| To: users, dev, announce |
| Subject: ANNOUNCE: Apache SpamAssassin 3.4.2 available |
| |
| Release Notes -- Apache SpamAssassin -- Version 3.4.2 |
| |
| Introduction |
| ------------ |
| |
| Apache SpamAssassin 3.4.2 contains numerous tweaks and bug fixes over the |
| past three and 1/2 years. As we release 3.4.2, we are preparing 4.0.0 which |
| will move us into a full UTF-8 environment. We expect one final 3.4.3 |
| release. |
| |
| As with any release there are a number of functional patches, improvements as |
| well as security reasons to upgrade to 3.4.2. In this case we have over 3 |
| years of issues being resolved at once. And we are laying thr groundwork for |
| version 4.0 which is is designed to more natively handle UTF-8. |
| |
| However, there is one specific pressing reason to upgrade. Specifically, we |
| will stop producing SHA-1 signatures for rule updates. This means that while |
| we produce rule updates with the focus on them working for any release from |
| v3.3.2 forward, they will start failing SHA-1 validation for sa-update. |
| |
| *** If you do not update to 3.4.2, you will be stuck at the last ruleset |
| with SHA-1 signatures in the near future. *** |
| |
| Many thanks to the committers, contributors, rule testers, mass checkers, |
| and code testers who have made this release possible. |
| |
| Thanks to David Jones for stepping up and helping us found our SpamAssassin |
| SysAdmin's group. |
| |
| And thanks to cPanel for helping making this release possible and contributing |
| to the continued development of SpamAssassin. Please visit support.cpanel.net |
| with any issues involving cPanel & WHM's integration with SpamAssassin. |
| |
| Notable features: |
| ================= |
| |
| New plugins |
| ----------- |
| There are four new plugins added with this release: |
| |
| Mail::SpamAssassin::Plugin::HashBL |
| |
| The HashBL plugin is the interface to The Email Blocklist (EBL). |
| The EBL is intended to filter spam that is sent from IP addresses |
| and domains that cannot be blocked without causing significant |
| numbers of false positives. |
| |
| Mail::SpamAssassin::Plugin::ResourceLimits |
| |
| This plugin leverages BSD::Resource to assure your spamd child processes |
| do not exceed specified CPU or memory limit. If this happens, the child |
| process will die. See the BSD::Resource for more details. |
| |
| Mail::SpamAssassin::Plugin::FromNameSpoof |
| |
| This plugin allows for detection of the From:name field being used to mislead |
| recipients into thinking an email is from another address. The man page |
| includes examples and we expect to put test rules for this plugin into |
| rulesrc soon! |
| |
| Mail::SpamAssassin::Plugin::Phishing |
| |
| This plugin finds uris used in phishing campaigns detected by |
| OpenPhish (https://openphish.com) or PhishTank (https://phishtank.com) feeds. |
| |
| These plugins are disabled by default. To enable, uncomment |
| the loadplugin configuration options in file v342.pre, or add it to |
| some local .pre file such as local.pre . |
| |
| Notable changes |
| --------------- |
| |
| For security reasons SSLv3 support has been removed from spamc(1). |
| |
| The spamd(1) daemon now is faster to start, thanks to code optimizations. |
| |
| Four CVE security bug fixes are included in this release for PDFInfo.pm and |
| the SA core: |
| CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781 |
| |
| In sa-update script, optional support for SHA-256 / SHA-512 in addition |
| to or instead of SHA1 has been added for better validation of rules. |
| See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614 for information |
| on the end of SHA-1 signatures which will be the end of rule updates for |
| releases prior to 3.4.2. |
| |
| Security updates include security improvements for TxRep, tmp file creation |
| was hardened, the group list and setuid is hardened for spamd workers, |
| eval tests have been hardened (Thanks to the cPanel Security Team!), |
| a bug in earlier Perl versions that caused URIs to be skipped has been |
| identified, and UTF-16 support is improved. |
| |
| GeoIP2 support has been added to RelayCountry and URILocalBL plugins due |
| to GeoIP legacy API deprecations. |
| |
| New configuration options |
| ------------------------- |
| |
| A new template tag _DKIMSELECTOR_ that maps to the DKIM selector (the 's' tag) |
| from valid signatures has been added. |
| |
| A 'uri_block_cont' option to URILocalBL plugin to score uris per continent has been added. |
| Possible continent codes are: |
| af, as, eu, na, oc, sa for Africa, Asia, Europe, North America, |
| Oceania and South America. |
| |
| The 'country_db_type' and 'country_db_path' options has been added to be able |
| to choose in RelayCountry plugin between GeoIP legacy |
| (discontinued from 04/01/2018), GeoIP2, IP::Country::Fast |
| and IP::Country::DB_File. |
| GeoIP legacy is still the default option but it will be deprecated |
| in future releases. |
| |
| A config option 'uri_country_db_path' has been added to be able to choose |
| in URILocalBL plugin between GeoIP legacy and new GeoIP2 api. |
| |
| A config option 'resource_limit_cpu' (default: 0 or no limit) has been added |
| to configure how many cpu cycles are allowed on a child process before it dies. |
| |
| A config option 'resource_limit_mem' (default: 0 or no limit) has been added |
| to configure the maximum number of bytes of memory allowed both for |
| (virtual) address space bytes and resident set size. |
| |
| A new config option 'report_wrap_width' (default: 70) has been added |
