| From: <your@apache.org address here> |
| To: <your@apache.org address here> |
| Bcc: users@spamassassin.apache.org, dev@spamassassin.apache.org, announce@spamassassin.apache.org, announce@apache.org |
| Reply-to: dev@spamassassin.apache.org |
| Subject: ANNOUNCE: Apache SpamAssassin 3.4.3 available |
| |
| Release Notes -- Apache SpamAssassin -- Version 3.4.3 |
| |
| Introduction |
| ------------ |
| |
| Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we |
| prepare to move to version 4.0.0 with better, native UTF-8 handling. |
| |
| There are a number of functional patches, improvements as well as security |
| reasons to upgrade to 3.4.3. In this release, there are bug fixes for two |
| CVEs. |
| |
| *** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures. |
| If you do not update to 3.4.2 or later, you will be stuck at the last |
| ruleset with SHA-1 signatures. *** |
| |
| Many thanks to the committers, contributors, rule testers, mass checkers, |
| and code testers who have made this release possible. |
| |
| Happy Birthday |
| -------------- |
| Apache SpamAssassin turned 18 on September 5th, 2019. |
| |
| Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the |
| world's most popular email anti-spam platform. Apache SpamAssassin can be |
| used on a wide variety of email systems including Postfix, procmail, qmail, |
| sendmail, and more. |
| |
| It serves as the spam-filtering and detection solution for numerous ISPs and |
| hosting providers, and is integrated in commercial software including Plesk, |
| cPanel, Vesta Control Panel, and many others. |
| |
| SpamAssassin was originally created by Justin Mason, who had maintained a |
| number of patches against an earlier program named filter.plx by Mark |
| Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code |
| from scratch and uploaded the resulting codebase to SourceForge on April 20, |
| 2001. SpamAssassin entered the Apache Incubator in December 2003 and |
| graduated as an Apache Top-Level Project in June 2004. |
| |
| Notable features: |
| ================= |
| |
| New plugins |
| ----------- |
| There is 1 new plugin added with this release: |
| |
| # OLEVBMacro - Detects both OLE macros and VB code inside Office documents |
| # |
| # It tries to discern between safe and malicious code but due to the threat |
| # macros present to security, many places block these type of documents |
| # outright. |
| # |
| # For this plugin to work, Archive::Zip and IO::String modules are required. |
| # loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro |
| |
| |
| This plugin is disabled by default. To enable, uncomment the loadplugin |
| configuration options in file v343.pre, or add it to some local .pre file |
| such as local.pre. |
| |
| Notable changes |
| --------------- |
| |
| Safer and faster scanning of large emails using body_part_scan_size and |
| rawbody_part_scan_size settings. |
| |
| New tflag "nosubject" for 'body' rules, to stop matching the Subject header |
| which is part of the body text. |
| |
| Two CVE security bug fixes are included in this release: |
| |
| CVE-2019-12420 for Multipart Denial of Service Vulnerability |
| |
| CVE-2018-11805 for nefarious CF files can be configured to |
| run system commands without any output or errors. |
| |
| Security updates include deprecation of the unsafe sa-update '--allowplugins' |
| option, which now prints a warning that '--reallyallowplugins' is required |
| to use it. |
| |
| New configuration options |
| ------------------------- |
| |
| A new subjprefix keyword used to add a prefix to the subject of the |
| email if a rule is matched. |
| |
| A new template tag _SUBJPREFIX_ that maps to the subject prefix that |
| has been added by the subjprefix keyword. |
| |
| A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that |
| hits with duplicated rules collapsed. |
| |
| A config option rbl_headers has been added to DNSEval plugin, |
| this option is used to specify in which headers check_rbl_headers |
| should check for content used to query the specified rbl. |
| |
| A new check_rbl_ns_from function has been added to check |
| the dns server of the from addrs domain name against a specific rbl. |
| |
| A new check_rbl_rcvd function has been added to check |
| all received headers domains or ip addresses against a |
| specific rbl. |
| |
| New options has been added to check_hashbl_emails function |
| has been added; it is now possible to specify in which headers |
| the function should check for content used to query the |
| specified rbl and an acl to filter the email addresses the rule |
| should apply. |
| |
| A new check_hashbl_bodyre function has been added, it is now possible |
| to search body for matching regexp and query the string captured |
| against the specified rbl. |
| |
| A new check_hashbl_uris function has been added, it is now possible |
