SpamAssassin 3.4.2

Erulezz

Verified User
Joined
Sep 14, 2015
Messages
905
Location
🇳🇱
Yes, you read it correctly. A new SpamAssassin update after 3.5 years:

2018-09-16: SpamAssassin 3.4.2 has been released! This release contains numerous tweaks and bug fixes over the past three and 1/2 years including:

- sa-update now uses SHA-256 & SHA-512 hashing to verify rule updates;
- 4 new plugins; and
- Four CVE security bug fixes: CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781.

https://mail-archives.apache.org/[email protected]>

Also important;

However, there is one specific pressing reason to upgrade.
Specifically, we
will stop producing SHA-1 signatures for rule updates. This means that
while
we produce rule updates with the focus on them working for any release from
v3.3.2 forward, they will start failing SHA-1 validation for sa-update.

*** If you do not update to 3.4.2, you will be stuck at the last ruleset
with SHA-1 signatures in the near future. ***

https://spamassassin.apache.org
 
Last edited:
Added to files1.

Note that older boxes like CentOS 5 will have issues, since the mirrors use https and don't accept TLS 1.0, so the sa-updates rules updates (and MIRRORED.BY) downloads will fail.
As you shouldn't be using those older OS's anyway, no extra checks were added into CustomBuild to block them (in case you are able to update things manually).

I've also enabled 3 of the 4 new plugins by default in this file:
Code:
/etc/mail/spamassassin/v342.pre
  • HashBL
  • FromNameSpoof
  • Phishing
But left out ResourceLimits because it needs BSD::Resource which is not usually installed by default, so the spamd wouldn't be happy and would throw errors.

John
 
Received one error during update:
Code:
Enabling new SA plugins
Running sa-update.
plugin: failed to parse plugin (from @INC): Can't locate version.pm in @INC (@INC contains: /usr/share/perl5 /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5) at /usr/share/perl5/Mail/SpamAssassin/Plugin/AskDNS.pm line 194.
BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Plugin/AskDNS.pm line 194.
Compilation failed in require at (eval 140) line 1.

channel: could not find working mirror, channel failed
plugin: failed to parse plugin (from @INC): Attempt to reload Mail/SpamAssassin/Plugin/AskDNS.pm aborted.
Compilation failed in require at (eval 218) line 1.
 
I did not get any errors on my Centos 7 server, but after upgrade it still shows the old version:

Code:
[root@server custombuild]# spamassassin -V
SpamAssassin version 3.4.1
  running on Perl version 5.16.3

I even did "killall -9 spamd". Then I did ./build spammassassin a second time, but still it shows the old versions when doing: spamassassin -V

However when sending av test email and looking at the header source, it correctly display the correct version:

Code:
X-Spam-Checker-Version: SpamAssassin 3.4.2

Anybody know how to get the correct version when doing spamassassin -V?
 
I needed to upgrade all cpan modules, then I recompiled spamassassin in custombuild, and now it shows correct version.
 
Sa_update now always exits with a code 4:
Code:
ep 19 14:13:37.142 [31459] dbg: channel: reading MIRRORED.BY file /var/lib/spamassassin/3.004002/sought_rules_yerp_org/MIRRORED.BY
Sep 19 14:13:37.142 [31459] dbg: channel: parsing MIRRORED.BY file for channel sought.rules.yerp.org
Sep 19 14:13:37.142 [31459] dbg: channel: found mirror http://rules.yerp.org.s3.amazonaws.com/rules/stage/
Sep 19 14:13:37.146 [31459] dbg: dns: query failed: rules.yerp.org.s3.amazonaws.com/rules/stage => NXDOMAIN
Sep 19 14:13:37.147 [31459] dbg: dns: query failed: rules.yerp.org.s3.amazonaws.com/rules/stage => NXDOMAIN
Sep 19 14:13:37.148 [31459] dbg: generic: reject mirror http://rules.yerp.org.s3.amazonaws.com/rules/stage: no common address family (IPv4 IPv6)
channel: could not find working mirror, channel failed
Sep 19 14:13:37.148 [31459] dbg: channel: attempting channel updates.spamassassin.org
Sep 19 14:13:37.148 [31459] dbg: channel: using existing directory /var/lib/spamassassin/3.004002/updates_spamassassin_org
Sep 19 14:13:37.148 [31459] dbg: channel: channel cf file /var/lib/spamassassin/3.004002/updates_spamassassin_org.cf
Sep 19 14:13:37.148 [31459] dbg: channel: channel pre file /var/lib/spamassassin/3.004002/updates_spamassassin_org.pre
Sep 19 14:13:37.148 [31459] dbg: channel: metadata version = 1841199, from file /var/lib/spamassassin/3.004002/updates_spamassassin_org.cf
Sep 19 14:13:37.150 [31459] dbg: dns: 2.4.3.updates.spamassassin.org => 1841199, parsed as 1841199
Sep 19 14:13:37.150 [31459] dbg: channel: current version is 1841199, new version is 1841199, skipping channel
Sep 19 14:13:37.150 [31459] dbg: generic: cleaning up temporary directory/files
Sep 19 14:13:37.150 [31459] dbg: generic: cleaning directory /tmp/.spamassassin31459njMI6mtmp
Sep 19 14:13:37.150 [31459] dbg: diag: updates complete, exiting with code 4
http://rules.yerp.org.s3.amazonaws.com/rules/stage Always outputs an AccessDenied code anyway here:
Code:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>30AF136D5A904247</RequestId>
<HostId>
062OjxG0R+uLE9KuX602BeU16SqD1TeHlEknd0NYnszcN7L+V0Xt+d2ZHMlrAH3xhDQTGFNz8kQ=
</HostId>
</Error>
 