| to set the wrap width for description lines in the X-Spam-Report header. |
| |
| Notable Internal changes |
| ------------------------ |
| |
| SpamAssassin can cope with new Net::DNS module versions. |
| The "bytes" pragma has been remove from both core modules and plugins for |
| better utf-8 compatibility, there has been also some other utf-8 related fixes. |
| The spamc(1) client can now be build against OpenSSL 1.1.0. |
| The test framework has been switched to Test::More module. |
| |
| Other updates |
| ------------- |
| |
| Documentation was updated or enhanced. Project's testing and evaluation |
| hosts and tools running on the ASF infrastructure were updated. |
| |
| A list of top-level domains in registrar boundaries was updated. |
| |
| Optimizations |
| ------------- |
| |
| Faster startup of the SpamAssassin daemon. |
| Spamc client now correctly free(3) all the memory it uses. |
| |
| Downloading and availability |
| ---------------------------- |
| |
| Downloads are available from: |
| |
| https://spamassassin.apache.org/downloads.cgi |
| |
| sha256sum of archive files: |
| |
| cf03045a4991752145eed007e75737f3e4c7f34cf225db411ce3fd359280e8da Mail-SpamAssassin-3.4.2.tar.bz2 |
| 8a1c139ee08f140d3d3fdf13e03d98cf68a5cae27a082c4a614d154565a3c34f Mail-SpamAssassin-3.4.2.tar.gz |
| c76841929fa53cf0adeb924797195c66da207ab6739553fd62634f94f2dcd875 Mail-SpamAssassin-3.4.2.zip |
| 8d481a2081f1e62a2579238f66b58d2124f7a2e9f3cfa3d4aa2b03fe7b0199bb Mail-SpamAssassin-rules-3.4.2.r1840640.tgz |
| |
| sha512sum of archive files: |
| |
| fe3d9d1d7b9fed3063549afd071066729f1f4d998be91ded1e5afc29bb37c7a298dc5f8f99a282b75435d317b5b5072a81393134ccfe059a73d953e26a9c3885 Mail-SpamAssassin-3.4.2.tar.bz2 |
| 85e3d78bb885ad1d0bf2066d1bc919d6ad5e9f86795069397e7c28cc1ba02870566ec014c08c81f68e7ed03b7f60d2de0b9730b3415b35d848abde2c8920a28f Mail-SpamAssassin-3.4.2.tar.gz |
| 9545c1cd55c31f23ba8f8421f78306657a068004a27cab8cd094eb9bc7c8d94cdb4803089318f2c0cefb9b817fa3f1cfb7cb817913027c0c93b5d639937ee05c Mail-SpamAssassin-3.4.2.zip |
| 38b5f4dc6e6776937e787123c265ecd9a0a2f60aca1b57d6ed4a8f78cf81550478eddd0829b1255e9e8ce64421e06cc13ae82f1a597e893b65f0d07ba8c53a7f Mail-SpamAssassin-rules-3.4.2.r1840640.tgz |
| |
| Note that the *-rules-*.tgz files are only necessary if you cannot, |
| or do not wish to, run "sa-update" after install to download the latest |
| fresh rules. |
| |
| See the INSTALL and UPGRADE files in the distribution for important |
| installation notes. |
| |
| |
| GPG Verification Procedure |
| -------------------------- |
| The release files also have a .asc accompanying them. The file serves |
| as an external GPG signature for the given release file. The signing |
| key is available via the wwwkeys.pgp.net key server, as well as |
| https://www.apache.org/dist/spamassassin/KEYS |
| |
| The key information is: |
| |
| pub 4096R/F7D39814 2009-12-02 |
| Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814 |
| uid SpamAssassin Project Management Committee <private@spamassassin.apache.org> |
| uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <dev@spamassassin.apache.org> |
| sub 4096R/7B3265A5 2009-12-02 |
| |
| To verify a release file, download the file with the accompanying .asc |
| file and run the following commands: |
| |
| gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814 |
| gpg --verify Mail-SpamAssassin-3.4.1.tar.bz2.asc |
| gpg --fingerprint F7D39814 |
| |
| Then verify that the key matches the signature. |
| |
| Note that older versions of gnupg may not be able to complete the steps |
| above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11 |
| worked flawlessly. |
| |
| See https://www.apache.org/info/verification.html for more information |
| on verifying Apache releases. |
| |
| |
| About Apache SpamAssassin |
| ------------------------- |
| |
| Apache SpamAssassin is a mature, widely-deployed open source project |
| that serves as a mail filter to identify spam. SpamAssassin uses a |
| variety of mechanisms including mail header and text analysis, Bayesian |
| filtering, DNS blocklists, and collaborative filtering databases. In |
| addition, Apache SpamAssassin has a modular architecture that allows |
| other technologies to be quickly incorporated as an addition or as a |
| replacement for existing methods. |
| |
| Apache SpamAssassin typically runs on a server, classifies and labels |
| spam before it reaches your mailbox, while allowing other components of |
| a mail system to act on its results. |
| |
| Most of the Apache SpamAssassin is written in Perl, with heavily |
| traversed code paths carefully optimized. Benefits are portability, |
| robustness and facilitated maintenance. It can run on a wide variety of |
| POSIX platforms. |
| |
| The server and the Perl library feels at home on Unix and Linux platforms |
| and reportedly also works on MS Windows systems under ActivePerl. |
| |
| For more information, visit https://spamassassin.apache.org/ |
| |
| |
| About The Apache Software Foundation |
| ------------------------------------ |
| |
| Established in 1999, The Apache Software Foundation provides |
| organizational, legal, and financial support for more than 100 |
| freely-available, collaboratively-developed Open Source projects. The |
| pragmatic Apache License enables individual and commercial users to |
| easily deploy Apache software; the Foundation's intellectual property |
| framework limits the legal exposure of its 2,500+ contributors. |
| |
| For more information, visit https://www.apache.org/ |