ANNOUNCE: Apache SpamAssassin 3.4.4 available
On behalf of the Apache SpamAssassin Project, I am pleased to announce
version 3.4.4 is available.

Release Notes -- Apache SpamAssassin -- Version 3.4.4

Introduction
------------

Apache SpamAssassin 3.4.4 is primarily a security release.

In this release, there are bug fixes for two CVEs.

*** On March 1, 2020, we will stop publishing rulesets with SHA-1
signatures.
    If you do not update to 3.4.2 or later, you will be stuck at the last
    ruleset with SHA-1 signatures. ***

Many thanks to the committers, contributors, rule testers, mass checkers,
and code testers who have made this release possible.

Notable features:
=================

None noted.


Notable changes
---------------

In addition to two CVEs which shall be announced separately, this release
includes fixes for the following:

  - Improvements to OLEVBMacro
  - Fix for CRLF handling with SpamAssMilter & DKIM
  - Small fix for a regexp to provide Perl 5.8.x compatibility again
  - Increased fns_extrachars default value to 50
  - Fixed nosubject and maxhits tflags when sa-compile is used
  - Limited the Bayes parsed token count
  - Improvements to whitespace trimming

New configuration options
-------------------------

None noted.

Notable Internal changes
------------------------

None noted.

Other updates
-------------

None noted.

Optimizations
-------------

None noted.


Downloading and availability
----------------------------

Downloads are available from:

https://spamassassin.apache.org/downloads.cgi

  XXX - To be added when built

Note that the *-rules-*.tgz files are only necessary if you cannot,
or do not wish to, run "sa-update" after install to download the latest
fresh rules.

See the INSTALL and UPGRADE files in the distribution for important
installation notes.


GPG Verification Procedure
--------------------------
The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
https://www.apache.org/dist/spamassassin/KEYS



The following key is used to sign releases after, and including SA 3.3.0:

pub   4096R/F7D39814 2009-12-02
      Key fingerprint = D809 9BC7 9E17 D7E4 9BC2  1E31 FDE5 2F40 F7D3 9814
uid                  SpamAssassin Project Management Committee
<private@spamassassin.apache.org>
uid                  SpamAssassin Signing Key (Code Signing Key,
replacement for 1024D/265FA05B) <dev@spamassassin.apache.org>
sub   4096R/7B3265A5 2009-12-02

The following key is used to sign rule updates:

pub   4096R/5244EC45 2005-12-20
      Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78  DFDC 4056 A61A 5244 EC45
uid                  updates.spamassassin.org Signing Key
<release@spamassassin.org>
sub   4096R/24F434CE 2005-12-20

To verify a release file, download the file with the accompanying .asc
file and run the following commands:

  gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
  gpg --verify Mail-SpamAssassin-3.4.4.tar.bz2.asc
  gpg --fingerprint F7D39814

Then verify that the key matches the signature.

Note that older versions of gnupg may not be able to complete the steps
above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
worked flawlessly.

See https://www.apache.org/info/verification.html for more information
on verifying Apache releases.


About Apache SpamAssassin
-------------------------

Apache SpamAssassin is a mature, widely-deployed open source project
that serves as a mail filter to identify spam. SpamAssassin uses a
variety of mechanisms including mail header and text analysis, Bayesian
filtering, DNS blocklists, and collaborative filtering databases. In
addition, Apache SpamAssassin has a modular architecture that allows
other technologies to be quickly incorporated as an addition or as a
replacement for existing methods.

Apache SpamAssassin typically runs on a server, classifies and labels
spam before it reaches your mailbox, while allowing other components of
a mail system to act on its results.

Most of Apache SpamAssassin is written in Perl, with heavily
traversed code paths carefully optimized. Benefits are portability,
robustness and facilitated maintenance. It can run on a wide variety of
POSIX platforms.

The server and the Perl library feel at home on Unix and Linux platforms
and reportedly also work on MS Windows systems under ActivePerl.

For more information, visit https://spamassassin.apache.org/


About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides
organizational, legal, and financial support for more than 100
freely-available, collaboratively-developed Open Source projects. The
pragmatic Apache License enables individual and commercial users to
easily deploy Apache software; the Foundation's intellectual property
framework limits the legal exposure of its 2,500+ contributors.

For more information, visit https://www.apache.org/

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
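The verification procedure above ends with "verify that the key matches the signature", which is the step most scripts skip. The script below is an added example, not part of the announcement: it pins the full fingerprint of the release-signing key printed in the release notes (rather than the short key ID F7D39814, which is not unique) and accepts a tarball only when gpg's machine-readable VALIDSIG status line carries that fingerprint. It assumes gpg and awk are installed and that the KEYS file has already been imported.

```shell
#!/bin/sh
# Added example (not from the announcement): verify a SpamAssassin release
# tarball by pinning the signing key's full fingerprint from the release
# notes, instead of trusting gpg's human-readable "Good signature" line.

# Fingerprint of the release-signing key, exactly as listed in the
# announcement (spaces removed for comparison).
EXPECTED_FPR="D8099BC79E17D7E49BC21E31FDE52F40F7D39814"

# Read gpg --status-fd lines from stdin and return 0 only when a VALIDSIG
# line carries the expected fingerprint. Status line format:
#   [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...   (field 3 = fpr)
# GOODSIG lines are deliberately ignored: they only carry a short key ID.
check_validsig() {
    expected="$1"
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($3) == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run gpg on a detached .asc signature and pipe its status lines into
# check_validsig. Usage: verify_release Mail-SpamAssassin-3.4.4.tar.bz2.asc
# Assumes the signing key was imported from
# https://www.apache.org/dist/spamassassin/KEYS beforehand.
verify_release() {
    sigfile="$1"
    tarball="${sigfile%.asc}"
    if [ ! -f "$sigfile" ] || [ ! -f "$tarball" ]; then
        echo "missing $sigfile or $tarball" >&2
        return 2
    fi
    # --status-fd 1 sends machine-readable status to stdout; --batch avoids
    # prompts. Human-readable output on stderr is not used for the decision.
    if gpg --batch --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null \
        | check_validsig "$EXPECTED_FPR"; then
        echo "OK: $tarball carries a valid signature from key $EXPECTED_FPR"
        return 0
    fi
    echo "FAIL: no valid signature from the pinned key on $tarball" >&2
    return 1
}
```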
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
On 29.01.20 14:12, Kevin A. McGrail wrote:
>On behalf of the Apache SpamAssassin Project, I am pleased to announce
>version 3.4.4 is available.
>
>Release Notes -- Apache SpamAssassin -- Version 3.4.4
>
>Introduction
>------------
>
>Apache SpamAssassin 3.4.4 is primarily a security release.
>
>In this release, there are bug fixes for two CVEs.
>
>*** On March 1, 2020, we will stop publishing rulesets with SHA-1
>signatures.
>    If you do not update to 3.4.2 or later, you will be stuck at the last
>    ruleset with SHA-1 signatures. ***

I wonder, is it that hard to provide sha-1 signatures together with sha256?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
On Wed, 29 Jan 2020, Matus UHLAR - fantomas wrote:

> On 29.01.20 14:12, Kevin A. McGrail wrote:
>> On behalf of the Apache SpamAssassin Project, I am pleased to announce
>> version 3.4.4 is available.
>>
>> Release Notes -- Apache SpamAssassin -- Version 3.4.4
>>
>> Introduction
>> ------------
>>
>> Apache SpamAssassin 3.4.4 is primarily a security release.
>>
>> In this release, there are bug fixes for two CVEs.
>>
>> *** On March 1, 2020, we will stop publishing rulesets with SHA-1
>> signatures.
>>     If you do not update to 3.4.2 or later, you will be stuck at the last
>>     ruleset with SHA-1 signatures. ***
>
> I wonder, is it that hard to provide sha-1 signatures together with sha256?

It's not hard to do that. It's insecure.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
3 days until the 17th anniversary of the loss of STS-107 Columbia
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
Correct, it's a policy issue. ASF Projects must stop providing SHA-1
signatures and we negotiated that deadline.
Regards,
KAM
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
On 29.01.20 15:21, Kevin A. McGrail wrote:
>Correct, it's a policy issue. ASF Projects must stop providing SHA-1
>signatures and we negotiated that deadline.

do you mean, not having updates is better than using sha-1?

wouldn't clients supporting sha256 still use those over sha-1 or do you
expect MITM attackers to hide sha256 hashes so fake sha-1 can be forged?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote:
> On 29.01.20 15:21, Kevin A. McGrail wrote:
> >Correct, it's a policy issue. ASF Projects must stop providing SHA-1
> >signatures and we negotiated that deadline.
>
> do you mean, not having updates is better than using sha-1?

People using legacy SA versions are at risk from multiple vulnerabilities.
Doesn't hurt making them upgrade to something sane.

> wouldn't clients supporting sha256 still use those over sha-1 or do you
> expect MITM attackers to hide sha256 hashes so fake sha-1 can be forged?

As a general comment for everyone:

For security it makes absolutely no difference what hash checksum is used
for rule updates. It is simply for transport integrity checking. For all
purposes intended, the .gz internal compression checksum already would be
enough for this.

For checking _authenticity_, GPG signatures are the only valid method to
verify who actually created the rules. Sa-update should not be used without
GPG verification.
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
>> On 29.01.20 15:21, Kevin A. McGrail wrote:
>> >Correct, it's a policy issue. ASF Projects must stop providing SHA-1
>> >signatures and we negotiated that deadline.

>On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote:
>> do you mean, not having updates is better than using sha-1?

On 30.01.20 11:55, Henrik K wrote:
>People using legacy SA versions are at risk from multiple vulnerabilities.
>Doesn't hurt making them upgrade to something sane.

so should I understand that as a forced move "upgrade or don't get updates"?

are you aware that some distro maintainers prefer to backport security fixes
to former versions to prevent from functional surprises?

I am aware that fighting spam and viruses is a bit different than much of
other software...

>> wouldn't clients supporting sha256 still use those over sha-1 or do you
>> expect MITM attackers to hide sha256 hashes so fake sha-1 can be forged?
>
>As a general comment for everyone:
>
>For security it makes absolutely no difference what hash checksum is used
>for rule updates. It is simply for transport integrity checking. For all
>purposes intended, the .gz internal compression checksum already would be
>enough for this.
>
>For checking _authenticity_, GPG signatures are the only valid method to
>verify who actually created the rules. Sa-update should not be used without
>GPG verification.

I use debian, and it uses GPG signatures. so I understand that sha-1 issue
even less...



--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
On Thu, Jan 30, 2020 at 11:00:32AM +0100, Matus UHLAR - fantomas wrote:
> >>On 29.01.20 15:21, Kevin A. McGrail wrote:
> >>>Correct, it's a policy issue. ASF Projects must stop providing SHA-1
> >>>signatures and we negotiated that deadline.
>
> >On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote:
> >>do you mean, not having updates is better than using sha-1?
>
> On 30.01.20 11:55, Henrik K wrote:
> >People using legacy SA versions are at risk from multiple vulnerabilities.
> >Doesn't hurt making them upgrade to something sane.
>
> so should I understand that as a forced move "upgrade or don't get updates"?

There is no force of anything. SA project is not required to support legacy
versions in any way, especially when there is really no legit reason for it.

> are you aware that some distro maintainers prefer to backport security fixes
> to former versions to prevent from functional surprises?

You probably don't realize how extensive the changes for 3.4.3 were which
fixed many vulnerabilities. It's really hard to backport massive changes
and the project gives no guarantee of workings of such patches, it's up to
the distributions to support their packages.

Btw, even RedHat seems to be patching sa-update SHA-256/SHA-512 support, so your
point is moot. Any distribution can do the same if they insist on running
ancient versions.

https://bugzilla.redhat.com/show_bug.cgi?id=1787382
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
> I use debian, and it uses GPG signatures.  so I understand that sha-1
> issue even less
Which release do you worry about? Even oldoldstable is at 3.4.2, which
should be fine according to
> If you do not update to 3.4.2 or later, you will be stuck at the last
> ruleset with SHA-1 signatures.
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
On Thu, 30 Jan 2020 11:00:32 +0100
Matus UHLAR - fantomas wrote:

> >> On 29.01.20 15:21, Kevin A. McGrail wrote:

> I use debian, and it uses GPG signatures. so I understand that sha-1
> issue even less...

It was a matter of Apache policy as I understand it. There were no
security implications at all.

Even if it had been relied on for security, SHA1 would only be
potentially vulnerable to an attack by an insider with a supercomputer.
Anyone in a position to exploit it could simply generate a new hash
file, so switching to SHA256 would still make no difference.
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
On 1/30/2020 9:54 AM, RW wrote:
> On Thu, 30 Jan 2020 11:00:32 +0100
> Matus UHLAR - fantomas wrote:
>
>>>> On 29.01.20 15:21, Kevin A. McGrail wrote:
>> I use debian, and it uses GPG signatures. so I understand that sha-1
>> issue even less...
> It was a matter of Apache policy as I understand it. There were no
> security implications at all.
>
> Even if it had been relied on for security, SHA1 would only be
> potentially vulnerable to an attack by an insider with a supercomputer.
> Anyone in a position to exploit it could simply generate a new hash
> file, so switching to SHA256 would still make no difference.

The policy is at
https://www.apache.org/dev/release-distribution#sigs-and-sums

I have not analyzed the risk or done a threat model on this issue but
sha-1 is cryptographically weak and banned by ASF policy.  There is a
ticket concerning asking for a variance but I am at best, neutral on
that idea.

Key to the issue is I fail to see how the highly intrusive security work
done for 3.4.3 can possibly be backported. 

My recommendation remains a strong: upgrade to 3.4.4.

Regards,
KAM

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
Kevin A. McGrail schrieb am 29.01.2020 um 20:12:
>   - Fix for CRLF handling with SpamAssMilter & DKIM
Sorry that I didn't check and write about rc1, but I can confirm that
for me, valid DKIM signatures are again detected as valid with the
released 3.4.4.
Many thanks!

Alex
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
> Key to the issue is I fail to see how the highly intrusive security work
> done for 3.4.3 can possibly be backported. 

The Debian patches for CVE-2018-11805 and CVE-2019-12420 onto 3.4.2 are
roughly 100kb in size.
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
On Thu, 30 Jan 2020, Matus UHLAR - fantomas wrote:

>>> On 29.01.20 15:21, Kevin A. McGrail wrote:
>>> >Correct, it's a policy issue. ASF Projects must stop providing SHA-1
>>> >signatures and we negotiated that deadline.
>
>> On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote:
>>> do you mean, not having updates is better than using sha-1?
>
> On 30.01.20 11:55, Henrik K wrote:
>> People using legacy SA versions are at risk from multiple vulnerabilities.
>> Doesn't hurt making them upgrade to something sane.
>
> so should I understand that as a forced move "upgrade or don't get updates"?
>
> are you aware that some distro maintainers prefer to backport security fixes
> to former versions to prevent from functional surprises?

Then they would presumably backport the SHA-256 checksum handling, as
it is a security issue...


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The problem is when people look at Yahoo, slashdot, or groklaw and
jump from obvious and correct observations like "Oh my God, this
place is teeming with utter morons" to incorrect conclusions like
"there's nothing of value here". -- Al Petrofsky, in Y! SCOX
-----------------------------------------------------------------------
2 days until the 17th anniversary of the loss of STS-107 Columbia
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
On Thu, 2020-01-30 at 15:05 -0800, John Hardin wrote:
> On Thu, 30 Jan 2020, Matus UHLAR - fantomas wrote:
>
> > > > On 29.01.20 15:21, Kevin A. McGrail wrote:
> > > > > Correct, it's a policy issue. ASF Projects must stop
> > > > > providing SHA-1
> > > > > signatures and we negotiated that deadline.
> > > On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas
> > > wrote:
> > > > do you mean, not having updates is better than using sha-1?
> >
> > On 30.01.20 11:55, Henrik K wrote:
> > > People using legacy SA versions are at risk from multiple
> > > vulnerabilities.
> > > Doesn't hurt making them upgrade to something sane.
> >
> > so should I understand that as a forced move "upgrade or don't get
> > updates"?
> >
> > are you aware that some distro maintainers prefer to backport
> > security fixes
> > to former versions to prevent from functional surprises?

That's what Ubuntu did. I filed a bug report to upgrade to 3.4.3 and
listed the CVEs involved. Instead of rolling out 3.4.3 they backported
the fixes to 3.4.2. I'm getting ready to file another bug report
requesting an upgrade to 3.4.4, listing the CVEs affected, and see what
happens.

>
> Then they would presumably backport the SHA-256 checksum handling,
> as
> it is a security issue...
>
>
--
Chris
31.11972; -97.90167 (Elev. 1092 ft)
17:12:12 up 2 days, 8:39, 1 user, load average: 1.41, 0.72, 0.54
Description: Ubuntu 18.04.3 LTS, kernel 5.3.0-28-generic
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
>> Key to the issue is I fail to see how the highly intrusive security work
>> done for 3.4.3 can possibly be backported.

On 30.01.20 16:31, Damian wrote:
>The Debian patches for CVE-2018-11805 and CVE-2019-12420 onto 3.4.2 are
>roughly 100kb in size.

wow, I wonder if they are only to fix those two CVEs.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins. -- Daffy Duck & Porky Pig
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
>> On Thu, 30 Jan 2020 11:00:32 +0100 Matus UHLAR - fantomas wrote:
>>> I use debian, and it uses GPG signatures. so I understand that sha-1
>>> issue even less...

>On 1/30/2020 9:54 AM, RW wrote:
>> It was a matter of Apache policy as I understand it. There were no
>> security implications at all.
>>
>> Even if it had been relied on for security, SHA1 would only be
>> potentially vulnerable to an attack by an insider with a supercomputer.
>> Anyone in a position to exploit it could simply generate a new hash
>> file, so switching to SHA256 would still make no difference.

On 30.01.20 10:10, Kevin A. McGrail wrote:
>The policy is at
>https://www.apache.org/dev/release-distribution#sigs-and-sums

SHOULD NOT supply a MD5 or SHA-1 checksum file (because these are deprecated)

(fyi)

I was only trying to understand the reasons.

I tend to prefer lower security over no security when possible...

>I have not analyzed the risk or done a threat model on this issue but
>sha-1 is cryptographically weak and banned by ASF policy.  There is a
>ticket concerning asking for a variance but I am at best, neutral on
>that idea.
>
>Key to the issue is I fail to see how the highly intrusive security work
>done for 3.4.3 can possibly be backported.
>
>My recommendation remains a strong: upgrade to 3.4.4.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.
Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
I'd like to remind everyone to not use --nogpg option for sa-update,
especially if you keep using older vulnerable SA versions. There are many
bad scripts and examples found with Google that use it for no real reason.

If you use some third party channel that does not PGP sign their rules,
might be wise not to use it at all.

Same goes for --allowplugins which should never be used.

Cheers,
Henrik
