[prev in list] [next in list] [prev in thread] [next in thread]
List: spamassassin-announce
Subject: ANNOUNCE: Apache SpamAssassin 3.4.3 available
From: "Kevin A. McGrail" <kmcgrail () apache ! org>
Date: 2019-12-12 11:04:26
Message-ID: 056145b2-b908-c811-9af1-ecea2571c5c3 () apache ! org
[Download RAW message or body]
On behalf of the Apache SpamAssassin Project, I am proud to share the release notes \
for Apache SpamAssassin v3.4.3. -KAM
Release Notes -- Apache SpamAssassin -- Version 3.4.3
Introduction
------------
Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we
prepare to move to version 4.0.0 with better, native UTF-8 handling.
There are a number of functional patches, improvements as well as security
reasons to upgrade to 3.4.3. In this release, there are bug fixes for two
CVEs.
*** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures.
If you do not update to 3.4.2 or later, you will be stuck at the last
ruleset with SHA-1 signatures. ***
Many thanks to the committers, contributors, rule testers, mass checkers,
and code testers who have made this release possible.
Happy Birthday
--------------
Apache SpamAssassin turned 18 on September 5th, 2019.
Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the
world's most popular email anti-spam platform. Apache SpamAssassin can be
used on a wide variety of email systems including Postfix, procmail, qmail,
sendmail, and more.
It serves as the spam-filtering and detection solution for numerous ISPs and
hosting providers, and is integrated in commercial software including Plesk,
cPanel, Vesta Control Panel, and many others.
SpamAssassin was originally created by Justin Mason, who had maintained a
number of patches against an earlier program named filter.plx by Mark
Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code
from scratch and uploaded the resulting codebase to SourceForge on April 20,
2001. SpamAssassin entered the Apache Incubator in December 2003 and
graduated as an Apache Top-Level Project in June 2004.
Notable features:
=================
New plugins
-----------
There is 1 new plugin added with this release:
# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
#
# It tries to discern between safe and malicious code but due to the threat
# macros present to security, many places block these type of documents
# outright.
#
# For this plugin to work, Archive::Zip and IO::String modules are required.
# loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
This plugin is disabled by default. To enable, uncomment the loadplugin
configuration options in file v343.pre, or add it to some local .pre file
such as local.pre.
Notable changes
---------------
Safer and faster scanning of large emails using body_part_scan_size and
rawbody_part_scan_size settings.
New tflag "nosubject" for 'body' rules, to stop matching the Subject header
which is part of the body text.
Two CVE security bug fixes are included in this release:
CVE-2019-12420 for Multipart Denial of Service Vulnerability
CVE-2018-11805 for nefarious CF files can be configured to
run system commands without any output or errors.
Security updates include deprecation of the unsafe sa-update '--allowplugins'
option, which now prints a warning that '--reallyallowplugins' is required
to use it.
New configuration options
-------------------------
A new subjprefix keyword used to add a prefix to the subject of the
email if a rule is matched.
A new template tag _SUBJPREFIX_ that maps to the subject prefix that
has been added by the subjprefix keyword.
A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that
hits with duplicated rules collapsed.
A config option rbl_headers has been added to DNSEval plugin,
this option is used to specify in which headers check_rbl_headers
should check for content used to query the specified rbl.
A new check_rbl_ns_from function has been added to check
the dns server of the from addrs domain name against a specific rbl.
A new check_rbl_rcvd function has been added to check
all received headers domains or ip addresses against a
specific rbl.
New options has been added to check_hashbl_emails function
has been added; it is now possible to specify in which headers
the function should check for content used to query the
specified rbl and an acl to filter the email addresses the rule
should apply.
A new check_hashbl_bodyre function has been added, it is now possible
to search body for matching regexp and query the string captured
against the specified rbl.
A new check_hashbl_uris function has been added, it is now possible
to match uris in email's body and query the uris against the
specified rbl.
Notable Internal changes
------------------------
None noted.
Other updates
-------------
None noted.
