Thank you for gr8 software. El El dom, sep. 16, 2018 a las 9:03 a. m., Kevin A. McGrail < kmcgr...@apache.org> escribió:
> Good Morning, > > On behalf of the Apache SpamAssassin Project Management Committee, I am > very pleased to announce the release of Apache SpamAssassin v3.4.2. > This release contains security bug fixes. A security announcement will > follow within the next 24 hours. > > Apache SpamAssassin can be downloaded from > https://spamassassin.apache.org/downloads.cgi and via cpan > (Mail::SpamAssassin). > > Our project website is https://spamassassin.apache.org/ > > Our DOAP is available at https://spamassassin.apache.org/doap.rdf > > Questions? Please post on our Users mailing list. More information on > joining our mailing lists is available at > https://wiki.apache.org/spamassassin/MailingLists > > -KAM > > > Release Notes -- Apache SpamAssassin -- Version 3.4.2 > > Introduction > ------------ > > Apache SpamAssassin 3.4.2 contains numerous tweaks and bug fixes over the > past three and 1/2 years. As we release 3.4.2, we are preparing 4.0.0 > which > will move us into a full UTF-8 environment. We expect one final 3.4.3 > release. > > As with any release there are a number of functional patches, > improvements as > well as security reasons to upgrade to 3.4.2. In this case we have over 3 > years of issues being resolved at once. And we are laying thr > groundwork for > version 4.0 which is is designed to more natively handle UTF-8. > > However, there is one specific pressing reason to upgrade. > Specifically, we > will stop producing SHA-1 signatures for rule updates. This means that > while > we produce rule updates with the focus on them working for any release from > v3.3.2 forward, they will start failing SHA-1 validation for sa-update. > > *** If you do not update to 3.4.2, you will be stuck at the last ruleset > with SHA-1 signatures in the near future. *** > > Many thanks to the committers, contributors, rule testers, mass checkers, > and code testers who have made this release possible. > > Thanks to David Jones for stepping up and helping us found our SpamAssassin > SysAdmin's group. > > And thanks to cPanel for helping making this release possible and > contributing > to the continued development of SpamAssassin. Please visit > support.cpanel.net > with any issues involving cPanel & WHM's integration with SpamAssassin. > > Notable features: > ================= > > New plugins > ----------- > There are four new plugins added with this release: > > Mail::SpamAssassin::Plugin::HashBL > > The HashBL plugin is the interface to The Email Blocklist (EBL). > The EBL is intended to filter spam that is sent from IP addresses > and domains that cannot be blocked without causing significant > numbers of false positives. > > Mail::SpamAssassin::Plugin::ResourceLimits > > This plugin leverages BSD::Resource to assure your spamd child processes > do not exceed specified CPU or memory limit. If this happens, the child > process will die. See the BSD::Resource for more details. > > Mail::SpamAssassin::Plugin::FromNameSpoof > > This plugin allows for detection of the From:name field being used to > mislead > recipients into thinking an email is from another address. The man page > includes examples and we expect to put test rules for this plugin into > rulesrc soon! > > Mail::SpamAssassin::Plugin::Phishing > > This plugin finds uris used in phishing campaigns detected by > OpenPhish (https://openphish.com) or PhishTank (https://phishtank.com) > feeds. > > These plugins are disabled by default. To enable, uncomment > the loadplugin configuration options in file v342.pre, or add it to > some local .pre file such as local.pre . > > Notable changes > --------------- > > For security reasons SSLv3 support has been removed from spamc(1). > > The spamd(1) daemon now is faster to start, thanks to code optimizations. > > Four CVE security bug fixes are included in this release for PDFInfo.pm and > the SA core: > CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781 > > In sa-update script, optional support for SHA-256 / SHA-512 in addition > to or instead of SHA1 has been added for better validation of rules. > See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614 for > information > on the end of SHA-1 signatures which will be the end of rule updates for > releases prior to 3.4.2. > > Security updates include security improvements for TxRep, tmp file creation > was hardened, the group list and setuid is hardened for spamd workers, > eval tests have been hardened (Thanks to the cPanel Security Team!), > a bug in earlier Perl versions that caused URIs to be skipped has been > identified, and UTF-16 support is improved. > > GeoIP2 support has been added to RelayCountry and URILocalBL plugins due > to GeoIP legacy API deprecations. > > New configuration options > ------------------------- > > A new template tag _DKIMSELECTOR_ that maps to the DKIM selector (the > 's' tag) > from valid signatures has been added. > > A 'uri_block_cont' option to URILocalBL plugin to score uris per > continent has been added. > Possible continent codes are: > af, as, eu, na, oc, sa for Africa, Asia, Europe, North America, > Oceania and South America. > > The 'country_db_type' and 'country_db_path' options has been added to be > able > to choose in RelayCountry plugin between GeoIP legacy > (discontinued from 04/01/2018), GeoIP2, IP::Country::Fast > and IP::Country::DB_File. > GeoIP legacy is still the default option but it will be deprecated > in future releases. > > A config option 'uri_country_db_path' has been added to be able to choose > in URILocalBL plugin between GeoIP legacy and new GeoIP2 api. > > A config option 'resource_limit_cpu' (default: 0 or no limit) has been > added > to configure how many cpu cycles are allowed on a child process before > it dies. > > A