You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by Sidney Markowitz <si...@apache.org> on 2021/03/24 15:32:09 UTC
ANNOUNCE: Apache SpamAssassin 3.4.5 available
On behalf of the Apache SpamAssassin Project, I am pleased to announce version 3.4.5 is available.
Release Notes -- Apache SpamAssassin -- Version 3.4.5
Introduction
------------
Apache SpamAssassin 3.4.5 is primarily a security release.
In this release, there are bug fixes for one CVE.
*** On March 1, 2020, we stopped publishing rulesets with SHA-1 signatures.
If you do not update to 3.4.2 or later, you will be stuck at the last
ruleset with SHA-1 signatures. Such an upgrade should be to 3.4.5 to
obtain the contained security fixes ***
*** Ongoing development on the 3.4 branch has ceased. All future releases
and bug fixes will be on the 4.0 series, unless a new security issue
is found that necessitates a 3.4.6 release. ***
Many thanks to the committers, contributors, rule testers, mass checkers,
and code testers who have made this release possible.
Notable features:
=================
None noted.
Notable changes
---------------
In addition to the CVE which shall be announced separately, this release
includes fixes for the following:
- Improvements to OLEVBMacro and AskDNS plugins
- Received and EnvelopeFrom headers matching improvements
- userpref SQL schema fixes
- rbl and hashbl evaluation improvements
- fix for non working TxRep tag names
- man page fixes
New configuration options
-------------------------
None noted.
Notable Internal changes
------------------------
None noted.
Other updates
-------------
None noted.
Optimizations
-------------
None noted.
Downloading and availability
----------------------------
Downloads are available from:
https://spamassassin.apache.org/downloads.cgi
sha256sum of archive files:
67edf87126af4869c2a42720fc3dbb34ce25285449ef1f3fc1ab712d2e0a5463 Mail-SpamAssassin-3.4.5.tar.bz2
a640842c5f3f468e3a21cbb9c555647306ec77807e57c5744ef0065e4a8675f6 Mail-SpamAssassin-3.4.5.tar.gz
b60da76a6ad9178db60c680fa2597f76cdbf1de1393f3e34ea3d76f1168aece6 Mail-SpamAssassin-3.4.5.zip
2690aa131b79788ba756030af8746dd4531ab2c0cb56c0fe469f58d9dd043aad Mail-SpamAssassin-rules-3.4.5.r1887800.tgz
sha512sum of archive files:
46096019ef3d2b6dadb7af0d076c22526786cccb669cd4bed131b64fa935863630ca9f3e78277bebba0ed75099be9fbce97a30a6478ed84093896a1ad3d8387a Mail-SpamAssassin-3.4.5.tar.bz2
76323d8a5be1f5451375adc8b7989f183e72d0fa52848a1356c3b7fb3da9a9328fe9f91bcc941228c2cb91180ed49583a9a8bebf1f00caf7ad898251af3b9ba3 Mail-SpamAssassin-3.4.5.tar.gz
f903203f6ce29c14d1589648cb382e805926c62df1e8e9ee47bba78eaf168c133361fff927e40e15fe5592b4989a30e222e469ff72d4a638c179a330102174d1 Mail-SpamAssassin-3.4.5.zip
d759ff2d6941a997e0b3f8db189d414c04eb07f63330f074a829bc0de26d8ea6c8c0e8e3d7efaabd0a1cede8ecc645059c7fd83333c1ce5409656e0ca23b06e1 Mail-SpamAssassin-rules-3.4.5.r1887800.tgz
Note that the *-rules-*.tgz files are only necessary if you cannot,
or do not wish to, run "sa-update" after install to download the latest
fresh rules.
See the INSTALL and UPGRADE files in the distribution for important
installation notes.
GPG Verification Procedure
--------------------------
The release files also have a .asc accompanying them. The file serves
as an external GPG signature for the given release file. The signing
key is available via the keys.gnupg.net or keys.openpgp.org key servers,
as well as https://www.apache.org/dist/spamassassin/KEYS
The following key is used to sign releases after, and including SA 3.3.0:
pub 4096R/F7D39814 2009-12-02
Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
uid SpamAssassin Project Management Committee <pr...@spamassassin.apache.org>
uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <de...@spamassassin.apache.org>
sub 4096R/7B3265A5 2009-12-02
The following key is used to sign rule updates:
pub 4096R/5244EC45 2005-12-20
Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
uid updates.spamassassin.org Signing Key <re...@spamassassin.org>
sub 4096R/24F434CE 2005-12-20
To verify a release file, download the file with the accompanying .asc
file and run the following commands:
gpg --verbose --keyserver keys.gnupg.net --recv-key FDE52F40F7D39814
gpg --verify Mail-SpamAssassin-3.4.5.tar.bz2.asc
gpg --fingerprint FDE52F40F7D39814
Then verify that the key matches the signature.
