build/announcements/3.4.2.txt - spamassassin - Git at Google

 To: users, dev, announce
 Subject: ANNOUNCE: Apache SpamAssassin 3.4.2 available

 Release Notes -- Apache SpamAssassin -- Version 3.4.2

 Introduction
 ------------

 Apache SpamAssassin 3.4.2 contains numerous tweaks and bug fixes over the
 past three and 1/2 years.  As we release 3.4.2, we are preparing 4.0.0 which
 will move us into a full UTF-8 environment.  We expect one final 3.4.3
 release.

 As with any release there are a number of functional patches, improvements as
 well as security reasons to upgrade to 3.4.2.  In this case we have over 3
 years of issues being resolved at once.  And we are laying thr groundwork for
 version 4.0 which is is designed to more natively handle UTF-8.

 However, there is one specific pressing reason to upgrade.  Specifically, we
 will stop producing SHA-1 signatures for rule updates.  This means that while
 we produce rule updates with the focus on them working for any release from
 v3.3.2 forward, they will start failing SHA-1 validation for sa-update.

 *** If you do not update to 3.4.2, you will be stuck at the last ruleset
     with SHA-1 signatures in the near future. ***

 Many thanks to the committers, contributors, rule testers, mass checkers,
 and code testers who have made this release possible.

 Thanks to David Jones for stepping up and helping us found our SpamAssassin
 SysAdmin's group.

 And thanks to cPanel for helping making this release possible and contributing
 to the continued development of SpamAssassin.  Please visit support.cpanel.net
 with any issues involving cPanel & WHM's integration with SpamAssassin.

 Notable features:
 =================

 New plugins
 -----------
 There are four new plugins added with this release:

   Mail::SpamAssassin::Plugin::HashBL

 The HashBL plugin is the interface to The Email Blocklist (EBL).
 The EBL is intended to filter spam that is sent from IP addresses
 and domains that cannot be blocked without causing significant
 numbers of false positives.

   Mail::SpamAssassin::Plugin::ResourceLimits

 This plugin leverages BSD::Resource to assure your spamd child processes
 do not exceed specified CPU or memory limit. If this happens, the child
 process will die. See the BSD::Resource for more details.

   Mail::SpamAssassin::Plugin::FromNameSpoof

 This plugin allows for detection of the From:name field being used to mislead
 recipients into thinking an email is from another address.  The man page
 includes examples and we expect to put test rules for this plugin into
 rulesrc soon!

   Mail::SpamAssassin::Plugin::Phishing

 This plugin finds uris used in phishing campaigns detected by
 OpenPhish (https://openphish.com) or PhishTank (https://phishtank.com) feeds.

 These plugins are disabled by default. To enable, uncomment
 the loadplugin configuration options in file v342.pre, or add it to
 some local .pre file such as local.pre .

 Notable changes
 ---------------

 For security reasons SSLv3 support has been removed from spamc(1).

 The spamd(1) daemon now is faster to start, thanks to code optimizations.

 Four CVE security bug fixes are included in this release for PDFInfo.pm and
 the SA core:
  CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

 In sa-update script, optional support for SHA-256 / SHA-512 in addition
 to or instead of SHA1 has been added for better validation of rules.
 See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614 for information
 on the end of SHA-1 signatures which will be the end of rule updates for
 releases prior to 3.4.2.

 Security updates include security improvements for TxRep, tmp file creation
 was hardened, the group list and setuid is hardened for spamd workers,
 eval tests have been hardened (Thanks to the cPanel Security Team!),
 a bug in earlier Perl versions that caused URIs to be skipped has been
 identified, and UTF-16 support is improved.

 GeoIP2 support has been added to RelayCountry and URILocalBL plugins due
 to GeoIP legacy API deprecations.

 New configuration options
 -------------------------

 A new template tag _DKIMSELECTOR_ that maps to the DKIM selector (the 's' tag)
 from valid signatures has been added.

 A 'uri_block_cont' option to URILocalBL plugin to score uris per continent has been added.
 Possible continent codes are:
 af, as, eu, na, oc, sa for Africa, Asia, Europe, North America,
 Oceania and South America.