config option 'resource_limit_mem' (default: 0 or no limit) has been > added > to configure the maximum number of bytes of memory allowed both for > (virtual) address space bytes and resident set size. > > A new config option 'report_wrap_width' (default: 70) has been added > to set the wrap width for description lines in the X-Spam-Report header. > > Notable Internal changes > ------------------------ > > SpamAssassin can cope with new Net::DNS module versions. > The "bytes" pragma has been remove from both core modules and plugins for > better utf-8 compatibility, there has been also some other utf-8 related > fixes. > The spamc(1) client can now be build against OpenSSL 1.1.0. > The test framework has been switched to Test::More module. > > Other updates > ------------- > > Documentation was updated or enhanced. Project's testing and evaluation > hosts and tools running on the ASF infrastructure were updated. > > A list of top-level domains in registrar boundaries was updated. > > Optimizations > ------------- > > Faster startup of the SpamAssassin daemon. > Spamc client now correctly free(3) all the memory it uses. > > Downloading and availability > ---------------------------- > > Downloads are available from: > > https://spamassassin.apache.org/downloads.cgi > > sha256sum of archive files: > > cf03045a4991752145eed007e75737f3e4c7f34cf225db411ce3fd359280e8da > Mail-SpamAssassin-3.4.2.tar.bz2 > 8a1c139ee08f140d3d3fdf13e03d98cf68a5cae27a082c4a614d154565a3c34f > Mail-SpamAssassin-3.4.2.tar.gz > c76841929fa53cf0adeb924797195c66da207ab6739553fd62634f94f2dcd875 > Mail-SpamAssassin-3.4.2.zip > 8d481a2081f1e62a2579238f66b58d2124f7a2e9f3cfa3d4aa2b03fe7b0199bb > Mail-SpamAssassin-rules-3.4.2.r1840640.tgz > > sha512sum of archive files: > > > > fe3d9d1d7b9fed3063549afd071066729f1f4d998be91ded1e5afc29bb37c7a298dc5f8f99a282b75435d317b5b5072a81393134ccfe059a73d953e26a9c3885 > Mail-SpamAssassin-3.4.2.tar.bz2 > > > 85e3d78bb885ad1d0bf2066d1bc919d6ad5e9f86795069397e7c28cc1ba02870566ec014c08c81f68e7ed03b7f60d2de0b9730b3415b35d848abde2c8920a28f > Mail-SpamAssassin-3.4.2.tar.gz > > > 9545c1cd55c31f23ba8f8421f78306657a068004a27cab8cd094eb9bc7c8d94cdb4803089318f2c0cefb9b817fa3f1cfb7cb817913027c0c93b5d639937ee05c > Mail-SpamAssassin-3.4.2.zip > > > 38b5f4dc6e6776937e787123c265ecd9a0a2f60aca1b57d6ed4a8f78cf81550478eddd0829b1255e9e8ce64421e06cc13ae82f1a597e893b65f0d07ba8c53a7f > Mail-SpamAssassin-rules-3.4.2.r1840640.tgz > > Note that the *-rules-*.tgz files are only necessary if you cannot, > or do not wish to, run "sa-update" after install to download the latest > fresh rules. > > See the INSTALL and UPGRADE files in the distribution for important > installation notes. > > > GPG Verification Procedure > -------------------------- > The release files also have a .asc accompanying them. The file serves > as an external GPG signature for the given release file. The signing > key is available via the wwwkeys.pgp.net key server, as well as > https://www.apache.org/dist/spamassassin/KEYS > > The key information is: > > pub 4096R/F7D39814 2009-12-02 > Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814 > uid SpamAssassin Project Management Committee > <priv...@spamassassin.apache.org> > uid SpamAssassin Signing Key (Code Signing Key, > replacement for 1024D/265FA05B) <d...@spamassassin.apache.org> > sub 4096R/7B3265A5 2009-12-02 > > To verify a release file, download the file with the accompanying .asc > file and run the following commands: > > gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814 > gpg --verify Mail-SpamAssassin-3.4.1.tar.bz2.asc > gpg --fingerprint F7D39814 > > Then verify that the key matches the signature. > > Note that older versions of gnupg may not be able to complete the steps > above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11 > worked flawlessly. > > See https://www.apache.org/info/verification.html for more information > on verifying Apache releases. > > > About Apache SpamAssassin > ------------------------- > > Apache SpamAssassin is a mature, widely-deployed open source project > that serves as a mail filter to identify spam. SpamAssassin uses a > variety of mechanisms including mail header and text analysis, Bayesian > filtering, DNS blocklists, and collaborative filtering databases. In > addition, Apache SpamAssassin has a modular architecture that allows > other technologies to be quickly incorporated as an addition or as a > replacement for existing methods. > > Apache SpamAssassin typically runs on a server, classifies and labels > spam before it reaches your mailbox, while allowing other components of > a mail system to act on its results. > > Most of the Apache SpamAssassin is written in Perl, with heavily > traversed code paths carefully optimized. Benefits are portability, > robustness and facilitated maintenance. It can run on a wide variety of > POSIX platforms. > > The server and the Perl library feels at home on Unix and Linux platforms > and reportedly also works on MS Windows systems under ActivePerl. > > For more information, visit https://spamassassin.apache.org/ > > > About The Apache Software Foundation > ------------------------------------ > > Established in 1999, The Apache Software Foundation provides > organizational, legal, and financial support for more than 100 > freely-available, collaboratively-developed Open Source projects. The > pragmatic Apache License enables individual and commercial users to > easily deploy Apache software; the Foundation's intellectual property > framework limits the legal exposure of its 2,500+ contributors. > > For more information, visit https://www.apache.org/ > > -- > Kevin A. McGrail > VP Fundraising, Apache Software Foundation > Chair Emeritus Apache SpamAssassin Project > https://www.linkedin.com/in/kmcgrail - 703.798.0171 > > -- rickygm http://gnuforever.homelinux.com