Optimizations
-------------
None noted.
Downloading and availability
----------------------------
Downloads are available from:
https://spamassassin.apache.org/downloads.cgi
sha256sum of archive files:
a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d \
Mail-SpamAssassin-3.4.3.tar.bz2 \
bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8 \
Mail-SpamAssassin-3.4.3.tar.gz \
3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86 \
Mail-SpamAssassin-3.4.3.zip \
d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9 \
Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
sha512sum of archive files:
4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0 \
Mail-SpamAssassin-3.4.3.tar.bz2 \
d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a \
Mail-SpamAssassin-3.4.3.tar.gz \
608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14 \
Mail-SpamAssassin-3.4.3.zip \
2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f \
Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
Note that the *-rules-*.tgz files are only necessary if you cannot,
or do not wish to, run "sa-update" after install to download the latest
fresh rules.
See the INSTALL and UPGRADE files in the distribution for important
installation notes.
GPG Verification Procedure
--------------------------
The release files also have a .asc accompanying them. The file serves
as an external GPG signature for the given release file. The signing
key is available via the wwwkeys.pgp.net key server, as well as
https://www.apache.org/dist/spamassassin/KEYS
The following key is used to sign releases after, and including SA 3.3.0:
pub 4096R/F7D39814 2009-12-02
Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
uid SpamAssassin Project Management Committee \
<private@spamassassin.apache.org> uid SpamAssassin Signing Key (Code \
Signing Key, replacement for 1024D/265FA05B) <dev@spamassassin.apache.org> sub \
4096R/7B3265A5 2009-12-02
The following key is used to sign rule updates:
pub 4096R/5244EC45 2005-12-20
Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
uid updates.spamassassin.org Signing Key <release@spamassassin.org>
sub 4096R/24F434CE 2005-12-20
To verify a release file, download the file with the accompanying .asc
file and run the following commands:
gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc
gpg --fingerprint F7D39814
Then verify that the key matches the signature.
Note that older versions of gnupg may not be able to complete the steps
above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
worked flawlessly.
See https://www.apache.org/info/verification.html for more information
on verifying Apache releases.
About Apache SpamAssassin
-------------------------
Apache SpamAssassin is a mature, widely-deployed open source project
that serves as a mail filter to identify spam. SpamAssassin uses a
variety of mechanisms including mail header and text analysis, Bayesian
filtering, DNS blocklists, and collaborative filtering databases. In
addition, Apache SpamAssassin has a modular architecture that allows
other technologies to be quickly incorporated as an addition or as a
replacement for existing methods.
Apache SpamAssassin typically runs on a server, classifies and labels
spam before it reaches your mailbox, while allowing other components of
a mail system to act on its results.
Most of the Apache SpamAssassin is written in Perl, with heavily
traversed code paths carefully optimized. Benefits are portability,
robustness and facilitated maintenance. It can run on a wide variety of
POSIX platforms.
The server and the Perl library feels at home on Unix and Linux platforms
and reportedly also works on MS Windows systems under ActivePerl.
For more information, visit https://spamassassin.apache.org/
About The Apache Software Foundation
------------------------------------
Established in 1999, The Apache Software Foundation provides
organizational, legal, and financial support for more than 100
freely-available, collaboratively-developed Open Source projects. The
pragmatic Apache License enables individual and commercial users to
easily deploy Apache software; the Foundation's intellectual property
framework limits the legal exposure of its 2,500+ contributors.
For more information, visit https://www.apache.org/
##
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<pre style="color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: \
normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: \
2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; \
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; \
text-decoration-color: initial; overflow-wrap: break-word; white-space: pre-wrap;">On \
behalf of the Apache SpamAssassin Project, I am proud to share the release notes for \
Apache SpamAssassin v3.4.3. -KAM
Release Notes -- Apache SpamAssassin -- Version 3.4.3
Introduction
------------
Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we
prepare to move to version 4.0.0 with better, native UTF-8 handling.
