Yes, you read it correctly. A new SpamAssassin update after 3.5 years:
https://mail-archives.apache.org/mod_mbox/spamassassin-announce/201809.mbox/<email@example.com>2018-09-16: SpamAssassin 3.4.2 has been released! This release contains numerous tweaks and bug fixes over the past three and 1/2 years including:
- sa-update now uses SHA-256 & SHA-512 hashing to verify rule updates;
- 4 new plugins; and
- Four CVE security bug fixes: CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781.
https://spamassassin.apache.orgHowever, there is one specific pressing reason to upgrade.
will stop producing SHA-1 signatures for rule updates. This means that
we produce rule updates with the focus on them working for any release from
v3.3.2 forward, they will start failing SHA-1 validation for sa-update.
*** If you do not update to 3.4.2, you will be stuck at the last ruleset
with SHA-1 signatures in the near future. ***