 The 'country_db_type' and 'country_db_path' options has been added to be able
 to choose in RelayCountry plugin between GeoIP legacy
 (discontinued from 04/01/2018), GeoIP2, IP::Country::Fast
 and IP::Country::DB_File.
 GeoIP legacy is still the default option but it will be deprecated
 in future releases.

 A config option 'uri_country_db_path' has been added to be able to choose
 in URILocalBL plugin between GeoIP legacy and new GeoIP2 api.

 A config option 'resource_limit_cpu' (default: 0 or no limit) has been added
 to configure how many cpu cycles are allowed on a child process before it dies.

 A config option 'resource_limit_mem' (default: 0 or no limit) has been added
 to configure the maximum number of bytes of memory allowed both for
 (virtual) address space bytes and resident set size.

 A new config option 'report_wrap_width' (default: 70) has been added
 to set the wrap width for description lines in the X-Spam-Report header.

 Notable Internal changes
 ------------------------

 SpamAssassin can cope with new Net::DNS module versions.
 The "bytes" pragma has been remove from both core modules and plugins for
 better utf-8 compatibility, there has been also some other utf-8 related fixes.
 The spamc(1) client can now be build against OpenSSL 1.1.0.
 The test framework has been switched to Test::More module.

 Other updates
 -------------

 Documentation was updated or enhanced. Project's testing and evaluation
 hosts and tools running on the ASF infrastructure were updated.

 A list of top-level domains in registrar boundaries was updated.

 Optimizations
 -------------

 Faster startup of the SpamAssassin daemon.
 Spamc client now correctly free(3) all the memory it uses.

 Downloading and availability
 ----------------------------

 Downloads are available from:

 https://spamassassin.apache.org/downloads.cgi

 sha256sum of archive files:

   cf03045a4991752145eed007e75737f3e4c7f34cf225db411ce3fd359280e8da  Mail-SpamAssassin-3.4.2.tar.bz2
   8a1c139ee08f140d3d3fdf13e03d98cf68a5cae27a082c4a614d154565a3c34f  Mail-SpamAssassin-3.4.2.tar.gz
   c76841929fa53cf0adeb924797195c66da207ab6739553fd62634f94f2dcd875  Mail-SpamAssassin-3.4.2.zip
   8d481a2081f1e62a2579238f66b58d2124f7a2e9f3cfa3d4aa2b03fe7b0199bb  Mail-SpamAssassin-rules-3.4.2.r1840640.tgz

 sha512sum of archive files:

   fe3d9d1d7b9fed3063549afd071066729f1f4d998be91ded1e5afc29bb37c7a298dc5f8f99a282b75435d317b5b5072a81393134ccfe059a73d953e26a9c3885  Mail-SpamAssassin-3.4.2.tar.bz2
   85e3d78bb885ad1d0bf2066d1bc919d6ad5e9f86795069397e7c28cc1ba02870566ec014c08c81f68e7ed03b7f60d2de0b9730b3415b35d848abde2c8920a28f  Mail-SpamAssassin-3.4.2.tar.gz
   9545c1cd55c31f23ba8f8421f78306657a068004a27cab8cd094eb9bc7c8d94cdb4803089318f2c0cefb9b817fa3f1cfb7cb817913027c0c93b5d639937ee05c  Mail-SpamAssassin-3.4.2.zip
   38b5f4dc6e6776937e787123c265ecd9a0a2f60aca1b57d6ed4a8f78cf81550478eddd0829b1255e9e8ce64421e06cc13ae82f1a597e893b65f0d07ba8c53a7f  Mail-SpamAssassin-rules-3.4.2.r1840640.tgz

 Note that the *-rules-*.tgz files are only necessary if you cannot,
 or do not wish to, run "sa-update" after install to download the latest
 fresh rules.

 See the INSTALL and UPGRADE files in the distribution for important
 installation notes.


