Hello all, The Apache SpamAssassin 3.4.2 release candidate 1 files are available at http://talon2.pccc.com/~kmcgrail/devel/
The Project Management Committee believes these are release worthy and invites you to give feedback to prepare a full release in the imminent future. The Release Notes as they stand today are included below. Regards, KAM Release Notes -- Apache SpamAssassin -- Version 3.4.2 Introduction ------------ Apache SpamAssassin 3.4.2 contains numerous tweaks and bug fixes over the past three and 1/2 years. As we release 3.4.2, we are preparing 4.0.0 which will move us into a full UTF-8 environment. We expect one final 3.4.3 release. As with any release there are a number of functional patches, improvements as well as security reasons to upgrade to 3.4.2. In this case we have over 3 years of issues being resolved at once. And we are laying thr groundwork for version 4.0 which is is designed to more natively handle UTF-8. However, there is one specific pressing reason to upgrade. Specifically, we will stop producing SHA-1 signatures for rule updates. This means that while we produce rule updates with the focus on them working for any release from v3.3.2 forward, they will start failing SHA-1 validation for sa-update. *** If you do not update to 3.4.2, you will be stuck at the last ruleset with SHA-1 signatures in the near future. *** Many thanks to the committers, contributors, rule testers, mass checkers, and code testers who have made this release possible. Thanks to David Jones for stepping up and helping us found our SpamAssassin SysAdmin's group. And thanks to cPanel for helping making this release possible and contributing to the continued development of SpamAssassin. Please visit support.cpanel.net with any issues involving cPanel & WHM's integration with SpamAssassin. Notable features: ================= New plugins ----------- There are four new plugins added with this release: Mail::SpamAssassin::Plugin::HashBL The HashBL plugin is the interface to The Email Blocklist (EBL). The EBL is intended to filter spam that is sent from IP addresses and domains that cannot be blocked without causing significant numbers of false positives. Mail::SpamAssassin::Plugin::ResourceLimits This plugin leverages BSD::Resource to assure your spamd child processes do not exceed specified CPU or memory limit. If this happens, the child process will die. See the BSD::Resource for more details. Mail::SpamAssassin::Plugin::FromNameSpoof This plugin allows for detection of the From:name field being used to mislead recipients into thinking an email is from another address. The man page includes examples and we expect to put test rules for this plugin into rulesrc soon! Mail::SpamAssassin::Plugin::Phishing This plugin finds uris used in phishing campaigns detected by OpenPhish (https://openphish.com) or PhishTank (https://phishtank.com) feeds. These plugins are disabled by default. To enable, uncomment the loadplugin configuration options in file v342.pre, or add it to some local .pre file such as local.pre . Notable changes --------------- For security reasons SSLv3 support has been removed from spamc(1). The spamd(1) daemon now is faster to start, thanks to code optimizations. Four CVE security bugs are included in this release for PDFInfo.pm and the SA core: CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781 In sa-update script, optional support for SHA-256 / SHA-512 in addition to or instead of SHA1 has been added for better validation of rules. See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614 for information on the end of SHA-1 signatures which will be the end of rule updates for releases prior to 3.4.2. Security updates include security improvements for TxRep, tmp file creation was hardened, the group list and setuid is hardened for spamd workers, eval tests have been hardened (Thanks to the cPanel Security Team!), a bug in earlier Perl versions that caused URIs to be skipped has been identified, and UTF-16 support is improved. GeoIP2 support has been added to RelayCountry and URILocalBL plugins due to GeoIP legacy API deprecations. New configuration options ------------------------- A new template tag _DKIMSELECTOR_ that maps to the DKIM selector (the 's' tag) from valid signatures has been added. A 'uri_block_cont' option to URILocalBL plugin to score uris per continent has been added. Possible continent codes are: af, as, eu, na, oc, sa for Africa, Asia, Europe, North America, Oceania and South America. The 'country_db_type' and 'country_db_path' options has been added to be able to choose in RelayCountry plugin between GeoIP legacy (discontinued from 04/01/2018), GeoIP2, IP::Country::Fast and IP::Country::DB_File. GeoIP legacy is still the default option but it will be deprecated in future releases. A config option 'uri_country_db_path' has been added to be able to choose in URILocalBL plugin between GeoIP legacy and new GeoIP2 api. A config option 'resource_limit_cpu' (default: 0 or no limit) has been added to configure how many cpu cycles are allowed on a child process before it dies. A config option 