spamassassin-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevin A. McGrail" <kmcgr...@apache.org>
Subject ANNOUNCE: Apache SpamAssassin 3.4.3 available
Date Thu, 12 Dec 2019 11:04:26 GMT
On behalf of the Apache SpamAssassin Project, I am proud to share the release notes for Apache
SpamAssassin v3.4.3. -KAM

Release Notes -- Apache SpamAssassin -- Version 3.4.3

Introduction
------------

Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we
prepare to move to version 4.0.0 with better, native UTF-8 handling.

There are a number of functional patches, improvements as well as security
reasons to upgrade to 3.4.3.  In this release, there are bug fixes for two
CVEs.

*** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures.
    If you do not update to 3.4.2 or later, you will be stuck at the last
    ruleset with SHA-1 signatures. ***

Many thanks to the committers, contributors, rule testers, mass checkers,
and code testers who have made this release possible.

Happy Birthday
--------------
Apache SpamAssassin turned 18 on September 5th, 2019.

Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the
world's most popular email anti-spam platform. Apache SpamAssassin can be
used on a wide variety of email systems including Postfix, procmail, qmail,
sendmail, and more.

It serves as the spam-filtering and detection solution for numerous ISPs and
hosting providers, and is integrated in commercial software including Plesk,
cPanel, Vesta Control Panel, and many others.

SpamAssassin was originally created by Justin Mason, who had maintained a
number of patches against an earlier program named filter.plx by Mark
Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code
from scratch and uploaded the resulting codebase to SourceForge on April 20,
2001. SpamAssassin entered the Apache Incubator in December 2003 and
graduated as an Apache Top-Level Project in June 2004.

Notable features:
=================

New plugins
-----------
There is 1 new plugin added with this release:

# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
#
# It tries to discern between safe and malicious code but due to the threat
# macros present to security, many places block these type of documents
# outright.
#
# For this plugin to work, Archive::Zip and IO::String modules are required.
# loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro


This plugin is disabled by default. To enable, uncomment the loadplugin
configuration options in file v343.pre, or add it to some local .pre file
such as local.pre.

Notable changes
---------------

Safer and faster scanning of large emails using body_part_scan_size and
rawbody_part_scan_size settings.

New tflag "nosubject" for 'body' rules, to stop matching the Subject header
which is part of the body text.

Two CVE security bug fixes are included in this release:

  CVE-2019-12420 for Multipart Denial of Service Vulnerability

  CVE-2018-11805 for nefarious CF files can be configured to
  run system commands without any output or errors.

Security updates include deprecation of the unsafe sa-update '--allowplugins'
option, which now prints a warning that '--reallyallowplugins' is required
to use it.

New configuration options
-------------------------

A new subjprefix keyword used to add a prefix to the subject of the
email if a rule is matched.

A new template tag _SUBJPREFIX_ that maps to the subject prefix that
has been added by the subjprefix keyword.

A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that
hits with duplicated rules collapsed.

A config option rbl_headers has been added to DNSEval plugin,
this option is used to specify in which headers check_rbl_headers
should check for content used to query the specified rbl.

A new check_rbl_ns_from function has been added to check
the dns server of the from addrs domain name against a specific rbl.

A new check_rbl_rcvd function has been added to check
all received headers domains or ip addresses against a
specific rbl.

New options has been added to check_hashbl_emails function
has been added; it is now possible to specify in which headers
the function should check for content used to query the
specified rbl and an acl to filter the email addresses the rule
should apply.

A new check_hashbl_bodyre function has been added, it is now possible
to search body for matching regexp and query the string captured
against the specified rbl.

A new check_hashbl_uris function has been added, it is now possible
to match uris in email's body and query the uris against the
specified rbl.

Notable Internal changes
------------------------

None noted.

Other updates
-------------

None noted.

Optimizations
-------------

None noted.


Downloading and availability
----------------------------

Downloads are available from:

https://spamassassin.apache.org/downloads.cgi

sha256sum of archive files:

  a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d  Mail-SpamAssassin-3.4.3.tar.bz2
  bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8  Mail-SpamAssassin-3.4.3.tar.gz
  3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86  Mail-SpamAssassin-3.4.3.zip
  d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9  Mail-SpamAssassin-rules-3.4.3.r1871124.tgz

sha512sum of archive files:

  4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0
 Mail-SpamAssassin-3.4.3.tar.bz2
  d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a
 Mail-SpamAssassin-3.4.3.tar.gz
  608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14
 Mail-SpamAssassin-3.4.3.zip
  2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f
 Mail-SpamAssassin-rules-3.4.3.r1871124.tgz

Note that the *-rules-*.tgz files are only necessary if you cannot,
or do not wish to, run "sa-update" after install to download the latest
fresh rules.

See the INSTALL and UPGRADE files in the distribution for important
installation notes.


GPG Verification Procedure
--------------------------
The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
https://www.apache.org/dist/spamassassin/KEYS



The following key is used to sign releases after, and including SA 3.3.0:

pub   4096R/F7D39814 2009-12-02
      Key fingerprint = D809 9BC7 9E17 D7E4 9BC2  1E31 FDE5 2F40 F7D3 9814
uid                  SpamAssassin Project Management Committee <private@spamassassin.apache.org>
uid                  SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B)
<dev@spamassassin.apache.org>
sub   4096R/7B3265A5 2009-12-02

The following key is used to sign rule updates:

pub   4096R/5244EC45 2005-12-20
      Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78  DFDC 4056 A61A 5244 EC45
uid                  updates.spamassassin.org Signing Key <release@spamassassin.org>
sub   4096R/24F434CE 2005-12-20

To verify a release file, download the file with the accompanying .asc
file and run the following commands:

  gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
  gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc
  gpg --fingerprint F7D39814

Then verify that the key matches the signature.

Note that older versions of gnupg may not be able to complete the steps
above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
worked flawlessly.

See https://www.apache.org/info/verification.html for more information
on verifying Apache releases.


About Apache SpamAssassin
-------------------------

Apache SpamAssassin is a mature, widely-deployed open source project
that serves as a mail filter to identify spam. SpamAssassin uses a
variety of mechanisms including mail header and text analysis, Bayesian
filtering, DNS blocklists, and collaborative filtering databases. In
addition, Apache SpamAssassin has a modular architecture that allows
other technologies to be quickly incorporated as an addition or as a
replacement for existing methods.

Apache SpamAssassin typically runs on a server, classifies and labels
spam before it reaches your mailbox, while allowing other components of
a mail system to act on its results.

Most of the Apache SpamAssassin is written in Perl, with heavily
traversed code paths carefully optimized. Benefits are portability,
robustness and facilitated maintenance. It can run on a wide variety of
POSIX platforms.

The server and the Perl library feels at home on Unix and Linux platforms
and reportedly also works on MS Windows systems under ActivePerl.

For more information, visit https://spamassassin.apache.org/


About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides
organizational, legal, and financial support for more than 100
freely-available, collaboratively-developed Open Source projects. The
pragmatic Apache License enables individual and commercial users to
easily deploy Apache software; the Foundation's intellectual property
framework limits the legal exposure of its 2,500+ contributors.

For more information, visit https://www.apache.org/

##

-- 
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


Mime
View raw message