 GPG Verification Procedure
 --------------------------
 The release files also have a .asc accompanying them.  The file serves
 as an external GPG signature for the given release file.  The signing
 key is available via the wwwkeys.pgp.net key server, as well as
 https://www.apache.org/dist/spamassassin/KEYS

 The key information is:

 pub   4096R/F7D39814 2009-12-02
        Key fingerprint = D809 9BC7 9E17 D7E4 9BC2  1E31 FDE5 2F40 F7D3 9814
 uid                  SpamAssassin Project Management Committee <private@spamassassin.apache.org>
 uid                  SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <dev@spamassassin.apache.org>
 sub   4096R/7B3265A5 2009-12-02

 To verify a release file, download the file with the accompanying .asc
 file and run the following commands:

   gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
   gpg --verify Mail-SpamAssassin-3.4.1.tar.bz2.asc
   gpg --fingerprint F7D39814

 Then verify that the key matches the signature.

 Note that older versions of gnupg may not be able to complete the steps
 above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
 worked flawlessly.

 See https://www.apache.org/info/verification.html for more information
 on verifying Apache releases.


 About Apache SpamAssassin
 -------------------------

 Apache SpamAssassin is a mature, widely-deployed open source project
 that serves as a mail filter to identify spam. SpamAssassin uses a
 variety of mechanisms including mail header and text analysis, Bayesian
 filtering, DNS blocklists, and collaborative filtering databases. In
 addition, Apache SpamAssassin has a modular architecture that allows
 other technologies to be quickly incorporated as an addition or as a
 replacement for existing methods.

 Apache SpamAssassin typically runs on a server, classifies and labels
 spam before it reaches your mailbox, while allowing other components of
 a mail system to act on its results.

 Most of the Apache SpamAssassin is written in Perl, with heavily
 traversed code paths carefully optimized. Benefits are portability,
 robustness and facilitated maintenance. It can run on a wide variety of
 POSIX platforms.

 The server and the Perl library feels at home on Unix and Linux platforms
 and reportedly also works on MS Windows systems under ActivePerl.

 For more information, visit https://spamassassin.apache.org/


 About The Apache Software Foundation
 ------------------------------------

 Established in 1999, The Apache Software Foundation provides
 organizational, legal, and financial support for more than 100
 freely-available, collaboratively-developed Open Source projects. The
 pragmatic Apache License enables individual and commercial users to
 easily deploy Apache software; the Foundation's intellectual property
 framework limits the legal exposure of its 2,500+ contributors.

 For more information, visit https://www.apache.org/
	To: users, dev, announce
	Subject: ANNOUNCE: Apache SpamAssassin 3.4.2 available

	Release Notes -- Apache SpamAssassin -- Version 3.4.2

	Introduction
	------------

	Apache SpamAssassin 3.4.2 contains numerous tweaks and bug fixes over the
	past three and 1/2 years. As we release 3.4.2, we are preparing 4.0.0 which
	will move us into a full UTF-8 environment. We expect one final 3.4.3
	release.

	As with any release there are a number of functional patches, improvements as
	well as security reasons to upgrade to 3.4.2. In this case we have over 3
	years of issues being resolved at once. And we are laying thr groundwork for
	version 4.0 which is is designed to more natively handle UTF-8.

	However, there is one specific pressing reason to upgrade. Specifically, we
	will stop producing SHA-1 signatures for rule updates. This means that while
	we produce rule updates with the focus on them working for any release from
	v3.3.2 forward, they will start failing SHA-1 validation for sa-update.

	*** If you do not update to 3.4.2, you will be stuck at the last ruleset
	with SHA-1 signatures in the near future. ***

	Many thanks to the committers, contributors, rule testers, mass checkers,
	and code testers who have made this release possible.

	Thanks to David Jones for stepping up and helping us found our SpamAssassin
	SysAdmin's group.

	And thanks to cPanel for helping making this release possible and contributing
	to the continued development of SpamAssassin. Please visit support.cpanel.net
	with any issues involving cPanel & WHM's integration with SpamAssassin.

	Notable features:
	=================

	New plugins
	-----------
	There are four new plugins added with this release:

	Mail::SpamAssassin::Plugin::HashBL

	The HashBL plugin is the interface to The Email Blocklist (EBL).
	The EBL is intended to filter spam that is sent from IP addresses
	and domains that cannot be blocked without causing significant
	numbers of false positives.

