Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-02-01 Thread Henrik K
I'd like to remind everyone not to use the --nogpg option for sa-update, especially if you keep using older vulnerable SA versions. There are many bad scripts and examples found with Google that use it for no real reason. If you use some third-party channel that does not PGP sign their rules, might
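A concrete form of the advice in that message, added here as an example (it is not code from the thread or from the SpamAssassin project): a POSIX sh helper that audits a script body for sa-update calls run with --nogpg, builds an sa-update argument list that keeps signature verification on by requiring a key ID per channel, and translates sa-update's exit status. The cron-script text, the channel name example-rules.invalid, the key file path and the key ID 0123456789ABCDEF are constructed placeholders; --channel, --gpgkey, --import and --nogpg are real sa-update options, and the exit-code meanings follow the EXIT CODES section of the sa-update man page.

```shell
#!/bin/sh
# Added example; not from the SpamAssassin project or the thread above.
# Keeps sa-update signature verification on and audits scripts that turn it off.

# Constructed sample of the kind of cron script the message warns about.
# The channel example-rules.invalid and the key ID are placeholders.
SAMPLE_SCRIPT='#!/bin/sh
# nightly rule refresh
sa-update --nogpg --channel updates.spamassassin.org
sa-update --channel example-rules.invalid --gpgkey 0123456789ABCDEF
'

# Count sa-update lines (read from stdin) that pass --nogpg, i.e. fetch rules
# with no signature check at all. Prints the count; 0 is the goal.
count_nogpg() {
    awk '/sa-update/ && /--nogpg/ { n++ } END { print n + 0 }'
}

# Build the argument list for one channel with verification enforced:
# the channel's own key ID is required, so a channel whose maintainer does
# not sign rules is refused rather than silently fetched unverified.
sa_update_args() {
    channel=$1
    keyid=$2
    [ -n "$channel" ] || return 2
    [ -n "$keyid" ] || return 3
    printf '%s' "--channel $channel --gpgkey $keyid"
}

# Import a channel's signing key from a local file obtained and checked out of
# band (fingerprint compared with the one the channel publishes), so the trust
# decision is made by the operator, not by whatever the download happens to serve.
import_key() {
    keyfile=$1
    [ -f "$keyfile" ] || return 1
    sa-update --import "$keyfile"
}

# Translate sa-update's exit status (sa-update(1), EXIT CODES) into a word.
explain_exit() {
    case $1 in
        0) echo updated ;;
        1) echo no-update ;;
        2) echo lint-failed ;;
        3) echo partial ;;
        *) echo error ;;
    esac
}

# Stand-alone run: audit the constructed sample and print the safe invocation.
# The key ID here is a placeholder; use the channel's published key in practice.
echo "unverified sa-update calls in sample: $(printf '%s' "$SAMPLE_SCRIPT" | count_nogpg)"
echo "safe invocation: sa-update $(sa_update_args updates.spamassassin.org 0123456789ABCDEF)"
# To actually update:  sa-update $(sa_update_args updates.spamassassin.org 0123456789ABCDEF)
#                      echo "result: $(explain_exit $?)"
```

To audit a real system, pipe each cron job or wrapper script into count_nogpg (for example `cat /etc/cron.daily/spamassassin | count_nogpg`) and treat any nonzero count as a finding; for a third-party channel, obtain its key file separately, verify the fingerprint against the channel's published one, run import_key once, and then always pass that key ID through sa_update_args so a rules tarball signed by any other key is rejected.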

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-31 Thread Matus UHLAR - fantomas
On Thu, 30 Jan 2020 11:00:32 +0100 Matus UHLAR - fantomas wrote: I use debian, and it uses GPG signatures. so I understand that sha-1 issue even less... On 1/30/2020 9:54 AM, RW wrote: It was a matter of Apache policy as I understand it. There were no security implications at all. Even if i

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-31 Thread Matus UHLAR - fantomas
Key to the issue is I fail to see how the highly intrusive security work done for 3.4.3 can possibly be backported.  On 30.01.20 16:31, Damian wrote: The Debian patches for CVE-2018-11805 and CVE-2019-12420 onto 3.4.2 are roughly 100kb in size. wow, I wonder if they are only to fix those two

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Chris
On Thu, 2020-01-30 at 15:05 -0800, John Hardin wrote: > On Thu, 30 Jan 2020, Matus UHLAR - fantomas wrote: > > > > > On 29.01.20 15:21, Kevin A. McGrail wrote: > > > > > Correct, it's a policy issue. ASF Projects must stop > > > > > providing SHA-1 > > > > > signatures and we negotiated that dead

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread John Hardin
On Thu, 30 Jan 2020, Matus UHLAR - fantomas wrote: On 29.01.20 15:21, Kevin A. McGrail wrote: >Correct, it's a policy issue. ASF Projects must stop providing SHA-1 >signatures and we negotiated that deadline. On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote: do you mea

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Damian
> Key to the issue is I fail to see how the highly intrusive security work > done for 3.4.3 can possibly be backported.  The Debian patches for CVE-2018-11805 and CVE-2019-12420 onto 3.4.2 are roughly 100kb in size.

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Alex Woick
Kevin A. McGrail wrote on 29.01.2020 at 20:12:   - Fix for CRLF handling with SpamAssMilter & DKIM Sorry that I didn't check and write about rc1, but I can confirm that for me, valid DKIM signatures are again detected as valid with the released 3.4.4. Many thanks! Alex

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Kevin A. McGrail
On 1/30/2020 9:54 AM, RW wrote: > On Thu, 30 Jan 2020 11:00:32 +0100 > Matus UHLAR - fantomas wrote: > On 29.01.20 15:21, Kevin A. McGrail wrote: >> I use debian, and it uses GPG signatures. so I understand that sha-1 >> issue even less... > It was a matter of Apache policy as I understand

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread RW
On Thu, 30 Jan 2020 11:00:32 +0100 Matus UHLAR - fantomas wrote: > >> On 29.01.20 15:21, Kevin A. McGrail wrote: > I use debian, and it uses GPG signatures. so I understand that sha-1 > issue even less... It was a matter of Apache policy as I understand it. There were no security implications

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Damian
> I use debian, and it uses GPG signatures.  so I understand that sha-1 > issue even less Which release do you worry about? Even oldoldstable is at 3.4.2, which should be fine according to > If you do not update to 3.4.2 or later, you will be stuck at the last > ruleset with SHA-1 signatures.

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Henrik K
On Thu, Jan 30, 2020 at 11:00:32AM +0100, Matus UHLAR - fantomas wrote: > >>On 29.01.20 15:21, Kevin A. McGrail wrote: > >>>Correct, it's a policy issue. ASF Projects must stop providing SHA-1 > >>>signatures and we negotiated that deadline. > > >On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UH

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Matus UHLAR - fantomas
On 29.01.20 15:21, Kevin A. McGrail wrote: >Correct, it's a policy issue. ASF Projects must stop providing SHA-1 >signatures and we negotiated that deadline. On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote: do you mean, not having updates is better than using sha-1? O

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Henrik K
On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote: > On 29.01.20 15:21, Kevin A. McGrail wrote: > >Correct, it's a policy issue. ASF Projects must stop providing SHA-1 > >signatures and we negotiated that deadline. > > do you mean, not having updates is better than using sha-

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Matus UHLAR - fantomas
On 29.01.20 15:21, Kevin A. McGrail wrote: Correct, it's a policy issue. ASF Projects must stop providing SHA-1 signatures and we negotiated that deadline. do you mean, not having updates is better than using sha-1? wouldn't clients supporting sha256 still use those over sha-1 or do you expec

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-29 Thread Kevin A. McGrail
Correct, it's a policy issue. ASF Projects must stop providing SHA-1 signatures and we negotiated that deadline. Regards, KAM -- Kevin A. McGrail Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Wed, Jan 29, 2020

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-29 Thread John Hardin
On Wed, 29 Jan 2020, Matus UHLAR - fantomas wrote: On 29.01.20 14:12, Kevin A. McGrail wrote: On behalf of the Apache SpamAssassin Project, I am pleased to announce version 3.4.4 is available. Release Notes -- Apache SpamAssassin -- Version 3.4.4 Introduction Apache SpamAssassin

Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-29 Thread Matus UHLAR - fantomas
On 29.01.20 14:12, Kevin A. McGrail wrote: On behalf of the Apache SpamAssassin Project, I am pleased to announce version 3.4.4 is available. Release Notes -- Apache SpamAssassin -- Version 3.4.4 Introduction Apache SpamAssassin 3.4.4 is primarily a security release. In this rele