Posted to commits@spamassassin.apache.org by km...@apache.org on 2018/09/08 20:41:08 UTC
svn commit: r1840378 - in /spamassassin/trunk: UPGRADE sa-update.raw
Author: kmcgrail
Date: Sat Sep 8 20:41:08 2018
New Revision: 1840378
URL: http://svn.apache.org/viewvc?rev=1840378&view=rev
Log:
Removing sha-1 sig support from sa-update - bug 7614
Modified:
spamassassin/trunk/UPGRADE
spamassassin/trunk/sa-update.raw
Modified: spamassassin/trunk/UPGRADE
URL: http://svn.apache.org/viewvc/spamassassin/trunk/UPGRADE?rev=1840378&r1=1840377&r2=1840378&view=diff
==============================================================================
--- spamassassin/trunk/UPGRADE (original)
+++ spamassassin/trunk/UPGRADE Sat Sep 8 20:41:08 2018
@@ -1,3 +1,104 @@
+Note for Users Upgrading to SpamAssassin 3.4.2
+----------------------------------------------
+
+- We now support SHA-512 and SHA-256 signatures for our rules updates.
+
+- We may stop producing SHA-1 signatures in the near future so upgrading
+to 3.4.2 is important. sa-update no longer uses these signatures.
+
+See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614
+
+New plugins
+-----------
+
+There are four new plugins added with this release:
+
+ Mail::SpamAssassin::Plugin::HashBL
+
+The HashBL plugin is the interface to The Email Blocklist (EBL).
+The EBL is intended to filter spam that is sent from IP addresses
+and domains that cannot be blocked without causing significant
+numbers of false positives.
+
+ Mail::SpamAssassin::Plugin::ResourceLimits
+
+This plugin leverages BSD::Resource to assure your spamd child processes
+do not exceed specified CPU or memory limit. If this happens, the child
+process will die. See the BSD::Resource for more details.
+
+ Mail::SpamAssassin::Plugin::FromNameSpoof
+
+This plugin allows for detection of the From:name field being used to mislead
+recipients into thinking an email is from another address. The man page
+includes examples and we expect to put test rules for this plugin into
+rulesrc soon!
+
+ Mail::SpamAssassin::Plugin::Phishing
+
+This plugin finds uris used in phishing campaigns detected by
+OpenPhish (https://openphish.com) or PhishTank (https://phishtank.com) feeds.
+
+These plugins are disabled by default. To enable, uncomment
+the loadplugin configuration options in file v342.pre, or add it to
+some local .pre file such as local.pre .
+
+Notable changes
+---------------
+
+For security reasons SSLv3 support has been removed from spamc(1).
+
+GeoIP2 support has been added to RelayCountry and URILocalBL plugins due
+to GeoIP legacy api deprecations.
+
+New configuration options
+-------------------------
+
+A new template tag _DKIMSELECTOR_ that maps to the DKIM selector (the 's' tag)
+from valid signatures has been added.
+
+A 'uri_block_cont' option to URILocalBL plugin to score uris per continent has been added.
+Possible continent codes are:
+af, as, eu, na, oc, sa for Africa, Asia, Europe, North America,
+Oceania and South America.
+
+The 'country_db_type' and 'country_db_path' options has been added to be able
+to choose in RelayCountry plugin between GeoIP legacy
+(discontinued from 04/01/2018), GeoIP2, IP::Country::Fast
+and IP::Country::DB_File.
+GeoIP legacy is still the default option but it will be deprecated
+in future releases.
+
+A config option 'uri_country_db_path' has been added to be able to choose
+in URILocalBL plugin between GeoIP legacy and new GeoIP2 api.
+
+A config option 'resource_limit_cpu' (default: 0 or no limit) has been added
+to configure how many cpu cycles are allowed on a child process before it dies.
+
+A config option 'resource_limit_mem' (default: 0 or no limit) has been added
+to configure the maximum number of bytes of memory allowed both for
+(virtual) address space bytes and resident set size.
+
+A new config option 'report_wrap_width' (default: 70) has been added
+to set the wrap width for description lines in the X-Spam-Report header.
+
+Notable Internal changes
+------------------------
+
+SpamAssassin can cope with new Net::DNS module versions.
+
+The "bytes" pragma has been remove from both core modules and plugins for
+better utf-8 compatibility, there has been also some other utf-8 related fixes.
+
+The spamc(1) client can now be build against OpenSSL 1.1.0.
+
+The test framework has been switched to Test::More module.
+
+Other updates
+-------------
+
+A list of top-level domains in registrar boundaries was updated.
+
+
Note for Users Upgrading to SpamAssassin 3.4.1
----------------------------------------------
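Review bot: The first two bullets of the new 3.4.2 section call the SHA-512/SHA-256/SHA-1 files "signatures", while the --gpg documentation changed in this same commit says the hashes only detect corruption and the GPG signature is what establishes legitimacy; "hashes" or "checksums" would keep the two consistent. The note also does not tell upgraders that sa-update now refuses to start without a Digest::SHA that exports sha256_hex and sha512_hex, which is the change most likely to affect them. Separately, the sections from "New plugins" through "Other updates" are unrelated to the log message ("Removing sha-1 sig support") and would be easier to review as their own commit; they contain small slips worth fixing while here: "options has been added", "has been remove", "can now be build".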
Modified: spamassassin/trunk/sa-update.raw
URL: http://svn.apache.org/viewvc/spamassassin/trunk/sa-update.raw?rev=1840378&r1=1840377&r2=1840378&view=diff
==============================================================================
--- spamassassin/trunk/sa-update.raw (original)
+++ spamassassin/trunk/sa-update.raw Sat Sep 8 20:41:08 2018
@@ -96,8 +96,8 @@ our ($have_lwp, $io_socket_module_name,
BEGIN {
# Deal with optional modules
- eval { require Digest::SHA; import Digest::SHA qw(sha1_hex sha256_hex sha512_hex); 1 } and do { $have_sha256=1; $have_sha512=1 }
- or do { require Digest::SHA1; import Digest::SHA1 qw(sha1_hex) };
+ eval { require Digest::SHA; import Digest::SHA qw(sha256_hex sha512_hex); 1 } and do { $have_sha256=1; $have_sha512=1 }
+ or die "Unable to verify file hashes! You must install a modern version of Digest::SHA.";
$have_lwp = eval {
require LWP::UserAgent;
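Review bot: The new "or die" in the BEGIN block discards the reason the load failed. Appending $@ to the message would let an operator tell a missing Digest::SHA from one that is too old to export sha256_hex and sha512_hex. The comment "Deal with optional modules" above it no longer describes Digest::SHA, and since execution only continues when the eval succeeds, $have_sha256 and $have_sha512 are now always 1; either drop the flags or note in the comment that they are kept for the code that still tests them.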
@@ -598,15 +598,13 @@ foreach my $channel (@channels) {
my $content;
my $SHA512;
my $SHA256;
- my $SHA1;
my $GPG;
if ($instfile) {
- dbg("channel: using --install files $instfile\{,.sha1,.sha256,.sha512,.asc\}");
+ dbg("channel: using --install files $instfile\{,.sha256,.sha512,.asc\}");
$content = read_install_file($instfile);
if ( -s "$instfile.sha512" ) { $SHA512 = read_install_file($instfile.".sha512"); }
if ( -s "$instfile.sha256" ) { $SHA256 = read_install_file($instfile.".sha256"); }
- if ( -s "$instfile.sha1" ) { $SHA1 = read_install_file($instfile.".sha1"); }
$GPG = read_install_file($instfile.".asc") if $GPG_ENABLED;
} else { # not an install file, obtain fresh rules from network
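Review bot: On the --install path a leftover "$instfile.sha1" is now ignored without any message. When that is the only sidecar file present, $SHA512 and $SHA256 both stay undefined and nothing at this point says why. A dbg or warning next to the two "-s" tests, stating that .sha1 is no longer accepted and that a .sha256 or .sha512 file is required, would make the failure self-explanatory for anyone reusing an older offline update bundle.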
@@ -740,7 +738,7 @@ foreach my $channel (@channels) {
# Loop through all available mirrors, choose from them randomly
# if the archive get fails, choose another mirror,
- # if the get for the sha1 or gpg signature files, the channel fails
+ # if the get for the hash or gpg signature files fails, the channel fails
while (my $mirror = choose_mirror(\%mirrors)) {
my $result_fname;
# Grab the data hash for this mirror, then remove it from the list
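Review bot: The reworded comment says the channel fails if the get for "the hash" file fails, but there are now two hash files, and the sha256 branch visible in the next hunk only logs "No sha256 file available from $mirror" while the later check accepts "$SHA512 || $SHA256". Wording along the lines of "if neither hash file can be fetched, or the gpg signature is missing, the channel fails" would match what the code does.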
@@ -787,18 +785,6 @@ foreach my $channel (@channels) {
dbg("channel: No sha256 file available from $mirror");
}
-
- # SHA1 of the archive file
- $result_fname = http_get("$mirror/$newV.tar.gz.sha1", $UPDDir);
- if ( -s $result_fname) {
- $SHA1 = read_content($result_fname, 0);
- last unless $SHA1;
- $preserve_files{$result_fname} = 1;
- } else {
- undef $SHA1;
- dbg("channel: No sha1 file available from $mirror");
- }
-
# if GPG is enabled, the GPG detached signature of the archive file
if ($GPG_ENABLED) {
$result_fname = http_get("$mirror/$newV.tar.gz.asc", $UPDDir);
@@ -806,32 +792,15 @@ foreach my $channel (@channels) {
last unless $GPG;
$preserve_files{$result_fname} = 1;
}
-
last;
}
}
- unless ($content && ( $SHA512 || $SHA256 || $SHA1 ) && (!$GPG_ENABLED || $GPG)) {
+ unless ($content && ( $SHA512 || $SHA256 ) && (!$GPG_ENABLED || $GPG)) {
channel_failed("channel: could not find working mirror");
next;
}
- if ( $SHA1 ) {
- # Validate the SHA1 signature before going forward with more complicated
- # operations.
- # The SHA1 file may be "signature filename" ala sha1sum, just use the signature
- { local($1);
- $SHA1 =~ /^([a-fA-F0-9]{40})/;
- $SHA1 = $1 || 'INVALID';
- }
- my $digest = sha1_hex($content);
- dbg("sha1: verification wanted: $SHA1");
- dbg("sha1: verification result: $digest");
- unless ($digest eq $SHA1) {
- channel_failed("channel: SHA1 verification failed");
- next;
- }
- }
if ( $SHA512 ) {
# Validate the SHA512 signature
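Review bot: At the "unless ($content && ( $SHA512 || $SHA256 ) && ...)" check, a mirror that still publishes only a .sha1 file now ends in "channel: could not find working mirror", which points the operator at the network rather than at the missing SHA256/SHA512 file. A distinct message for "archive fetched but no SHA256 or SHA512 hash available" would shorten diagnosis. The removed block also normalised the hash file with /^([a-fA-F0-9]{40})/ and fell back to 'INVALID'; only the first line of the SHA512 block is visible here, so please confirm the remaining blocks do the same extraction with the correct digest length. The blank line dropped before "last;" is an unrelated whitespace change.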
@@ -1151,7 +1120,7 @@ ENDOFVALIDATIONERR
return 0;
}
- # if all went fine, remove the .tar.gz, .sha1 and .asc files
+ # if all went fine, remove the .tar.gz, .sha* and .asc files
delete_files( grep(!m{/\QMIRRORED.BY\E\z}, keys %preserve_files) );
$channel_successes++;
@@ -1897,7 +1866,8 @@ Options:
--channelfile file Retrieve updates from the channels in the file
--checkonly Check for update availability, do not install
--install filename Install updates directly from this file. Signature
- verification will use "file.asc" and "file.sha1"
+ verification will use "file.asc", "file.sha256",
+ and "file.sha512".
--allowplugins Allow updates to load plugin code
--gpgkey key Trust the key id to sign releases
Use multiple times for multiple keys
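Review bot: The new --install help text reads as if all three of "file.asc", "file.sha256" and "file.sha512" are required, but the install branch tests each hash file separately with "-s" and the later check accepts "$SHA512 || $SHA256". Something like 'will use "file.asc" and "file.sha256" and/or "file.sha512"' would tell users that one hash file is enough. The same applies to the POD paragraph for --install further down ("B<file>.sha256, B<file>.sha512, and B<file>.asc will be used ... respectively").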
@@ -1927,7 +1897,8 @@ configuration, based on channels. The d
I<updates.spamassassin.org>, which has updated rules since the previous
release.
-Update archives are verified using SHA1 hashes and GPG signatures, by default.
+Update archives are verified using SHA256 and SHA512 hashes and GPG signatures,
+by default.
Note that C<sa-update> will not restart C<spamd> or otherwise cause
a scanner to reload the now-updated ruleset automatically. Instead,
@@ -1975,10 +1946,10 @@ The exit code will be C<0> or C<1> as de
Install updates "offline", from the named tar.gz file, instead of performing
DNS lookups and HTTP invocations.
-Files named B<file>.sha1 and B<file>.asc will be used for the SHA-1 and GPG
-signature, respectively. The filename provided must contain a version number
-of at least 3 digits, which will be used as the channel's update version
-number.
+Files named B<file>.sha256, B<file>.sha512, and B<file>.asc will be used for
+the SHA256 and SHA512 hashes and the GPG signature, respectively. The filename
+provided must contain a version number of at least 3 digits, which will be used
+as the channel's update version number.
Multiple B<--channel> switches cannot be used with B<--install>. To install
multiple channels from tarballs, run C<sa-update> multiple times with different
@@ -1995,11 +1966,11 @@ in the downloaded update rules files.
=item B<--gpg>, B<--nogpg>
-sa-update by default will verify update archives by use of a SHA1 checksum
-and GPG signature. SHA1 hashes can verify whether or not the downloaded
-archive has been corrupted, but it does not offer any form of security
-regarding whether or not the downloaded archive is legitimate (aka:
-non-modifed by evildoers). GPG verification of the archive is used to
+sa-update by default will verify update archives by use of SHA256 and SHA512
+checksums and GPG signature. SHA* hashes can verify whether or not the
+downloaded archive has been corrupted, but it does not offer any form of
+security regarding whether or not the downloaded archive is legitimate
+(aka: non-modifed by evildoers). GPG verification of the archive is used to
solve that problem.
If you wish to skip GPG verification, you can use the B<--nogpg> option
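Review bot: The rewrapped --gpg paragraph carries over the typo "non-modifed" (should be "non-modified") and now has a number mismatch: "SHA* hashes can verify ... but it does not offer" should be "but they do not offer". Since these lines are being touched anyway, "SHA* hashes" could also be spelled out as "SHA256 and SHA512 hashes" to match the sentence before it.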