'resource_limit_mem' (default: 0 or no limit) has been added to configure the maximum number of bytes of memory allowed both for (virtual) address space bytes and resident set size. A new config option 'report_wrap_width' (default: 70) has been added to set the wrap width for description lines in the X-Spam-Report header. Notable Internal changes ------------------------ SpamAssassin can cope with new Net::DNS module versions. The "bytes" pragma has been remove from both core modules and plugins for better utf-8 compatibility, there has been also some other utf-8 related fixes. The spamc(1) client can now be build against OpenSSL 1.1.0. The test framework has been switched to Test::More module. Other updates ------------- Documentation was updated or enhanced. Project's testing and evaluation hosts and tools running on the ASF infrastructure were updated. A list of top-level domains in registrar boundaries was updated. Optimizations ------------- Faster startup of the SpamAssassin daemon. Spamc client now correctly free(3) all the memory it uses. Downloading and availability ---------------------------- Downloads are available from: http://spamassassin.apache.org/downloads.cgi sha256sum of archive files: a2d9fd2376fef3364d43e406ae735a47d5e54d0f6eb10e23374fc39bd4a2b596 Mail-SpamAssassin-3.4.2-rc1.tar.bz2 1685868d5b92b53c9c8f2719289855747c9dfe597cae2e9b0a12a0cdfa1d4837 Mail-SpamAssassin-3.4.2-rc1.tar.gz ff83da73c2c033975a376fda6657bec9251674cf969204a77a03a46e525e0a98 Mail-SpamAssassin-3.4.2-rc1.zip 30acaa486faa6b8106878d4c30f13506112dd3f20200ae1424fbef232c03813f Mail-SpamAssassin-rules-3.4.2-rc1.r1840278.tgz sha512sum of archive files: 45e343c33d28083e71a673bad35ff4487044f24df7e3f12c1a217b70e53304536756591ff7fe37dff42a00c20e3deb80173fc14ac8ae8b67ce61dc7987b787ff Mail-SpamAssassin-3.4.2-rc1.tar.bz2 7e68ac29ed8b302421eb1818e051f2f8e1cabc6f9c8c177ea4973e563a5aa2010f26bbfb776f9b7c771000ebef36cbaf9174c8b930620c8656c119d8c0983535 Mail-SpamAssassin-3.4.2-rc1.tar.gz ac307580c81be8727d31a50a435db0f628308f6058a66c26e85abc6f7fab1ddae333ac95fb969db942e90867fce6b969a8f232a55af6ee6ac9d4810fedc07750 Mail-SpamAssassin-3.4.2-rc1.zip 092032fd73223a9abb35c1940971e06a57096455e28f7ec6d5fa8e6dabe669c573fff6fdf022a7eaf25f6ddc6b1c32592baf3c435a8accf2855a2a1935aa8df2 Mail-SpamAssassin-rules-3.4.2-rc1.r1840278.tgz Note that the *-rules-*.tar.gz files are only necessary if you cannot, or do not wish to, run "sa-update" after install to download the latest fresh rules. See the INSTALL and UPGRADE files in the distribution for important installation notes. GPG Verification Procedure -------------------------- The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net key server, as well as http://www.apache.org/dist/spamassassin/KEYS The key information is: pub 4096R/F7D39814 2009-12-02 Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814 uid SpamAssassin Project Management Committee <priv...@spamassassin.apache.org> uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <d...@spamassassin.apache.org> sub 4096R/7B3265A5 2009-12-02 To verify a release file, download the file with the accompanying .asc file and run the following commands: gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814 gpg --verify Mail-SpamAssassin-3.4.1.tar.bz2.asc gpg --fingerprint F7D39814 Then verify that the key matches the signature. Note that older versions of gnupg may not be able to complete the steps above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11 worked flawlessly. See http://www.apache.org/info/verification.html for more information on verifying Apache releases. About Apache SpamAssassin ------------------------- Apache SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify spam. SpamAssassin uses a variety of mechanisms including mail header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. In addition, Apache SpamAssassin has a modular architecture that allows other technologies to be quickly incorporated as an addition or as a replacement for existing methods. Apache SpamAssassin typically runs on a server, classifies and labels spam before it reaches your mailbox, while allowing other components of a mail system to act on its results. Most of the Apache SpamAssassin is written in Perl, with heavily traversed code paths carefully optimized. Benefits are portability, robustness and facilitated maintenance. It can run on a wide variety of POSIX platforms. The server and the Perl library feels at home on Unix and Linux platforms and reportedly also works on MS Windows systems under ActivePerl. For more information, visit http://spamassassin.apache.org/ About The Apache Software Foundation ------------------------------------ Established in 1999, The Apache Software Foundation provides organizational, legal, and financial support for more than 100 freely-available, collaboratively-developed Open Source projects. The pragmatic Apache License enables individual and commercial users to easily deploy Apache software; the Foundation's intellectual property framework limits the legal exposure of its 2,500+ contributors. For more information, visit http://www.apache.org/