	Mail::SpamAssassin::Plugin::ResourceLimits

	This plugin leverages BSD::Resource to assure your spamd child processes
	do not exceed specified CPU or memory limit. If this happens, the child
	process will die. See the BSD::Resource for more details.

	Mail::SpamAssassin::Plugin::FromNameSpoof

	This plugin allows for detection of the From:name field being used to mislead
	recipients into thinking an email is from another address. The man page
	includes examples and we expect to put test rules for this plugin into
	rulesrc soon!

	Mail::SpamAssassin::Plugin::Phishing

	This plugin finds uris used in phishing campaigns detected by
	OpenPhish (https://openphish.com) or PhishTank (https://phishtank.com) feeds.

	These plugins are disabled by default. To enable, uncomment
	the loadplugin configuration options in file v342.pre, or add it to
	some local .pre file such as local.pre .

	Notable changes
	---------------

	For security reasons SSLv3 support has been removed from spamc(1).

	The spamd(1) daemon now is faster to start, thanks to code optimizations.

	Four CVE security bug fixes are included in this release for PDFInfo.pm and
	the SA core:
	CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

	In sa-update script, optional support for SHA-256 / SHA-512 in addition
	to or instead of SHA1 has been added for better validation of rules.
	See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614 for information
	on the end of SHA-1 signatures which will be the end of rule updates for
	releases prior to 3.4.2.

	Security updates include security improvements for TxRep, tmp file creation
	was hardened, the group list and setuid is hardened for spamd workers,
	eval tests have been hardened (Thanks to the cPanel Security Team!),
	a bug in earlier Perl versions that caused URIs to be skipped has been
	identified, and UTF-16 support is improved.

	GeoIP2 support has been added to RelayCountry and URILocalBL plugins due
	to GeoIP legacy API deprecations.

	New configuration options
	-------------------------

	A new template tag _DKIMSELECTOR_ that maps to the DKIM selector (the 's' tag)
	from valid signatures has been added.

	A 'uri_block_cont' option to URILocalBL plugin to score uris per continent has been added.
	Possible continent codes are:
	af, as, eu, na, oc, sa for Africa, Asia, Europe, North America,
	Oceania and South America.

	The 'country_db_type' and 'country_db_path' options has been added to be able
	to choose in RelayCountry plugin between GeoIP legacy
	(discontinued from 04/01/2018), GeoIP2, IP::Country::Fast
	and IP::Country::DB_File.
	GeoIP legacy is still the default option but it will be deprecated
	in future releases.

	A config option 'uri_country_db_path' has been added to be able to choose
	in URILocalBL plugin between GeoIP legacy and new GeoIP2 api.

	A config option 'resource_limit_cpu' (default: 0 or no limit) has been added
	to configure how many cpu cycles are allowed on a child process before it dies.

	A config option 'resource_limit_mem' (default: 0 or no limit) has been added
	to configure the maximum number of bytes of memory allowed both for
	(virtual) address space bytes and resident set size.

	A new config option 'report_wrap_width' (default: 70) has been added
	to set the wrap width for description lines in the X-Spam-Report header.

	Notable Internal changes
	------------------------

	SpamAssassin can cope with new Net::DNS module versions.
	The "bytes" pragma has been remove from both core modules and plugins for
	better utf-8 compatibility, there has been also some other utf-8 related fixes.
	The spamc(1) client can now be build against OpenSSL 1.1.0.
	The test framework has been switched to Test::More module.

	Other updates
	-------------

	Documentation was updated or enhanced. Project's testing and evaluation
	hosts and tools running on the ASF infrastructure were updated.

	A list of top-level domains in registrar boundaries was updated.

	Optimizations
	-------------

	Faster startup of the SpamAssassin daemon.
	Spamc client now correctly free(3) all the memory it uses.

