highlights are:
- bug 5318: fix for CVE-2007-0451: possible DoS due to incredibly
long URIs found in the message content.
- bug 5240: disable perl module usage in update channels unless
--allowplugins is specified
- bug 5288: files with names starting/ending in whitespace weren't usable
- bug 5056: remove Text::Wrap related code due to upstream issues
- bug 5145: update spamassassin and sa-learn to better deal with STDIN
- bug 5140 and 5179: improvements and bug fixes related to DomainKeys
and DKIM support
- several updates for Received header parsing
- several documentation updates and random taint-variable related issues
A more detailed change log can be read here:
http://svn.apache.org/repos/asf/spamassassin/branches/3.1/Changes
ok nikolay
- Add gnupg dependency.
- Better location for the updates: /var/db/spamassassin
- Install sa-update's default GnuPG keys as config files, so that they
will be removed upon pkg_delete.
- Remove /var/db/spamassassin using @extraunexec.
Specify minimum versions for some dependencies while here.
from maintainer Andreas Vogele <andreas at altroot.de>
looks fine naddy@
---cut---
Well, I was going to wait until 2.50 release, but it seems to be taking and
this likely affects only few installations. Besides, it's been in their
public bugzilla for over a month. So:
Attacker may be able to execute arbitrary code by sending a specially
crafted e-mail to a system using SpamAssassin's spamc program in BSMTP mode
(-B option). Versions from 2.40 to 2.43 are affected.
Exim users especially should check if they're affected, the -B option is
used in several Exim+SpamAssassin HOWTOs.
The problem is with escaping '.' characters at the beginning of lines.
Off-by-one bounds checking error allows writing '.' character past a
buffer, overwriting the stack frame address. Depending on system this may
be exploitable. Pre-built Debian unstable/x86 package wasn't vulnerable, my
self compiled was.
---cut---
--
The #1 big change:
- SpamAssassin now *REQUIRES* procmail for local delivery support;
-P option is now the default. Unless you use procmail,
Mail::Audit, KMail, or an MTA-level integration, do not upgrade
From maintainer, Han Boetes <han@boetes.org>
SpamAssassin is a mail filter to identify spam.
Using its rule base, it uses a wide range of heuristic tests on
mail headers and body text to identify "spam", also known as
unsolicited commercial email.