Last edited:
@tristan, It works for me on my CentOS 7 servers, maybe you are just unlucky with the mirrors? Maybe it help to force refreshing the mirror with:

Code:
sa-update --refreshmirrors

Here is my output wich shows exit code 1 (becausee I already had the newest updates):

Code:
[root@server ~]# sa-update -D
Sep 19 18:07:07.836 [30395] dbg: logger: adding facilities: all
Sep 19 18:07:07.836 [30395] dbg: logger: logging level is DBG
Sep 19 18:07:07.836 [30395] dbg: generic: SpamAssassin version 3.4.2
Sep 19 18:07:07.837 [30395] dbg: generic: Perl 5.016003, PREFIX=/usr/local, DEF_RULES_DIR=/usr/local/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin
Sep 19 18:07:07.837 [30395] dbg: config: timing enabled
Sep 19 18:07:07.839 [30395] dbg: config: score set 0 chosen.
Sep 19 18:07:07.843 [30395] dbg: generic: sa-update version 3.4.2 / svn1840377
Sep 19 18:07:07.843 [30395] dbg: generic: using update directory: /var/lib/spamassassin/3.004002
Sep 19 18:07:07.952 [30395] dbg: diag: perl platform: 5.016003 linux
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: Digest::SHA, version 6.02
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: HTML::Parser, version 3.72
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: Net::DNS, version 1.17
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: NetAddr::IP, version 4.079
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: Time::HiRes, version 1.9758
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: Archive::Tar, version 2.32
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: IO::Zlib, version 1.10
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: MIME::Base64, version 3.15
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module not installed: DB_File ('require' failed)
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: Net::SMTP, version 3.11
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module not installed: Mail::SPF ('require' failed)
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: Geo::IP, version 1.51
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: Net::CIDR::Lite, version 0.21
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: Razor2::Client::Agent, version 2.84
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: IO::Socket::IP, version 0.39
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: IO::Socket::INET6, version 2.72
Sep 19 18:07:07.952 [30395] dbg: diag: [...] module installed: IO::Socket::SSL, version 2.060
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module installed: Compress::Zlib, version 2.081
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module installed: Mail::DKIM, version 0.53
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module installed: DBI, version 1.641
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module installed: Getopt::Long, version 2.5
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module installed: LWP::UserAgent, version 6.35
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module installed: HTTP::Date, version 6.02
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module installed: Encode::Detect::Detector, version 1.01
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module installed: Net::Patricia, version 1.22
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module installed: Net::DNS::Nameserver, version 1692
Sep 19 18:07:07.953 [30395] dbg: diag: [...] module not installed: BSD::Resource ('require' failed)
Sep 19 18:07:07.954 [30395] dbg: gpg: Searching for 'gpg'
Sep 19 18:07:07.954 [30395] dbg: util: current PATH is: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Sep 19 18:07:07.954 [30395] dbg: util: executable for gpg was found at /usr/bin/gpg
Sep 19 18:07:07.954 [30395] dbg: gpg: found /usr/bin/gpg
Sep 19 18:07:07.954 [30395] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 0C2B1D7175B852C64B3CDC716C55397824F434CE
Sep 19 18:07:07.955 [30395] dbg: util: secure_tmpfile created a temporary file /tmp/.spamassassin30395y4fvBTtmp
Sep 19 18:07:07.955 [30395] dbg: channel: attempting channel updates.spamassassin.org
Sep 19 18:07:07.955 [30395] dbg: channel: using existing directory /var/lib/spamassassin/3.004002/updates_spamassassin_org
Sep 19 18:07:07.955 [30395] dbg: channel: channel cf file /var/lib/spamassassin/3.004002/updates_spamassassin_org.cf
Sep 19 18:07:07.955 [30395] dbg: channel: channel pre file /var/lib/spamassassin/3.004002/updates_spamassassin_org.pre
Sep 19 18:07:07.955 [30395] dbg: channel: metadata version = 1841199, from file /var/lib/spamassassin/3.004002/updates_spamassassin_org.cf
Sep 19 18:07:08.203 [30395] dbg: dns: 2.4.3.updates.spamassassin.org => 1841199, parsed as 1841199
Sep 19 18:07:08.203 [30395] dbg: channel: current version is 1841199, new version is 1841199, skipping channel
Sep 19 18:07:08.203 [30395] dbg: diag: updates complete, exiting with code 1
[root@server ~]# sa-update -v
Update finished, no fresh updates were available
[root@server ~]#
 