Note that older versions of gnupg may not be able to complete the steps
above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
worked flawlessly.
See https://www.apache.org/info/verification.html for more information
on verifying Apache releases.
About Apache SpamAssassin
-------------------------
Apache SpamAssassin is a mature, widely-deployed open source project
that serves as a mail filter to identify spam. SpamAssassin uses a
variety of mechanisms including mail header and text analysis, Bayesian
filtering, DNS blocklists, and collaborative filtering databases. In
addition, Apache SpamAssassin has a modular architecture that allows
other technologies to be quickly incorporated as an addition or as a
replacement for existing methods.
Apache SpamAssassin typically runs on a server, classifies and labels
spam before it reaches your mailbox, while allowing other components of
a mail system to act on its results.
Most of the Apache SpamAssassin is written in Perl, with heavily
traversed code paths carefully optimized. Benefits are portability,
robustness and facilitated maintenance. It can run on a wide variety of
POSIX platforms.
The server and the Perl library feels at home on Unix and Linux platforms
and reportedly also works on MS Windows systems under ActivePerl.
For more information, visit https://spamassassin.apache.org/
About The Apache Software Foundation
------------------------------------
Established in 1999, The Apache Software Foundation provides
organizational, legal, and financial support for more than 100
freely-available, collaboratively-developed Open Source projects. The
pragmatic Apache License enables individual and commercial users to
easily deploy Apache software; the Foundation's intellectual property
framework limits the legal exposure of its 2,500+ contributors.
For more information, visit https://www.apache.org/
--
Sidney Markowitz
Chair, Apache SpamAssassin PMC
sidney@apache.org
Re: ANNOUNCE: Apache SpamAssassin 3.4.5 available
Posted by Michael Peddemors <mi...@linuxmagic.com>.
On 2021-04-07 2:37 p.m., Sidney Markowitz wrote:
> Henrik K wrote on 7/04/21 1:31 am:
>>> I think we should release 3.4.6 because of this bug:
>>>
>>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7897
>>>
>>> Metas depending on uribl rules do not currently hit.. :-(
>>
>> Though it seems there aren't any metas in stock ruleset that are
>> affected.
>> I do have on my own rules. So dunno, what is the timeline for a 4.0
>> release..
>>
>
> Henrik, are you saying that this isn't enough reason to release 3.4.6
> after all because it doesn't effect any metas in stock ruleset? I'm ok
> with doing the release manager work for 3.4.6 if there is consensus that
> it is necessary. Also, to be clear, is bug 7897 more important to fix
> than the bug 7822 that would be re-introduced by reverting its patch?
>
> Sidney
I think others (didn't pull a report from our channels mind you) that
might have Meta's using that rule.. I would 'suggest' that they should
continue working, even if stock rulesets don't have any Meta's depending
on that.. reverting what broke that might be in order.
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
Re: ANNOUNCE: Apache SpamAssassin 3.4.5 available
Posted by Sidney Markowitz <si...@sidney.com>.
Bill Cole wrote on 8/04/21 10:09 am:
> I believe we should release a 3.4.6 in the near term (days not months)
> to fix 7897 even if we have to do it with 7822 unfixed. I'd rather both
> were fixed but I don't have the free cycles right now to get a good
> enough understanding of the entanglements to fix it myself.
Ok, I'll start the release process, with me as release manager. We are now
back to code freeze, RTC mode in the 3.4 branch. If anyone thinks that there
is a safe fix for bug 7822 to go along with this, speak up. Otherwise we'll
release 3.4.6 with the only changes being the patch to fix 7897 that reverts 7822.
As per our processes, I can proceed with preparing the release and we vote
when there is a build to vote on.
Could one of you who does have the deeper understanding of the issues write
the brief (one line?) descriptions of what is being fixed and what is being
regressed as it should appear in the release notes for 3.4.6?
Thanks,
Sidney
Re: ANNOUNCE: Apache SpamAssassin 3.4.5 available
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 7 Apr 2021, at 17:37, Sidney Markowitz wrote:
> Henrik K wrote on 7/04/21 1:31 am:
>>> I think we should release 3.4.6 because of this bug:
>>>
>>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7897
>>>
>>> Metas depending on uribl rules do not currently hit.. :-(
>>
>> Though it seems there aren't any metas in stock ruleset that are
>> affected.
