16:56 Cy Schubert (cy) 

mail/spamassassin: Update 3.4.6 --> 4.0.0

The release announcement can be found at
https://svn.apache.org/repos/asf/spamassassin/trunk/build/announcements/\
4.0.0.txt.

A list of detailed changes can be found at
https://svn.apache.org/repos/asf/spamassassin/trunk/Changes.

    3fdfceb

20:24 Dima Panov (fluffy) 

mail/spamassassin: update to 3.4.6 release (+)

Apache SpamAssassin 3.4.6 fixes two bugs that were introduced by the
3.4.5 release that could prevent certain rules from properly firing.

Changelog:	https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.6.txt

    0ea4db4

20:02 cy 

mail/spamassassin: Update 3.4.4 --> 3.4.5, fixing CVE-2020-1946

According to https://s.apache.org/ng9u9, 3.4.5 fixes CVE-2020-1946.
The announce text:

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue
of security note where malicious rule configuration (.cf) files can be
configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number
of scenarios. In addition to upgrading to SA 3.4.5, users should only use
update channels or 3rd party .cf files from trusted places.

Apache SpamAssassin would like to thank Damian Lukowski at credativ for
ethically reporting this issue.

This issue has been assigned CVE id CVE-2020-1946 [2]

To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the https://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://s.apache.org/ng9u9

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

PR:		254526
Submitted by:	cy
Reported by:	cy
Approved by:	maintainer (zeising)
MFH:		2021Q1
Security:	https://s.apache.org/ng9u9
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

 

16:06 zeising 

mail/spamassassin: Update to 3.4.4

Update mail/spamassassin to 3.4.4.  This fixes several security
vulnderabilities.

Changelog:
- Improvements to OLEVBMacro
- Fix for CRLF handling with SpamAssMilter & DKIM
- Small fix for a regexp to provide Perl 5.8.x compatability again
- Increased fns_extrachars default value to 50
- Fixed nosubject and maxhits tflags when sa-compile is used
- Limited the Bayes parsed token count
- Improvements to whitespace trimming

PR:		243744
Submitted by:	cy
MFH:		2020Q1
Security:	c86bfee3-4441-11ea-8be3-54e1ad3d6335

 

20:03 cy 

Update 3.4.2 --> 3.4.3

2019-12-11: Apache SpamAssassin 3.4.3 has been released! Apache
SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare
to move to version 4.0.0 with better, native UTF-8 handling. There are a
number of functional patches, improvements as well as security reasons to
upgrade to 3.4.3. In this release, there is also one new plugin and there
are bug fixes for two CVEs:

    CVE-2019-12420 for Multipart Denial of Service Vulnerability
    CVE-2018-11805 for nefarious CF files can be configured to run system
                   commands without any output or errors.

PR:		242618
Submitted by:	cy
Reported by:	cy
Approved by:	zeising (maintainer)
MFH:		2019Q4
Security:	CVE-2019-12420, CVE-2018-11805

 

19:30 zeising 

mail/spamassassin: Update to 3.4.2

Update mail/spamassassin to 3.4.2.  This update includes security fixes.
For complete changelog and upgrade notes, see:
https://mail-archives.apache.org/mod_mbox/spamassassin-announce/201809.mbox/%3cc44ca0f1-cba9-b129-20b2-ba59816cfd13@apache.org%3e

Big thanks to Larry Rosenman (ler) for help with testing!

PR:		231412
Reported by:	dewayne@heuristicsystems.com.au
Tested by:	ler
MFH:		2018Q3
Security:	613193a0-c1b4-11e8-ae2d-54e1ad3d6335

 

18:46 adamw 

Update spamassassin to 3.4.1.

Changes:
  * improved automation to help combat spammers that are abusing new top level
    domains;
  * tweaks to the SPF support to block more spoofed emails;
  * increased character set normalization to make rules easier to develop and
    stop spammers from using alternate character sets to bypass tests;
  * continued refinement to the native IPv6 support; and
  * improved Bayesian classification with better debugging and attachment
    hashing.

Full ChangeLog at https://metacpan.org/changes/distribution/Mail-SpamAssassin

The japanese/spamassassin port is broken until it's updated for 3.4.1.