| to match uris in email's body and query the uris against the |
| specified rbl. |
| |
| Notable Internal changes |
| ------------------------ |
| |
| None noted. |
| |
| Other updates |
| ------------- |
| |
| None noted. |
| |
| Optimizations |
| ------------- |
| |
| None noted. |
| |
| |
| Downloading and availability |
| ---------------------------- |
| |
| Downloads are available from: |
| |
| https://spamassassin.apache.org/downloads.cgi |
| |
| sha256sum of archive files: |
| |
| a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d Mail-SpamAssassin-3.4.3.tar.bz2 |
| bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8 Mail-SpamAssassin-3.4.3.tar.gz |
| 3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86 Mail-SpamAssassin-3.4.3.zip |
| d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9 Mail-SpamAssassin-rules-3.4.3.r1871124.tgz |
| |
| sha512sum of archive files: |
| |
| 4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0 Mail-SpamAssassin-3.4.3.tar.bz2 |
| d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a Mail-SpamAssassin-3.4.3.tar.gz |
| 608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14 Mail-SpamAssassin-3.4.3.zip |
| 2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f Mail-SpamAssassin-rules-3.4.3.r1871124.tgz |
| |
| Note that the *-rules-*.tgz files are only necessary if you cannot, |
| or do not wish to, run "sa-update" after install to download the latest |
| fresh rules. |
| |
| See the INSTALL and UPGRADE files in the distribution for important |
| installation notes. |
| |
| |
| GPG Verification Procedure |
| -------------------------- |
| The release files also have a .asc accompanying them. The file serves |
| as an external GPG signature for the given release file. The signing |
| key is available via the wwwkeys.pgp.net key server, as well as |
| https://www.apache.org/dist/spamassassin/KEYS |
| |
| |
| |
| The following key is used to sign releases after, and including SA 3.3.0: |
| |
| pub 4096R/F7D39814 2009-12-02 |
| Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814 |
| uid SpamAssassin Project Management Committee <private@spamassassin.apache.org> |
| uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <dev@spamassassin.apache.org> |
| sub 4096R/7B3265A5 2009-12-02 |
| |
| The following key is used to sign rule updates: |
| |
| pub 4096R/5244EC45 2005-12-20 |
| Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45 |
| uid updates.spamassassin.org Signing Key <release@spamassassin.org> |
| sub 4096R/24F434CE 2005-12-20 |
| |
| To verify a release file, download the file with the accompanying .asc |
| file and run the following commands: |
| |
| gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814 |
| gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc |
| gpg --fingerprint F7D39814 |
| |
| Then verify that the key matches the signature. |
| |
| Note that older versions of gnupg may not be able to complete the steps |
| above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11 |
| worked flawlessly. |
| |
| See https://www.apache.org/info/verification.html for more information |
| on verifying Apache releases. |
| |
| |
| About Apache SpamAssassin |
| ------------------------- |
| |
| Apache SpamAssassin is a mature, widely-deployed open source project |
| that serves as a mail filter to identify spam. SpamAssassin uses a |
| variety of mechanisms including mail header and text analysis, Bayesian |
| filtering, DNS blocklists, and collaborative filtering databases. In |
| addition, Apache SpamAssassin has a modular architecture that allows |
| other technologies to be quickly incorporated as an addition or as a |
| replacement for existing methods. |
| |
| Apache SpamAssassin typically runs on a server, classifies and labels |
| spam before it reaches your mailbox, while allowing other components of |
| a mail system to act on its results. |
| |
| Most of the Apache SpamAssassin is written in Perl, with heavily |
| traversed code paths carefully optimized. Benefits are portability, |
| robustness and facilitated maintenance. It can run on a wide variety of |
| POSIX platforms. |
| |
| The server and the Perl library feels at home on Unix and Linux platforms |
| and reportedly also works on MS Windows systems under ActivePerl. |
| |
| For more information, visit https://spamassassin.apache.org/ |
| |
| |
| About The Apache Software Foundation |
| ------------------------------------ |
| |
| Established in 1999, The Apache Software Foundation provides |
| organizational, legal, and financial support for more than 100 |
| freely-available, collaboratively-developed Open Source projects. The |
| pragmatic Apache License enables individual and commercial users to |
| easily deploy Apache software; the Foundation's intellectual property |
| framework limits the legal exposure of its 2,500+ contributors. |
| |
| For more information, visit https://www.apache.org/ |