There are a number of functional patches, improvements as well as security
reasons to upgrade to 3.4.3. In this release, there are bug fixes for two
CVEs.
*** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures.
If you do not update to 3.4.2 or later, you will be stuck at the last
ruleset with SHA-1 signatures. ***
Many thanks to the committers, contributors, rule testers, mass checkers,
and code testers who have made this release possible.
Happy Birthday
--------------
Apache SpamAssassin turned 18 on September 5th, 2019.
Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the
world's most popular email anti-spam platform. Apache SpamAssassin can be
used on a wide variety of email systems including Postfix, procmail, qmail,
sendmail, and more.
It serves as the spam-filtering and detection solution for numerous ISPs and
hosting providers, and is integrated in commercial software including Plesk,
cPanel, Vesta Control Panel, and many others.
SpamAssassin was originally created by Justin Mason, who had maintained a
number of patches against an earlier program named filter.plx by Mark
Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code
from scratch and uploaded the resulting codebase to SourceForge on April 20,
2001. SpamAssassin entered the Apache Incubator in December 2003 and
graduated as an Apache Top-Level Project in June 2004.
Notable features:
=================
New plugins
-----------
There is 1 new plugin added with this release:
# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
#
# It tries to discern between safe and malicious code but due to the threat
# macros present to security, many places block these type of documents
# outright.
#
# For this plugin to work, Archive::Zip and IO::String modules are required.
# loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
This plugin is disabled by default. To enable, uncomment the loadplugin
configuration options in file v343.pre, or add it to some local .pre file
such as local.pre.
Notable changes
---------------
Safer and faster scanning of large emails using body_part_scan_size and
rawbody_part_scan_size settings.
New tflag "nosubject" for 'body' rules, to stop matching the Subject header
which is part of the body text.
Two CVE security bug fixes are included in this release:
CVE-2019-12420 for Multipart Denial of Service Vulnerability
CVE-2018-11805 for nefarious CF files can be configured to
run system commands without any output or errors.
Security updates include deprecation of the unsafe sa-update '--allowplugins'
option, which now prints a warning that '--reallyallowplugins' is required
to use it.
New configuration options
-------------------------
A new subjprefix keyword used to add a prefix to the subject of the
email if a rule is matched.
A new template tag _SUBJPREFIX_ that maps to the subject prefix that
has been added by the subjprefix keyword.
A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that
hits with duplicated rules collapsed.
A config option rbl_headers has been added to DNSEval plugin,
this option is used to specify in which headers check_rbl_headers
should check for content used to query the specified rbl.
A new check_rbl_ns_from function has been added to check
the dns server of the from addrs domain name against a specific rbl.
A new check_rbl_rcvd function has been added to check
all received headers domains or ip addresses against a
specific rbl.
New options has been added to check_hashbl_emails function
has been added; it is now possible to specify in which headers
the function should check for content used to query the
specified rbl and an acl to filter the email addresses the rule
should apply.
A new check_hashbl_bodyre function has been added, it is now possible
to search body for matching regexp and query the string captured
against the specified rbl.
A new check_hashbl_uris function has been added, it is now possible
to match uris in email's body and query the uris against the
specified rbl.
Notable Internal changes
------------------------
None noted.
Other updates
-------------
None noted.
Optimizations
-------------
None noted.
Downloading and availability
----------------------------
Downloads are available from:
<a class="moz-txt-link-freetext" \
href="https://spamassassin.apache.org/downloads.cgi">https://spamassassin.apache.org/downloads.cgi</a>
sha256sum of archive files:
a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d \
Mail-SpamAssassin-3.4.3.tar.bz2 \
bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8 \
Mail-SpamAssassin-3.4.3.tar.gz \
3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86 \
Mail-SpamAssassin-3.4.3.zip \
d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9 \
Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
sha512sum of archive files:
4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0 \
Mail-SpamAssassin-3.4.3.tar.bz2 \
d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a \
Mail-SpamAssassin-3.4.3.tar.gz \
608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14 \
Mail-SpamAssassin-3.4.3.zip \
2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f \
Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
Note that the *-rules-*.tgz files are only necessary if you cannot,
or do not wish to, run "sa-update" after install to download the latest
fresh rules.
