Spamassassin 3.4.2 has been announced, fixing several security issues: https://www.openwall.com/lists/oss-security/2018/09/16/1
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing one committer.
CC: (none) => marja11, shlomif
Assignee: bugsquad => pkg-bugs
shlomif has pushed the 3.4.2 version to cauldron so that should be good for this branch.
CC: (none) => bruno
I pushed the same version in 6 core/updates_testing
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Advisory:
========================

Updated spamassassin package fixes security vulnerabilities:

A reliance on "." in @INC in one configuration script (CVE-2016-1238).

A denial of service vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts (CVE-2017-15705).

A potential Remote Code Execution bug with the PDFInfo plugin (CVE-2018-11780).

A local user code injection in the meta rule syntax (CVE-2018-11781).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781
https://www.openwall.com/lists/oss-security/2018/09/16/1
========================

Updated packages in core/updates_testing:
========================
spamassassin-3.4.2-1.1.mga6
spamassassin-sa-compile-3.4.2-1.1.mga6
spamassassin-tools-3.4.2-1.1.mga6
spamassassin-spamd-3.4.2-1.1.mga6
spamassassin-spamc-3.4.2-1.1.mga6
perl-Mail-SpamAssassin-3.4.2-1.1.mga6
perl-Mail-SpamAssassin-Spamd-3.4.2-1.1.mga6

from spamassassin-3.4.2-1.1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
RedHat has issued an advisory for two of these issues on October 11: https://access.redhat.com/errata/RHSA-2018:2916
Fedora has issued an advisory for this on September 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WQLOB65TXVE2WTAWI7HSIN5YFEPE5JCY/
Installed and tested but it seems to NOT be working.

TL;DR: spamassassin is not working. The spam score is zero and the test is "none" for all messages. The rules package is for version 3.4.1 and does not seem to work with version 3.4.2. Maybe updating the package "spamassassin-rules" will solve this issue.

System: Mageia 6, x86_64, Intel CPU.

After the update to version 3.4.2, I noticed that, for all messages, the spam score was always ZERO and the tests were always "none". Before the update and after a downgrade to version 3.4.1, the messages have various scores and tests.

Before update:
=======================================
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on marte.home
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,HTML_MESSAGE,
	T_DKIM_INVALID autolearn=ham autolearn_force=no version=3.4.1
=======================================

After update:
=======================================
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on marte.home
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham
	autolearn_force=no version=3.4.2
=======================================

After downgrade:
=======================================
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on marte.home
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,HTML_MESSAGE,
	T_DKIM_INVALID autolearn=ham autolearn_force=no version=3.4.1
---------------------------------------
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on marte.home
X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_50,HTML_MESSAGE,
	MIME_HTML_ONLY,RP_MATCHES_RCVD,T_OBFU_PDF_ATTACH autolearn=no
	autolearn_force=no version=3.4.1
=======================================

To try and debug the issue, I looked at the spam rules with spamassassin's lint feature and the result is as follows:
=======================================
$ spamassassin --lint
Oct 19 10:37:13.214 [8266] warn: config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.214 [8266] warn: config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.230 [8266] warn: config: configuration file "/usr/share/spamassassin/20_body_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.230 [8266] warn: config: configuration file "/usr/share/spamassassin/20_body_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.231 [8266] warn: config: configuration file "/usr/share/spamassassin/20_compensate.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.231 [8266] warn: config: configuration file "/usr/share/spamassassin/20_compensate.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.231 [8266] warn: config: configuration file "/usr/share/spamassassin/20_dnsbl_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.231 [8266] warn: config: configuration file "/usr/share/spamassassin/20_dnsbl_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.233 [8266] warn: config: configuration file "/usr/share/spamassassin/20_drugs.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.233 [8266] warn: config: configuration file "/usr/share/spamassassin/20_drugs.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.235 [8266] warn: config: configuration file "/usr/share/spamassassin/20_dynrdns.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.235 [8266] warn: config: configuration file "/usr/share/spamassassin/20_dynrdns.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.236 [8266] warn: config: configuration file "/usr/share/spamassassin/20_fake_helo_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.236 [8266] warn: config: configuration file "/usr/share/spamassassin/20_fake_helo_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.260 [8266] warn: config: configuration file "/usr/share/spamassassin/20_head_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.260 [8266] warn: config: configuration file "/usr/share/spamassassin/20_head_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.263 [8266] warn: config: configuration file "/usr/share/spamassassin/20_html_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.263 [8266] warn: config: configuration file "/usr/share/spamassassin/20_html_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.268 [8266] warn: config: configuration file "/usr/share/spamassassin/20_meta_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.268 [8266] warn: config: configuration file "/usr/share/spamassassin/20_meta_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.269 [8266] warn: config: configuration file "/usr/share/spamassassin/20_net_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.269 [8266] warn: config: configuration file "/usr/share/spamassassin/20_net_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.271 [8266] warn: config: configuration file "/usr/share/spamassassin/20_phrases.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.271 [8266] warn: config: configuration file "/usr/share/spamassassin/20_phrases.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.272 [8266] warn: config: configuration file "/usr/share/spamassassin/20_porn.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.272 [8266] warn: config: configuration file "/usr/share/spamassassin/20_porn.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.282 [8266] warn: config: configuration file "/usr/share/spamassassin/20_uri_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.282 [8266] warn: config: configuration file "/usr/share/spamassassin/20_uri_tests.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.295 [8266] warn: config: configuration file "/usr/share/spamassassin/23_bayes.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.295 [8266] warn: config: configuration file "/usr/share/spamassassin/23_bayes.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.367 [8266] warn: config: configuration file "/usr/share/spamassassin/72_active.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.367 [8266] warn: config: configuration file "/usr/share/spamassassin/72_active.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.426 [8266] warn: config: configuration file "/usr/share/spamassassin/73_sandbox_manual_scores.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.22.3/Mail/SpamAssassin/Conf/Parser.pm line 407.
Oct 19 10:37:13.426 [8266] warn: config: configuration file "/usr/share/spamassassin/73_sandbox_manual_scores.cf" requires version 3.004001 of SpamAssassin, but this is code version 3.004002. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
Oct 19 10:37:13.583 [8266] warn: lint: 17 issues detected, please rerun with debug enabled for more information
=======================================

It seems the rules for "version 3.004001" are not used by "version 3.004002". Maybe this could be solved by also updating the rules package with the rules for the updated version.

$ uname -a
Linux marte 4.14.70-desktop-2.mga6 #1 SMP Thu Sep 20 22:05:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ # AFTER UPDATE
$ rpm -qa | grep -i spamassassin | sort
perl-Mail-SpamAssassin-3.4.2-1.1.mga6
spamassassin-3.4.2-1.1.mga6
spamassassin-rules-3.4.1-1.mga6

$ # AFTER DOWNGRADE
$ rpm -qa | grep -i spamassassin | sort
perl-Mail-SpamAssassin-3.4.1-3.mga6
spamassassin-3.4.1-3.mga6
spamassassin-rules-3.4.1-1.mga6
CC: (none) => mageia
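The failure reported above is a filter that fails open: every rule file is skipped for a version mismatch, so each message scores 0.0 with tests=none and passes. The following check is an added example, not part of the original report or of SpamAssassin; it flags that condition from `spamassassin --lint` output plus sampled X-Spam-Status headers. The function names are hypothetical and the sample input is abridged from the report above.

```python
import re

# Warning printed by `spamassassin --lint` when a rule file is skipped because
# it declares a different SpamAssassin version than the running code.
SKIP_RE = re.compile(
    r'configuration file "(?P<path>[^"]+)" requires version (?P<need>\d+\.\d+) '
    r'of SpamAssassin, but this is code version (?P<have>\d+\.\d+)')
# X-Spam-Status header plus its folded continuation lines.
STATUS_RE = re.compile(r'^X-Spam-Status:[ \t]*(?P<body>.*(?:\n[ \t]+.*)*)', re.M)

def skipped_rule_files(lint_output):
    """Map each skipped rule file to (required_version, running_version)."""
    return {m['path']: (m['need'], m['have']) for m in SKIP_RE.finditer(lint_output)}

def parse_status(headers):
    """Return {'score': float, 'tests': [names]} from message headers, or None."""
    m = STATUS_RE.search(headers)
    if not m:
        return None
    body = re.sub(r'\n[ \t]+', ' ', m['body'])  # unfold continuation lines
    score = re.search(r'score=(-?\d+(?:\.\d+)?)', body)
    tests = re.search(r'tests=(.*?)(?=\s+\w+=|$)', body)
    if not (score and tests):
        return None
    names = [t.strip() for t in tests.group(1).split(',') if t.strip()]
    return {'score': float(score.group(1)),
            'tests': [] if names == ['none'] else names}

def ruleset_fail_open(lint_output, sampled_headers):
    """True when rule files were skipped and no sampled message hit any test."""
    statuses = [s for s in map(parse_status, sampled_headers) if s]
    no_hits = bool(statuses) and all(not s['tests'] for s in statuses)
    return bool(skipped_rule_files(lint_output)) and no_hits

# Sample input abridged from the report above (two of the 17 lint warnings).
LINT = (
    'Oct 19 10:37:13.214 [8266] warn: config: configuration file '
    '"/usr/share/spamassassin/20_advance_fee.cf" requires version 3.004001 of '
    'SpamAssassin, but this is code version 3.004002. Skipping this file\n'
    'Oct 19 10:37:13.295 [8266] warn: config: configuration file '
    '"/usr/share/spamassassin/23_bayes.cf" requires version 3.004001 of '
    'SpamAssassin, but this is code version 3.004002. Skipping this file\n')
BEFORE = ('X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on marte.home\n'
          'X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,HTML_MESSAGE,\n'
          '\tT_DKIM_INVALID autolearn=ham autolearn_force=no version=3.4.1\n')
AFTER = ('X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on marte.home\n'
         'X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham\n'
         '\tautolearn_force=no version=3.4.2\n')

if __name__ == '__main__':
    for path, (need, have) in skipped_rule_files(LINT).items():
        print(f'skipped {path}: wants {need}, running {have}')
    print('fail-open after update:', ruleset_fail_open(LINT, [AFTER]))
```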
I have updated spamassassin-rules for both mga6 and cauldron and it builds locally. However it doesn't pass on the build system with that error:

channel: no 'mirrors.updates.spamassassin.org' record found, channel failed

I tried to mitigate that with tips from the spamassassin forum without much luck up to now. Still searching. I really dislike non-reproducible builds made of on the fly download, it has all kind of possibilities to fail :-( Will see if I can replace that with something more stable.

I have also modified spamassassin spec file to force the dep on spamassassin-rules 3.4.2 as it seems needed (hopefully test will confirm).

[Q: I wonder what is the usage of the bootstrap mechanism in the spec file however. I think it could be removed but didn't want to touch for now]

So test should be done with spamassassin-rules-3.4.2-1.1.mga6 and spamassassin-3.4.2-1.2.mga6 as soon as build works on build system.
spamassassin-3.4.2-1.2.mga6
spamassassin-sa-compile-3.4.2-1.2.mga6
spamassassin-tools-3.4.2-1.2.mga6
spamassassin-spamd-3.4.2-1.2.mga6
spamassassin-spamc-3.4.2-1.2.mga6
perl-Mail-SpamAssassin-3.4.2-1.2.mga6
perl-Mail-SpamAssassin-Spamd-3.4.2-1.2.mga6

still waiting on spamassassin-rules.
Keywords: (none) => feedback
Ok, so I used the standard way of building packages by just referring to the source file that should be used, and pushing it into SVN. Much more reliable IMHO. I still have to solve a circular dep between spamassassin and spamassassin-rules so it can be tested. Will update that BR as soon as it's solved (also asked help on the dev ML for that).
Seems to be now solved for cauldron. Packages uploaded: spamassassin-3.4.2-5.mga7 and spamassassin-rules-3.4.2-2.mga7
Upload in progress for mga6 as well:
- spamassassin-rules-3.4.2-1.1.mga6
- spamassassin-3.4.2-1.5.mga6
Installed and tested without issues. Seems to be working. Messages are being tagged and spam seems to be detected adequately.

====================================
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on marte.home
X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,BODY_SINGLE_WORD,
	T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.2
====================================

$ uname -a
Linux marte 4.14.76-desktop-1.mga6 #1 SMP Sat Oct 13 23:34:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -i spamassassin | sort
perl-Mail-SpamAssassin-3.4.2-1.4.mga6
spamassassin-3.4.2-1.4.mga6
spamassassin-rules-3.4.2-1.1.mga6
Updated packages in core/updates_testing:
========================
spamassassin-3.4.2-1.5.mga6
spamassassin-sa-compile-3.4.2-1.5.mga6
spamassassin-tools-3.4.2-1.5.mga6
spamassassin-spamd-3.4.2-1.5.mga6
spamassassin-spamc-3.4.2-1.5.mga6
perl-Mail-SpamAssassin-3.4.2-1.5.mga6
perl-Mail-SpamAssassin-Spamd-3.4.2-1.5.mga6
spamassassin-rules-3.4.2-1.1.mga6

from SRPMS:
spamassassin-3.4.2-1.5.mga6.src.rpm
spamassassin-rules-3.4.2-1.1.mga6.src.rpm
Keywords: feedback => (none)
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.

# systemctl start spamd
# systemctl -l status spamd
● spamd.service - Spamassassin daemon
   Loaded: loaded (/usr/lib/systemd/system/spamd.service; enabled; vendor preset: enabled)
   Active: active (running) since wo 2018-10-24 10:16:06 CEST; 7s ago
  Process: 27873 ExecStart=/usr/bin/spamd --pidfile /run/spamd.pid $SPAMDOPTIONS (code=exited
 Main PID: 27888 (spamd)
   CGroup: /system.slice/spamd.service
           ├─27888 /usr/bin/perl -T -w /usr/bin/spamd --pidfile /run/spamd.pid -d -c -m5 -H -
           ├─27949 spamd chil
           └─27950 spamd chil

okt 24 10:15:55 xxx.yyyy.zzz systemd[1]: Starting Spamassassin daemon...
okt 24 10:16:06 xxx.yyy.zzz systemd[1]: Started Spamassassin daemon.

Figured out how to set thunderbird to use spamassassin in mozilla site, seems OK.
Found test message in https://spamassassin.apache.org/gtube/, tried to send it to my gmail account, but I never receive it, guessing gmail filters it out? Investigating further.
CC: (none) => herman.viaene
Referring to bug 19491, had my hotmail account activated on test laptop with thunderbird. Spam message does not get thru either, plain message is received OK.
A few people have already tested this update and I have used this update for over a week without issues so I'm going to mark it as OK (x86_64 from comment #13 and x86 from comment #15 and comment #16). Please unOK it if you think appropriate.
Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Looks good to me. Validating. Final package list in Comment 14, suggested advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0425.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED