:: Re: [DNG] Different philosophies
Author: Rick Moen
Date:
To: dng
New topics: Re: [DNG] Different philosophies (OT)
Subject: Re: [DNG] Different philosophies
Quoting Adam Borowski (kilobyte@???):

> Note: there indeed was one security vulnerability, but it was discovered in
> 2014, while all the "it's dead" brouhaha happened years before.


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618

It's a heap-based buffer overflow in /usr/bin/formail (specifically in
formisc.c). The threat model is a bit far-fetched, IMO. (Normally,
LDA handling only rarely involves formail, which is a filter for munging
messages.)

Distros immediately patched it. AFAIK, basically instead of a
single upstream, there is timely maintenance by various distributions.
Which makes the 'Oh noes! procmail isn't safe!' noises a bit
exaggerated.

https://serverfault.com/questions/876336/is-it-safe-to-use-procmail-in-2017