From: To: Bcc: users@spamassassin.apache.org, dev@spamassassin.apache.org, announce@spamassassin.apache.org, announce@apache.org Reply-to: dev@spamassassin.apache.org Subject: ANNOUNCE: Apache SpamAssassin 3.4.3 available Release Notes -- Apache SpamAssassin -- Version 3.4.3 Introduction ------------ Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare to move to version 4.0.0 with better, native UTF-8 handling. There are a number of functional patches, improvements as well as security reasons to upgrade to 3.4.3. In this release, there are bug fixes for two CVEs. *** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures. If you do not update to 3.4.2 or later, you will be stuck at the last ruleset with SHA-1 signatures. *** Many thanks to the committers, contributors, rule testers, mass checkers, and code testers who have made this release possible. Happy Birthday -------------- Apache SpamAssassin turned 18 on September 5th, 2019. Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the world's most popular email anti-spam platform. Apache SpamAssassin can be used on a wide variety of email systems including Postfix, procmail, qmail, sendmail, and more. It serves as the spam-filtering and detection solution for numerous ISPs and hosting providers, and is integrated in commercial software including Plesk, cPanel, Vesta Control Panel, and many others. SpamAssassin was originally created by Justin Mason, who had maintained a number of patches against an earlier program named filter.plx by Mark Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code from scratch and uploaded the resulting codebase to SourceForge on April 20, 2001. SpamAssassin entered the Apache Incubator in December 2003 and graduated as an Apache Top-Level Project in June 2004. Notable features: ================= New plugins ----------- There is 1 new plugin added with this release: # OLEVBMacro - Detects both OLE macros and VB code inside Office documents # # It tries to discern between safe and malicious code but due to the threat # macros present to security, many places block these type of documents # outright. # # For this plugin to work, Archive::Zip and IO::String modules are required. # loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro This plugin is disabled by default. To enable, uncomment the loadplugin configuration options in file v343.pre, or add it to some local .pre file such as local.pre. Notable changes --------------- Safer and faster scanning of large emails using body_part_scan_size and rawbody_part_scan_size settings. New tflag "nosubject" for 'body' rules, to stop matching the Subject header which is part of the body text. Two CVE security bug fixes are included in this release: CVE-2019-12420 for Multipart Denial of Service Vulnerability CVE-2018-11805 for nefarious CF files can be configured to run system commands without any output or errors. Security updates include deprecation of the unsafe sa-update '--allowplugins' option, which now prints a warning that '--reallyallowplugins' is required to use it. New configuration options ------------------------- A new subjprefix keyword used to add a prefix to the subject of the email if a rule is matched. A new template tag _SUBJPREFIX_ that maps to the subject prefix that has been added by the subjprefix keyword. A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that hits with duplicated rules collapsed. A config option rbl_headers has been added to DNSEval plugin, this option is used to specify in which headers check_rbl_headers should check for content used to query the specified rbl. A new check_rbl_ns_from function has been added to check the dns server of the from addrs domain name against a specific rbl. A new check_rbl_rcvd function has been added to check all received headers domains or ip addresses against a specific rbl. New options has been added to check_hashbl_emails function has been added; it is now possible to specify in which headers the function should check for content used to query the specified rbl and an acl to filter the email addresses the rule should apply. A new check_hashbl_bodyre function has been added, it is now possible to search body for matching regexp and query the string captured against the specified rbl. A new check_hashbl_uris function has been added, it is now possible to match uris in email's body and query the uris against the specified rbl. Notable Internal changes ------------------------ None noted. Other updates ------------- None noted. Optimizations ------------- None noted. Downloading and availability ---------------------------- Downloads are available from: https://spamassassin.apache.org/downloads.cgi sha256sum of archive files: a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d Mail-SpamAssassin-3.4.3.tar.bz2 bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8 Mail-SpamAssassin-3.4.3.tar.gz 3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86 Mail-SpamAssassin-3.4.3.zip d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9 Mail-SpamAssassin-rules-3.4.3.r1871124.tgz sha512sum of archive files: 4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0 Mail-SpamAssassin-3.4.3.tar.bz2 d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a Mail-SpamAssassin-3.4.3.tar.gz 608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14 Mail-SpamAssassin-3.4.3.zip 2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f Mail-SpamAssassin-rules-3.4.3.r1871124.tgz Note that the *-rules-*.tgz files are only necessary if you cannot, or do not wish to, run "sa-update" after install to download the latest fresh rules. See the INSTALL and UPGRADE files in the distribution for important installation notes. GPG Verification Procedure -------------------------- The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net key server, as well as https://www.apache.org/dist/spamassassin/KEYS The following key is used to sign releases after, and including SA 3.3.0: pub 4096R/F7D39814 2009-12-02 Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814 uid SpamAssassin Project Management Committee uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) sub 4096R/7B3265A5 2009-12-02 The following key is used to sign rule updates: pub 4096R/5244EC45 2005-12-20 Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45 uid updates.spamassassin.org Signing Key sub 4096R/24F434CE 2005-12-20 To verify a release file, download the file with the accompanying .asc file and run the following commands: gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814 gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc gpg --fingerprint F7D39814 Then verify that the key matches the signature. Note that older versions of gnupg may not be able to complete the steps above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11 worked flawlessly. See https://www.apache.org/info/verification.html for more information on verifying Apache releases. About Apache SpamAssassin ------------------------- Apache SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify spam. SpamAssassin uses a variety of mechanisms including mail header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. In addition, Apache SpamAssassin has a modular architecture that allows other technologies to be quickly incorporated as an addition or as a replacement for existing methods. Apache SpamAssassin typically runs on a server, classifies and labels spam before it reaches your mailbox, while allowing other components of a mail system to act on its results. Most of the Apache SpamAssassin is written in Perl, with heavily traversed code paths carefully optimized. Benefits are portability, robustness and facilitated maintenance. It can run on a wide variety of POSIX platforms. The server and the Perl library feels at home on Unix and Linux platforms and reportedly also works on MS Windows systems under ActivePerl. For more information, visit https://spamassassin.apache.org/ About The Apache Software Foundation ------------------------------------ Established in 1999, The Apache Software Foundation provides organizational, legal, and financial support for more than 100 freely-available, collaboratively-developed Open Source projects. The pragmatic Apache License enables individual and commercial users to easily deploy Apache software; the Foundation's intellectual property framework limits the legal exposure of its 2,500+ contributors. For more information, visit https://www.apache.org/