	Downloading and availability
	----------------------------

	Downloads are available from:

	https://spamassassin.apache.org/downloads.cgi

	sha256sum of archive files:

	cf03045a4991752145eed007e75737f3e4c7f34cf225db411ce3fd359280e8da Mail-SpamAssassin-3.4.2.tar.bz2
	8a1c139ee08f140d3d3fdf13e03d98cf68a5cae27a082c4a614d154565a3c34f Mail-SpamAssassin-3.4.2.tar.gz
	c76841929fa53cf0adeb924797195c66da207ab6739553fd62634f94f2dcd875 Mail-SpamAssassin-3.4.2.zip
	8d481a2081f1e62a2579238f66b58d2124f7a2e9f3cfa3d4aa2b03fe7b0199bb Mail-SpamAssassin-rules-3.4.2.r1840640.tgz

	sha512sum of archive files:

	fe3d9d1d7b9fed3063549afd071066729f1f4d998be91ded1e5afc29bb37c7a298dc5f8f99a282b75435d317b5b5072a81393134ccfe059a73d953e26a9c3885 Mail-SpamAssassin-3.4.2.tar.bz2
	85e3d78bb885ad1d0bf2066d1bc919d6ad5e9f86795069397e7c28cc1ba02870566ec014c08c81f68e7ed03b7f60d2de0b9730b3415b35d848abde2c8920a28f Mail-SpamAssassin-3.4.2.tar.gz
	9545c1cd55c31f23ba8f8421f78306657a068004a27cab8cd094eb9bc7c8d94cdb4803089318f2c0cefb9b817fa3f1cfb7cb817913027c0c93b5d639937ee05c Mail-SpamAssassin-3.4.2.zip
	38b5f4dc6e6776937e787123c265ecd9a0a2f60aca1b57d6ed4a8f78cf81550478eddd0829b1255e9e8ce64421e06cc13ae82f1a597e893b65f0d07ba8c53a7f Mail-SpamAssassin-rules-3.4.2.r1840640.tgz

	Note that the -rules-.tgz files are only necessary if you cannot,
	or do not wish to, run "sa-update" after install to download the latest
	fresh rules.

	See the INSTALL and UPGRADE files in the distribution for important
	installation notes.


	GPG Verification Procedure
	--------------------------
	The release files also have a .asc accompanying them. The file serves
	as an external GPG signature for the given release file. The signing
	key is available via the wwwkeys.pgp.net key server, as well as
	https://www.apache.org/dist/spamassassin/KEYS

	The key information is:

	pub 4096R/F7D39814 2009-12-02
	Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
	uid SpamAssassin Project Management Committee <private@spamassassin.apache.org>
	uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <dev@spamassassin.apache.org>
	sub 4096R/7B3265A5 2009-12-02

	To verify a release file, download the file with the accompanying .asc
	file and run the following commands:

	gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
	gpg --verify Mail-SpamAssassin-3.4.1.tar.bz2.asc
	gpg --fingerprint F7D39814

	Then verify that the key matches the signature.

	Note that older versions of gnupg may not be able to complete the steps
	above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
	worked flawlessly.

	See https://www.apache.org/info/verification.html for more information
	on verifying Apache releases.


	About Apache SpamAssassin
	-------------------------

	Apache SpamAssassin is a mature, widely-deployed open source project
	that serves as a mail filter to identify spam. SpamAssassin uses a
	variety of mechanisms including mail header and text analysis, Bayesian
	filtering, DNS blocklists, and collaborative filtering databases. In
	addition, Apache SpamAssassin has a modular architecture that allows
	other technologies to be quickly incorporated as an addition or as a
	replacement for existing methods.

	Apache SpamAssassin typically runs on a server, classifies and labels
	spam before it reaches your mailbox, while allowing other components of
	a mail system to act on its results.

	Most of the Apache SpamAssassin is written in Perl, with heavily
	traversed code paths carefully optimized. Benefits are portability,
	robustness and facilitated maintenance. It can run on a wide variety of
	POSIX platforms.

	The server and the Perl library feels at home on Unix and Linux platforms
	and reportedly also works on MS Windows systems under ActivePerl.

	For more information, visit https://spamassassin.apache.org/


	About The Apache Software Foundation
	------------------------------------

	Established in 1999, The Apache Software Foundation provides
	organizational, legal, and financial support for more than 100
	freely-available, collaboratively-developed Open Source projects. The
	pragmatic Apache License enables individual and commercial users to
	easily deploy Apache software; the Foundation's intellectual property
	framework limits the legal exposure of its 2,500+ contributors.

	For more information, visit https://www.apache.org/