Hmm.. I think it's the sought.rules.yerp.org channel.
Check your /etc/cron.daily/sa_update (or cron.weekly, or cron.monthly), as it calls:
Code:
/usr/bin/sa-update -D --nogpg --channel sought.rules.yerp.org --channel updates.spamassassin.org
and when you remove the other channel, so it looks like this:
Code:
/usr/bin/sa-update -D --nogpg --channel updates.spamassassin.org
it should return 1..

Here are the errors from that channel
Code:
Sep 19 20:37:11.492 [10060] dbg: channel: reading MIRRORED.BY file /var/lib/spamassassin/3.004002/sought_rules_yerp_org/MIRRORED.BYSep 19 20:37:11.492 [10060] dbg: channel: parsing MIRRORED.BY file for channel sought.rules.yerp.org
Sep 19 20:37:11.492 [10060] dbg: channel: found mirror http://rules.yerp.org.s3.amazonaws.com/rules/stage/
Sep 19 20:37:11.502 [10060] dbg: dns: query failed: rules.yerp.org.s3.amazonaws.com/rules/stage => NXDOMAIN
Sep 19 20:37:11.509 [10060] dbg: dns: query failed: rules.yerp.org.s3.amazonaws.com/rules/stage => NXDOMAIN
Sep 19 20:37:11.509 [10060] dbg: generic: reject mirror http://rules.yerp.org.s3.amazonaws.com/rules/stage: no common address family (IPv4 IPv6)
channel: could not find working mirror, channel failed

The call to to
Code:
sa-update --refreshmirrors
doesn't affect it, as the channel is explicitly set.

I've not yet been able to find any info on if that channel SHOULD be working, in which case, they'd need to setup the mirror and A records.
Or if it no longer supported for 3.4.2.

I suspect the normal updates.spamassassin.org are still updating fine, so the code 4 in this case might not be a "total failure", just that specific channel.
That also explains why the basic "sa-update -D" works fine.

We'll need more info on the above, if it's just a bug which will be fixed, or if it's no longer supported, in which case we'd need to drop it from the sa-updates list in both the build script, and the /etc/cron.daily/sa-update script.

I'll keep hunting, but if anyone else knows, let me know :)

John
 
Hello,

Faced the error too:

Code:
Sep 20 08:31:08.739 [26951] dbg: sha512: verification wanted: b0f7a7cd16424290cb81474bc6736f5f38b044b0ad13a73b7898b61a09f493aeb77d0aafac1dfe2a889fb6f875c6b6c2c507df6963e4ea8ef02d83d31a1e0a57
Sep 20 08:31:08.739 [26951] dbg: sha512: verification result: 85cc6c026585d43f39e297c3dfc967efeddbe1bb2a616391a606dbc902b71e234f96b1cbdf316a2d7b794d14af129b85be24d2a32b3ba641d20e74b6ffb62276
[B]channel: SHA512 verification failed, channel failed[/B]
...
...
...
Sep 20 08:31:08.739 [26951][B] dbg: diag: updates complete, exiting with code 4[/B]



This worked for me:

Code:
rm -rf /var/lib/spamassassin/3.004002/updates_spamassassin_org/
sa-update -D
 
I've not yet been able to find any info on if that channel SHOULD be working, in which case, they'd need to setup the mirror and A records.
Or if it no longer supported for 3.4.2.

