Apache SpamAssassin 3.1.8 released!
Apache SpamAssassin 3.1.8 was released on Wednesday. It would be a good idea for most people to update — especially those processing a lot of mail for a lot of users/domains. People using sa-update with channels from sources that they don’t particularly trust to adequately secure their channel to prevent it being compromised should also update. With versions prior to 3.1.8 a channel, that you use, compromised by a malicious party could turn your SpamAssassin install into a spambot (or anything else that could be done with privs sa-update or other SA software runs as on your machine). Cool. The spambot possibility is the reason I pushed for the new –allowcode option (disabled by default).
Speaking of sa-update channels. People using the “Openprotect” channel are shit-out-of-luck for now if they’re using 3.1.8. Apparently they publish a separate txt record for each version of SpamAssassin. Actually, it’s not even each version of SA that supports sa-update — only versions 3.1.3-3.1.7 are currently supported by their channel. I suspect that their free DNS provider (speaking of not totally secure channels — make sure you’re not disabling the gpg key check for this channel since they outsource their DNS) doesn’t allow wildcards. I don’t know why they wouldn’t anticipate new releases in advance, though, and add records for, say, versions up to 3.1.15, or at least one more than the version number in current release.
Oh yeah… people using the “Openprotect” channel may or may not be affected by the new “–allowcode” thing in sa-update. The “Openprotect” folks decided to enable 12 plugins for you in their updates. Some of these plugins aren’t enabled by default in the SA distro and sa-update now won’t load these plugins (using the loadplugin lines in the updates, anyway) without you including the “–allowcode” option in your call to sa-update. Depending on whether or not their rule files include the proper “ifplugin” lines the channel might not pass a lint (and thus not be installed) if you haven’t loaded the required plugins yourself in your system config (which sa-update now uses to load the plugins you’ve enabled in your setup when linting an update).
Now that I’ve probably pissed off everyone involved with the “Openprotect” channel and all those who use it (really that’s not my intention — I’m trying to give people a heads up so that they don’t waste a bunch of time trying to figure out what’s going on) I’ll point out that the SARE sa-update channels that I provide aren’t at all affected by any of this. My channels are also a lot more flexible… you get to pick your own rulesets. See this page for usage details or this post for why I set these channels up.
Add comment February 15th, 2007
