MIRRORED.BY file is not signed and there are other possible attacks. Anyway, I switched the DNS entry back to plain http.

Giovanni

On 2/15/25 11:40 PM, Kevin A. McGrail wrote:
> Interesting. Well, the update data from that site is cryptographically signed and verified. HTTP is really fine in this case.
>
> On Sat, Feb 15, 2025, 15:41 Giovanni Bechis <giova...@paclan.it> wrote:
>> On Sat, Feb 15, 2025 at 01:45:46PM -0500, Bill Cole wrote:
>>> On 2025-02-15 at 10:11:16 UTC-0500 (Sat, 15 Feb 2025 15:11:16 +0000) Ralph Corderoy <sysadmins@spamassassin.apache.org> is rumored to have said:
>>>> Hi Giovanni,
>>>>
>>>>>> error: unable to refresh mirrors file for channel updates.spamassassin.org, using old file...
>>>>>
>>>>> Which version is this server running?
>>>>
>>>> 3.4.0.
>>>
>>> An update is in order. 3.4.0 has more serious bugs than I care to enumerate here. If that's a "vendor branch" that has backports of key updates (e.g. Debian or RedHat) then it will have many of those bugs fixed, but if your OS is no longer getting updates, you may not have all of the backported fixes. 4.0.1 is quite solid. The current 'trunk' version (will-be 4.0.2) has a few additional fixes.
>>>
>>>>> Could you try to run "sa-update -D" and post the results?
>>>>
>>>> Thanks, that was the pointer I needed. I've started poking around the source too. The key thing when running ‘sa-update -D’ as root now is:
>>>>
>>>>     dbg: dns: 0.4.3.updates.spamassassin.org => 1923802, parsed as 1923802
>>>>     dbg: channel: current version is 1923802, new version is 1923802, skipping channel
>>>
>>> I believe that's the latest version, as of this morning. You can force a re-fetch by editing the channel's .cf file to have a lower serial number.
>>>
>>>> so /var/lib/spamassassin/3.004000/updates_spamassassin_org/MIRRORED.BY isn't examined. Its mtime is 2025-01-29 05:23:18 +0000.
>>>
>>> That's slightly earlier than the last change in that file in the repo, which is 2025-01-29 13:36:52 +0000. The only change was to the record for sa-update.spamassassin.org. Aside from that, the file has not changed since 2023.
>>
>> one of the mirrors listed in mirrors.updates.spamassassin.org has switched to https. A connection failure due to OpenSSL incompatible algorithms could be the issue.
>>
>> Giovanni
>>
>>>> I've added -D to the sa-update run by cron so will gather more debug from the overnight run which generates the error above.
>>>
>>> Note that the message above is not an indication of any error.
>>>
>>> --
>>> Bill Cole
>>> b...@scconsult.com or billc...@apache.org
>>> (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
>>> Not Currently Available For Hire