I suspect the normal updates.spamassassin.org are still updating fine, so the code 4 in this case might not be a "total failure", just that specific channel.
That also explains why the basic "sa-update -D" works fine.

We'll need more info on the above, if it's just a bug which will be fixed, or if it's no longer supported, in which case we'd need to drop it from the sa-updates list in both the build script, and the /etc/cron.daily/sa-update script.

I'll keep hunting, but if anyone else knows, let me know :)

John

I think that one is no longer published:

https://mail-archives.apache.org/mod_mbox/spamassassin-users/201809.mbox/%[email protected]%3e

Maybe we should remove the --nogpg part in the cron file as well? This seems to be working ok:

Code:
/usr/bin/sa-update -D --channel updates.spamassassin.org
 
Last edited:
CentOS 6.10

Code:
spamassassin -V

SpamAssassin version 3.4.2
  running on Perl version 5.10.1

working fine (?) after upgrade but in /var/log/maillog during message scanning:

Code:
Sep 20 11:50:38 spamd[13369]: Use of uninitialized value $( in numeric ne (!=) at /usr/share/perl5/Mail/SpamAssassin/Util.pm line 1510, <GEN8> line 23.
Sep 20 11:50:38 spamd[13369]: Use of uninitialized value $( in concatenation (.) or string at /usr/share/perl5/Mail/SpamAssassin/Util.pm line 1513, <GEN8> line 23.
Sep 20 11:50:38 spamd[13369]: util: setuid: ruid=507 euid=507 rgid=510 egid=510 
Sep 20 11:50:38 spamd[13370]: Use of uninitialized value $( in numeric ne (!=) at /usr/share/perl5/Mail/SpamAssassin/Util.pm line 1510.
Sep 20 11:50:38 spamd[13370]: Use of uninitialized value $( in concatenation (.) or string at /usr/share/perl5/Mail/SpamAssassin/Util.pm line 1513.
 
Centos 6.10.

Updated all cpan modules.
Did the sa-update -D --channel updates.spamassassin.org

Still when doing a ./build spamassassin this error keeps appearing:
Code:
Enabling new SA plugins
Running sa-update.
channel: could not find working mirror, channel failed

How can it be fixed?

Spamassassin -V does say 3.4.2 though.
 
It is only the cron job that will not be able to update the rules, if you manually do "sa-update -v" it will work.

Please see reply #9: you need to remove --channel sought.rules.yerp.org from /etc/cron.daily/sa_update, also see reply #11 that shows that channel is no longer published
 
@zEitEr:
Tried that too, still get the same notice when doing ./build spamassassin.

@Ditto: Just removed that line from cron, but cron is not used when building spamassassin.

Manually doing sa-update -v is working fine, but I'm wondering why the building of spamassassin gives that error everytime.
But if I don't have to worry about that it's fine by me too. :)
 
I guess it is because custombuild has included sought.rules.yerp.org when installing SpamAssassin.
 
I guess it is because custombuild has included sought.rules.yerp.org when installing SpamAssassin.
Almost feels like these updates aren’t tested before release on CB at all by the DirectAdmin. Maybe they should hire an email specialist again? Jeff’s absense really begins to show.
 
Ouch! :)

Sorry for the annoyance, I understand your frustration, and yes, that's on me.

In case it was unclear, we did test on the various systems, as usual.
We had to decide between not releasing the critical security updates and servers getting hacked, versus an annoying message that doesn't break spamd from running, which can still be investigated. All tested boxes (except older EOL OSs, like CentOS 5, listed in the release notes) continued to run spamd with no errors in /var/log/maillog, after the update.

The yerp issue has yet to be fully resolved, but the lack of information on if sought.rules.yerp.org is just slow in updating to the new version of SpamAssassin, or if they don't plan to support it at all is still unknown. For now, I have updated CustomBuild to not make that call to sought.rules.yerp.org. Once we know more, we can make the required permanent changes.
Changes are on files1, mirrors will sync within 24 hours.

At the end of the day, security trumps annoyances, especially when it still runs without issue, as a downed mirror shouldn't topple everything (let me know if you've experienced otherwise).

For reference, NOT updating would possibly cause:
1) Denial of service attack: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1238
2) Possible trojan horse: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1238
3) Remote code execution with PDFInfo plugin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11780
4) Local code inject: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11781

which is all now public information, hence the urgency to get it out, just not so urgent that it wasn't tested, that would obviously be dangerous :)

Anyway, apologies again for the confusion.

John
 
Back
Top