Please don't ever use HTML for announce mails. They are more likely to be treated as spam -- as this one was -- and so may be overlooked by the moderators.
Thanks.
S.

On Thu, 12 Dec 2019 at 16:26, Kevin A. McGrail <[email protected]> wrote:
> On behalf of the Apache SpamAssassin Project, I am proud to share the release
> notes for Apache SpamAssassin v3.4.3. -KAM
>
> Release Notes -- Apache SpamAssassin -- Version 3.4.3
>
> Introduction
> ------------
>
> Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we
> prepare to move to version 4.0.0 with better, native UTF-8 handling.
>
> There are a number of functional patches, improvements as well as security
> reasons to upgrade to 3.4.3. In this release, there are bug fixes for two
> CVEs.
>
> *** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures.
> If you do not update to 3.4.2 or later, you will be stuck at the last
> ruleset with SHA-1 signatures. ***
>
> Many thanks to the committers, contributors, rule testers, mass checkers,
> and code testers who have made this release possible.
>
> Happy Birthday
> --------------
> Apache SpamAssassin turned 18 on September 5th, 2019.
>
> Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the
> world's most popular email anti-spam platform. Apache SpamAssassin can be
> used on a wide variety of email systems including Postfix, procmail, qmail,
> sendmail, and more.
>
> It serves as the spam-filtering and detection solution for numerous ISPs and
> hosting providers, and is integrated in commercial software including Plesk,
> cPanel, Vesta Control Panel, and many others.
>
> SpamAssassin was originally created by Justin Mason, who had maintained a
> number of patches against an earlier program named filter.plx by Mark
> Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code
> from scratch and uploaded the resulting codebase to SourceForge on April 20,
> 2001. SpamAssassin entered the Apache Incubator in December 2003 and
> graduated as an Apache Top-Level Project in June 2004.
>
> Notable features:
> =================
>
> New plugins
> -----------
> There is 1 new plugin added with this release:
>
> # OLEVBMacro - Detects both OLE macros and VB code inside Office documents
> #
> # It tries to discern between safe and malicious code but due to the threat
> # macros present to security, many places block these type of documents
> # outright.
> #
> # For this plugin to work, Archive::Zip and IO::String modules are required.
> # loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>
>
> This plugin is disabled by default. To enable, uncomment the loadplugin
> configuration options in file v343.pre, or add it to some local .pre file
> such as local.pre.
>
> Notable changes
> ---------------
>
> Safer and faster scanning of large emails using body_part_scan_size and
> rawbody_part_scan_size settings.
>
> New tflag "nosubject" for 'body' rules, to stop matching the Subject header
> which is part of the body text.
>
> Two CVE security bug fixes are included in this release:
>
> CVE-2019-12420 for Multipart Denial of Service Vulnerability
>
> CVE-2018-11805 for nefarious CF files can be configured to
> run system commands without any output or errors.
>
> Security updates include deprecation of the unsafe sa-update '--allowplugins'
> option, which now prints a warning that '--reallyallowplugins' is required
> to use it.
>
> New configuration options
> -------------------------
>
> A new subjprefix keyword used to add a prefix to the subject of the
> email if a rule is matched.
>
> A new template tag _SUBJPREFIX_ that maps to the subject prefix that
> has been added by the subjprefix keyword.
>
> A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that
> hits with duplicated rules collapsed.
>
> A config option rbl_headers has been added to DNSEval plugin,
> this option is used to specify in which headers check_rbl_headers
> should check for content used to query the specified rbl.
>
> A new check_rbl_ns_from function has been added to check
> the dns server of the from addrs domain name against a specific rbl.
>
> A new check_rbl_rcvd function has been added to check
> all received headers domains or ip addresses against a
> specific rbl.
>
> New options have been added to the check_hashbl_emails function;
> it is now possible to specify in which headers
> the function should check for content used to query the
> specified rbl and an acl to filter the email addresses the rule
> should apply.
>
> A new check_hashbl_bodyre function has been added, it is now possible
> to search body for matching regexp and query the string captured
> against the specified rbl.
>
> A new check_hashbl_uris function has been added, it is now possible
> to match uris in email's body and query the uris against the
> specified rbl.
>
> Notable Internal changes
> ------------------------
>
> None noted.
>
> Other updates
> -------------
>
> None noted.
>
> Optimizations
> -------------
>
> None noted.
>
>
> Downloading and availability
> ----------------------------
>
> Downloads are available from:
> https://spamassassin.apache.org/downloads.cgi
>
> sha256sum of archive files:
>
> a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d
> Mail-SpamAssassin-3.4.3.tar.bz2
> bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8
> Mail-SpamAssassin-3.4.3.tar.gz
> 3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86
> Mail-SpamAssassin-3.4.3.zip
> d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9
> Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
>
> sha512sum of archive files:
>
> 4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0
> Mail-SpamAssassin-3.4.3.tar.bz2
>
> d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a
> Mail-SpamAssassin-3.4.3.tar.gz
>
> 608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14
> Mail-SpamAssassin-3.4.3.zip
>
> 2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f
> Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
>
> Note that the *-rules-*.tgz files are only necessary if you cannot,
> or do not wish to, run "sa-update" after install to download the latest
> fresh rules.
>
> See the INSTALL and UPGRADE files in the distribution for important
> installation notes.
>
>
> GPG Verification Procedure
> --------------------------
> The release files also have a .asc accompanying them. The file serves
> as an external GPG signature for the given release file.
> The signing key is available via the wwwkeys.pgp.net key server, as well as
> https://www.apache.org/dist/spamassassin/KEYS
>
>
>
> The following key is used to sign releases after, and including SA 3.3.0:
>
> pub 4096R/F7D39814 2009-12-02
> Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
> uid SpamAssassin Project Management Committee
> <[email protected]> <[email protected]>
> uid SpamAssassin Signing Key (Code Signing Key, replacement
> for 1024D/265FA05B) <[email protected]>
> <[email protected]>
> sub 4096R/7B3265A5 2009-12-02
>
> The following key is used to sign rule updates:
>
> pub 4096R/5244EC45 2005-12-20
> Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
> uid updates.spamassassin.org Signing Key
> <[email protected]> <[email protected]>
> sub 4096R/24F434CE 2005-12-20
>
> To verify a release file, download the file with the accompanying .asc
> file and run the following commands:
>
> gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
> gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc
> gpg --fingerprint F7D39814
>
> Then verify that the key matches the signature.
>
> Note that older versions of gnupg may not be able to complete the steps
> above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
> worked flawlessly.
>
> See https://www.apache.org/info/verification.html for more information
> on verifying Apache releases.
>
>
> About Apache SpamAssassin
> -------------------------
>
> Apache SpamAssassin is a mature, widely-deployed open source project
> that serves as a mail filter to identify spam. SpamAssassin uses a
> variety of mechanisms including mail header and text analysis, Bayesian
> filtering, DNS blocklists, and collaborative filtering databases. In
> addition, Apache SpamAssassin has a modular architecture that allows
> other technologies to be quickly incorporated as an addition or as a
> replacement for existing methods.
>
> Apache SpamAssassin typically runs on a server, classifies and labels
> spam before it reaches your mailbox, while allowing other components of
> a mail system to act on its results.
>
> Most of the Apache SpamAssassin is written in Perl, with heavily
> traversed code paths carefully optimized. Benefits are portability,
> robustness and facilitated maintenance. It can run on a wide variety of
> POSIX platforms.
>
> The server and the Perl library feel at home on Unix and Linux platforms
> and reportedly also work on MS Windows systems under ActivePerl.
>
> For more information, visit https://spamassassin.apache.org/
>
>
> About The Apache Software Foundation
> ------------------------------------
>
> Established in 1999, The Apache Software Foundation provides
> organizational, legal, and financial support for more than 100
> freely-available, collaboratively-developed Open Source projects. The
> pragmatic Apache License enables individual and commercial users to
> easily deploy Apache software; the Foundation's intellectual property
> framework limits the legal exposure of its 2,500+ contributors.
>
> For more information, visit https://www.apache.org/
>
> ##
>
> --
> Kevin A. [email protected]
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>
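
The verification steps in the quoted announcement, as an added example that is not part of the original mail or the SpamAssassin project's own tooling: it checks the published SHA-256 digest and then requires that the signature's primary key matches the full fingerprint printed in the announcement, rather than trusting the 8-character key ID alone. The function names are hypothetical, and it assumes the release key has already been imported into the local keyring.

```shell
#!/usr/bin/env bash
# Added example: checksum check plus fingerprint-pinned signature check.
# Full release-key fingerprint from the announcement, spaces removed.
RELEASE_FPR="D8099BC79E17D7E49BC21E31FDE52F40F7D39814"

# sha256_ok FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
sha256_ok() {
    local actual want
    actual=$(sha256sum -- "$1" | awk '{print $1}') || return 2
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$want" ]
}

# validsig_primary_fpr: read `gpg --status-fd` output on stdin and print the
# primary-key fingerprint (last VALIDSIG field). Fails if no VALIDSIG line is
# present, i.e. the signature was bad, expired, or made by an unknown key.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; ok = 1 }
         END { exit !ok }'
}

# verify_release ARCHIVE SIGNATURE EXPECTED_SHA256 (hypothetical helper).
# Assumes the key from the KEYS file is already imported into the keyring.
verify_release() {
    local archive=$1 sig=$2 want=$3 status fpr
    sha256_ok "$archive" "$want" \
        || { echo "sha256 mismatch: $archive" >&2; return 1; }
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$archive" 2>/dev/null) \
        || { echo "gpg rejected $sig" >&2; return 1; }
    fpr=$(printf '%s\n' "$status" | validsig_primary_fpr) \
        || { echo "no valid signature on $archive" >&2; return 1; }
    [ "$fpr" = "$RELEASE_FPR" ] \
        || { echo "signed by unexpected key $fpr" >&2; return 1; }
    echo "OK: $archive"
}

# Usage: ./verify.sh ARCHIVE ARCHIVE.asc EXPECTED_SHA256
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

A GnuPG build too old to emit the primary-key field on the VALIDSIG line makes the comparison fail, so the check rejects the file rather than accepting it.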