>> I do have on my own rules. So dunno, what is the timeline for a 4.0
>> release..
>>
>
> Henrik, are you saying that this isn't enough reason to release 3.4.6
> after all because it doesn't effect any metas in stock ruleset? I'm ok
> with doing the release manager work for 3.4.6 if there is consensus
> that it is necessary. Also, to be clear, is bug 7897 more important to
> fix than the bug 7822 that would be re-introduced by reverting its
> patch?
I think fixing 7897, which causes the failure of fairly common (albeit
not default) rules, is MUCH more important than 7822, which is a bug in
a disabled-by-default plugin that is relatively new. For years I've been
using and suggesting to others the use of DNSBL synergy rules adding
significant bonus points when a message hits 2 or more blocklists from a
collection that may each have occasional FPs.
I believe we should release a 3.4.6 in the near term (days not months)
to fix 7897 even if we have to do it with 7822 unfixed. I'd rather both
were fixed but I don't have the free cycles right now to get a good
enough understanding of the entanglements to fix it myself.
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: ANNOUNCE: Apache SpamAssassin 3.4.5 available
Posted by Sidney Markowitz <si...@sidney.com>.
Henrik K wrote on 7/04/21 1:31 am:
>> I think we should release 3.4.6 because of this bug:
>>
>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7897
>>
>> Metas depending on uribl rules do not currently hit.. :-(
>
> Though it seems there aren't any metas in stock ruleset that are affected.
> I do have on my own rules. So dunno, what is the timeline for a 4.0
> release..
>
Henrik, are you saying that this isn't enough reason to release 3.4.6 after
all because it doesn't effect any metas in stock ruleset? I'm ok with doing
the release manager work for 3.4.6 if there is consensus that it is necessary.
Also, to be clear, is bug 7897 more important to fix than the bug 7822 that
would be re-introduced by reverting its patch?
Sidney
Re: ANNOUNCE: Apache SpamAssassin 3.4.5 available
Posted by John Hardin <jh...@impsec.org>.
On Tue, 6 Apr 2021, Henrik K wrote:
> On Tue, Apr 06, 2021 at 04:20:01PM +0300, Henrik K wrote:
>> On Thu, Mar 25, 2021 at 04:32:09AM +1300, Sidney Markowitz wrote:
>>>
>>> *** Ongoing development on the 3.4 branch has ceased. All future releases
>>> and bug fixes will be on the 4.0 series, unless a new security issue
>>> is found that necessitates a 3.4.6 release. ***
>>
>> I think we should release 3.4.6 because of this bug:
>>
>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7897
>>
>> Metas depending on uribl rules do not currently hit.. :-(
>
> Though it seems there aren't any metas in stock ruleset that are affected.
> I do have on my own rules. So dunno, what is the timeline for a 4.0
> release..
"Not Soon Enough".
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
7 days until Thomas Jefferson's 278th Birthday
Re: ANNOUNCE: Apache SpamAssassin 3.4.5 available
Posted by Henrik K <he...@hege.li>.
On Tue, Apr 06, 2021 at 04:20:01PM +0300, Henrik K wrote:
> On Thu, Mar 25, 2021 at 04:32:09AM +1300, Sidney Markowitz wrote:
> >
> > *** Ongoing development on the 3.4 branch has ceased. All future releases
> > and bug fixes will be on the 4.0 series, unless a new security issue
> > is found that necessitates a 3.4.6 release. ***
>
> I think we should release 3.4.6 because of this bug:
>
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7897
>
> Metas depending on uribl rules do not currently hit.. :-(
Though it seems there aren't any metas in stock ruleset that are affected.
I do have on my own rules. So dunno, what is the timeline for a 4.0
release..
Re: ANNOUNCE: Apache SpamAssassin 3.4.5 available
Posted by Henrik K <he...@hege.li>.
On Thu, Mar 25, 2021 at 04:32:09AM +1300, Sidney Markowitz wrote:
>
> *** Ongoing development on the 3.4 branch has ceased. All future releases
> and bug fixes will be on the 4.0 series, unless a new security issue
> is found that necessitates a 3.4.6 release. ***
I think we should release 3.4.6 because of this bug:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7897
Metas depending on uribl rules do not currently hit.. :-(