for #359944 this introduced two grave bugs.
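Review bot: The credentials file written by `echo -e "[client]\npassword=$MYSQL_PASS" > "$MYSQLCONF_PASSWD"` is only deleted by the trailing `rm`, so if the job is interrupted or the shell aborts between the write and the `rm`, the password stays on disk at a fixed, well-known path under /var/run; registering cleanup right after `umask 077`, e.g. `trap 'rm -f -- "$MYSQLCONF_PASSWD"' EXIT`, makes the removal unconditional. The `echo -e` form is also fragile: under a POSIX /bin/sh such as dash, `-e` is printed literally and the option file's first line becomes `-e [client]`, which the mysql option parser is likely to reject — the shebang and any `set` options are outside the hunk, so this needs confirming; `printf '[client]\npassword=%s\n' "$MYSQL_PASS" > "$MYSQLCONF_PASSWD"` behaves the same on every shell. Creating the file with `mktemp` instead of a predictable name would additionally close the check-then-create window between the `[ -e "$MYSQLCONF_PASSWD" ] && rm` test and the redirect, although /var/run is normally not writable by unprivileged users so the exposure there is limited. Both enclosing `if` blocks are fully visible in the hunk.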