See the INSTALL and UPGRADE files in the distribution for important
installation notes.
GPG Verification Procedure
--------------------------
The release files also have a .asc accompanying them. The file serves
as an external GPG signature for the given release file. The signing
key is available via the wwwkeys.pgp.net key server, as well as
<a class="moz-txt-link-freetext" \
href="https://www.apache.org/dist/spamassassin/KEYS">https://www.apache.org/dist/spamassassin/KEYS</a>
The following key is used to sign releases after, and including SA 3.3.0:
pub 4096R/F7D39814 2009-12-02
Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
uid SpamAssassin Project Management Committee <a \
class="moz-txt-link-rfc2396E" \
href="mailto:private@spamassassin.apache.org"><private@spamassassin.apache.org></a>
uid SpamAssassin Signing Key (Code Signing Key, replacement for \
1024D/265FA05B) <a class="moz-txt-link-rfc2396E" \
href="mailto:dev@spamassassin.apache.org"><dev@spamassassin.apache.org></a> sub \
4096R/7B3265A5 2009-12-02
The following key is used to sign rule updates:
pub 4096R/5244EC45 2005-12-20
Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
uid updates.spamassassin.org Signing Key <a \
class="moz-txt-link-rfc2396E" \
href="mailto:release@spamassassin.org"><release@spamassassin.org></a> sub \
4096R/24F434CE 2005-12-20
To verify a release file, download the file with the accompanying .asc
file and run the following commands:
gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc
gpg --fingerprint F7D39814
Then verify that the key matches the signature.
Note that older versions of gnupg may not be able to complete the steps
above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
worked flawlessly.
See <a class="moz-txt-link-freetext" \
href="https://www.apache.org/info/verification.html">https://www.apache.org/info/verification.html</a> \
for more information on verifying Apache releases.
About Apache SpamAssassin
-------------------------
Apache SpamAssassin is a mature, widely-deployed open source project
that serves as a mail filter to identify spam. SpamAssassin uses a
variety of mechanisms including mail header and text analysis, Bayesian
filtering, DNS blocklists, and collaborative filtering databases. In
addition, Apache SpamAssassin has a modular architecture that allows
other technologies to be quickly incorporated as an addition or as a
replacement for existing methods.
Apache SpamAssassin typically runs on a server, classifies and labels
spam before it reaches your mailbox, while allowing other components of
a mail system to act on its results.
Most of the Apache SpamAssassin is written in Perl, with heavily
traversed code paths carefully optimized. Benefits are portability,
robustness and facilitated maintenance. It can run on a wide variety of
POSIX platforms.
The server and the Perl library feels at home on Unix and Linux platforms
and reportedly also works on MS Windows systems under ActivePerl.
For more information, visit <a class="moz-txt-link-freetext" \
href="https://spamassassin.apache.org/">https://spamassassin.apache.org/</a>
About The Apache Software Foundation
------------------------------------
Established in 1999, The Apache Software Foundation provides
organizational, legal, and financial support for more than 100
freely-available, collaboratively-developed Open Source projects. The
pragmatic Apache License enables individual and commercial users to
easily deploy Apache software; the Foundation's intellectual property
framework limits the legal exposure of its 2,500+ contributors.
For more information, visit <a class="moz-txt-link-freetext" \
href="https://www.apache.org/">https://www.apache.org/</a>
##
</pre>
<pre class="moz-signature" cols="72">--
Kevin A. McGrail
<a class="moz-txt-link-abbreviated" \
href="mailto:KMcGrail@Apache.org">KMcGrail@Apache.org</a>
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
<a class="moz-txt-link-freetext" \
href="https://www.linkedin.com/in/kmcgrail">https://www.linkedin.com/in/kmcgrail</a> \
- 703.798.0171</pre> </body>
</html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic