Download SpamAssassin 3.2.1 / 3.1.9

SpamAssassin is a spam filter, written in Perl, that allows a mail server to recognize spam messages. For this, a number of known methods are combined to stop different species. It examines the content of the message and uses a self-learning filter to determine whether the message is spam or not, and it also enlists the help of a number of blacklists and distributed hash databases on the internet. The developers have released versions 3.2.1 and 3.1.9 that fix a potential Denial of Service and provide the following changes:

Version 3.2.1:

3.2.1 is a major bug fix release, including a potential local DoS. The major highlights are:

• bug 5480: fix for CVE-2007-2873: a local user symlink-attack DoS vulnerability. It only affects systems where spamd is run as root, is used with vpopmail or virtual users via the “-v”/”–vpopmail” OR “–virtual-config-dir” switch, AND with the “-x”/ “–no-user-config AND WITHOUT the “-u”/”–username” switch AND with the “-l”/”–allow-tell” switch. This is not default on any distro package, and is not a common configuration.
• bug 5488: zero some rules causing false positives: FH_HOST_EQ_D_D_D_DB and FH_HOST_EQ_D_D_D_D.
• bug 5257: re-raise autolearn ham threshold to 1.0; the lower value used in 3.2.0 was creating problems.
• bug 5422: in spamd, deleting hash entries from the SIGCHLD signal handler is unsafe, causes corruption of the data structure, and results in ‘prefork: ordered child N to accept, but they reported state ‘1’, killing rogue’ errors. fix.
• bug 5102: tighten up regexp for FORGED_HOTMAIL_RCVD to avoid some FPs.
• bug 5457: spamc build and test should handle not having zlib available.
• bug 5379: spamd could crash at startup if its preloading temporary directory already exists. fix.
• bug 4616: spamc config can cause command line options to be ignored. fix.
• bug 5485: zero score DK/DKIM_POLICY_SIGNSOME rules since they’ll always fire due to defaults (unless there’s an explicit SIGNALL policy).
• bug 5492: VBounce rule was looking in header instead of body for whitelisted relays. fix.
• bug 5487: prevent multiple “urirhssub”s using the same zone from overwriting each other.
• bug 5432 – Change default in Win32 build to not build spamc.
• bug 5446: add –updatedir option to sa-compile and remove inaccurate re2c required version info from pod.
• bug 5436: add omitted “ifplugin” statements to the configuration, which would otherwise cause lint errors if the default plugins were disabled.
• bug 5477: prevent Rule2XSBody info message from appearing under stderr during spamd startup.

Version 3.1.9:

3.1.9 is a major bug fix release, including a potential local DoS. The major highlights are:

• bug 5480: fix for CVE-2007-2873: a local user symlink-attack DoS vulnerability. It only affects systems where spamd is run as root, is used with vpopmail or virtual users via the “-v”/”–vpopmail” OR “–virtual-config-dir” switch, AND with the “-x”/ “–no-user-config AND WITHOUT the “-u”/”–username” switch AND with the “-l”/”–allow-tell” switch. This is not default on any distro package, and is not a common configuration.
• bug 5353 – meta rule parsing should handle not equal (“!=”) syntax.
• set the score for URI_TRUNCATED to 0.001.
• bug 5337: change the start order for Fedora such that spamd starts before the MTA.

[break]The following two files can be downloaded:
SpamAssassin 3.2.1
SpamAssassin 3.1.9