On Mon, Sep 17, 2018 at 09:14:43AM +0200, Giovanni Bechis wrote: > Hi, > update to latest version, this is a major update, there are many new features > and a lot of bugs fixed. > Some CVEs have been fixed and old SA versions will not be compatible with > new rules sooner or later. > I used several iterations of this diff in production, ok to put it in > before 6.4 ? > > More info here: > http://svn.apache.org/repos/asf/spamassassin/trunk/build/announcements/3.4.2.txt > > Thanks & Cheers > Giovanni
Works fine on my small setup. ok pea@ Any plans to backport CVE to -stable ? > Index: Makefile > =================================================================== > RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/Makefile,v > retrieving revision 1.109 > diff -u -p -r1.109 Makefile > --- Makefile 4 Sep 2018 12:46:15 -0000 1.109 > +++ Makefile 17 Sep 2018 06:59:30 -0000 > @@ -2,11 +2,10 @@ > > COMMENT= mailfilter to identify and mark spam > > -VER= 3.4.1 > +VER= 3.4.2 > DISTNAME= Mail-SpamAssassin-${VER} > PKGNAME= p5-${DISTNAME} > -REVISION= 15 > -RULESNAME= Mail-SpamAssassin-rules-${VER}.r1675274.tgz > +RULESNAME= Mail-SpamAssassin-rules-${VER}.r1840640.tgz > CATEGORIES= mail perl5 > > DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${RULESNAME} > @@ -33,8 +32,9 @@ COMMON_DEPENDS= www/p5-HTML-Parser>=3.3 > BUILD_DEPENDS= ${COMMON_DEPENDS} > RUN_DEPENDS= ${COMMON_DEPENDS} \ > devel/re2c \ > + devel/p5-BSD-Resource \ > p5-Mail-SPF-*|p5-Mail-SPF-Query-*:mail/p5-Mail-SPF \ > - net/p5-Geo-IP \ > + > p5-Geo-IP-*|p5-IP-Country-DB_File-*|p5-IP-Country-*:net/p5-Geo-IP \ > net/p5-Net-LibIDN \ > net/p5-Net-Patricia \ > security/gnupg \ > Index: distinfo > =================================================================== > RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/distinfo,v > retrieving revision 1.38 > diff -u -p -r1.38 distinfo > --- distinfo 30 Apr 2015 14:41:53 -0000 1.38 > +++ distinfo 17 Sep 2018 06:59:56 -0000 
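Review bot: The RUN_DEPENDS hunk of Makefile has no comment saying why the Geo-IP dependency was loosened or why `devel/p5-BSD-Resource` was added. With `p5-Geo-IP-*|p5-IP-Country-DB_File-*|p5-IP-Country-*:net/p5-Geo-IP`, any one of the three packages satisfies the run dependency. The URILocalBL patch deleted later in this diff shows that plugin calling `$self->{geoip}->country_code_by_addr($ip)`, so if 3.4.2 still needs Geo::IP there, a host with only p5-IP-Country installed would pass the dependency check while that plugin cannot do lookups; this is inferred from the old patch and should be checked against the 3.4.2 sources. I would add a comment above the entry such as `# any GeoIP backend satisfies the dependency; plugins that need Geo::IP itself are listed in pkg/README`, and a similar one-line reason next to `devel/p5-BSD-Resource`. The new Geo-IP line is also wrapped by the mailer in this message, so the continuation backslashes and tabs should be checked in the applied diff.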
> @@ -1,4 +1,4 @@ > -SHA256 (Mail-SpamAssassin-3.4.1.tar.bz2) = > oMHJgI8GhLOJWU64ssy6zmSGVGWTST+TCMlVRWPRRlE= > -SHA256 (Mail-SpamAssassin-rules-3.4.1.r1675274.tgz) = > OC9+4WCpahWq5Vn1PfksNvLhdkexnFlU7+3oYUn40Ss= > -SIZE (Mail-SpamAssassin-3.4.1.tar.bz2) = 2710985 > -SIZE (Mail-SpamAssassin-rules-3.4.1.r1675274.tgz) = 270622 > +SHA256 (Mail-SpamAssassin-3.4.2.tar.bz2) = > zwMEWkmRdSFF7tAH51c38+TH80zyJdtBHOP9NZKA6No= > +SHA256 (Mail-SpamAssassin-rules-3.4.2.r1840640.tgz) = > jUgaIIHx5ioleSOPZrWNIST3ounzz6PUqisD/nsBmbs= > +SIZE (Mail-SpamAssassin-3.4.2.tar.bz2) = 2700016 > +SIZE (Mail-SpamAssassin-rules-3.4.2.r1840640.tgz) = 284758 > Index: patches/patch-Makefile_PL > =================================================================== > RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/patches/patch-Makefile_PL,v > retrieving revision 1.13 > diff -u -p -r1.13 patch-Makefile_PL > --- patches/patch-Makefile_PL 30 Apr 2015 14:41:53 -0000 1.13 > +++ patches/patch-Makefile_PL 13 Apr 2018 14:26:57 -0000 > @@ -1,7 +1,8 @@ > $OpenBSD: patch-Makefile_PL,v 1.13 2015/04/30 14:41:53 sthen Exp $ > ---- Makefile.PL.orig Tue Apr 28 20:57:01 2015 > -+++ Makefile.PL Thu Apr 30 14:25:54 2015 > -@@ -832,7 +832,7 @@ sub MY::install { > +Index: Makefile.PL > +--- Makefile.PL.orig > ++++ Makefile.PL > +@@ -856,7 +856,7 @@ sub MY::install { > > foreach (@code) { > # Add our install targets as a dependency to all top-level install > targets > Index: patches/patch-lib_Mail_SpamAssassin_BayesStore_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_BayesStore_pm > diff -N patches/patch-lib_Mail_SpamAssassin_BayesStore_pm > --- patches/patch-lib_Mail_SpamAssassin_BayesStore_pm 31 Oct 2017 07:41:51 > -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,15 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_BayesStore_pm,v 1.1 2017/10/31 > 07:41:51 giovanni Exp $ > - > -# bug 7340: remove expire flag after token expiration is done > - > -Index: lib/Mail/SpamAssassin/BayesStore.pm > ---- lib/Mail/SpamAssassin/BayesStore.pm.orig > -+++ lib/Mail/SpamAssassin/BayesStore.pm > -@@ -419,6 +419,7 @@ sub expire_old_tokens_trapped { > - dbg("bayes: $msg: $msg2"); > - } > - > -+ $self->remove_running_expire_tok(); > - return 1; > - } > - > Index: patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm > diff -N patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm > --- patches/patch-lib_Mail_SpamAssassin_Conf_Parser_pm 13 Mar 2018 > 07:51:59 -0000 1.2 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,218 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_Conf_Parser_pm,v 1.2 2018/03/13 > 07:51:59 giovanni Exp $ > - > -Index: lib/Mail/SpamAssassin/Conf/Parser.pm > ---- lib/Mail/SpamAssassin/Conf/Parser.pm.orig > -+++ lib/Mail/SpamAssassin/Conf/Parser.pm > -@@ -142,15 +142,11 @@ use Mail::SpamAssassin::NetSet; > - > - use strict; > - use warnings; > --use bytes; > -+# use bytes; > - use re 'taint'; > - > --use vars qw{ > -- @ISA > --}; > -+our @ISA = qw(); > - > --@ISA = qw(); > -- > - ########################################################################### > - > - sub new { > -@@ -263,6 +259,7 @@ sub parse { > - while (defined ($line = shift @conf_lines)) { > - local ($1); # bug 3838: prevent random taint flagging of $1 > - > -+ if (index($line,'#') > -1) { > - # bug 5545: used to support testing rules in the ruleqa system > - if ($keepmetadata && $line =~ /^\#testrules/) { > - $self->{file_scoped_attrs}->{testrules}++; > -@@ -278,8 +275,12 @@ sub parse { > - > - $line =~ s/(?<!\\)#.*$//; # remove comments > - $line =~ s/\\#/#/g; # hash chars are escaped, so unescape them > -+ } > -+ > -+ if ($line =~ tr{ \t\r\n\f}{}) { > - $line =~ s/^\s+//; # remove leading whitespace > - $line =~ s/\s+$//; # remove tailing whitespace > -+ } > - next unless($line); # skip empty lines > - > - # handle i18n > -@@ -288,7 +289,7 @@ sub parse { > - my($key, $value) = split(/\s+/, $line, 2); > - $key = lc $key; > - # convert all dashes in setting name to underscores. > -- $key =~ s/-/_/g; > -+ $key =~ tr/-/_/; > - $value = '' unless defined($value); > - > - # # Do a better job untainting this info ... > -@@ -338,26 +339,26 @@ sub parse { > - } > - > - # now handle the commands. 
> -- if ($key eq 'include') { > -+ elsif ($key eq 'include') { > - $value = $self->fix_path_relative_to_current_file($value); > - my $text = $conf->{main}->read_cf($value, 'included file'); > - unshift (@conf_lines, split (/\n/, $text)); > - next; > - } > - > -- if ($key eq 'ifplugin') { > -+ elsif ($key eq 'ifplugin') { > - $self->handle_conditional ($key, "plugin ($value)", > - \@if_stack, \$skip_parsing); > - next; > - } > - > -- if ($key eq 'if') { > -+ elsif ($key eq 'if') { > - $self->handle_conditional ($key, $value, > - \@if_stack, \$skip_parsing); > - next; > - } > - > -- if ($key eq 'else') { > -+ elsif ($key eq 'else') { > - # TODO: if/else/else won't get flagged here :( > - if (!@if_stack) { > - $parse_error = "config: found else without matching conditional"; > -@@ -369,7 +370,7 @@ sub parse { > - } > - > - # and the endif statement: > -- if ($key eq 'endif') { > -+ elsif ($key eq 'endif') { > - my $lastcond = pop @if_stack; > - if (!defined $lastcond) { > - $parse_error = "config: found endif without matching conditional"; > -@@ -508,7 +509,7 @@ sub handle_conditional { > - my $conf = $self->{conf}; > - > - my $lexer = ARITH_EXPRESSION_LEXER; > -- my @tokens = ($value =~ m/($lexer)/g); > -+ my @tokens = ($value =~ m/($lexer)/og); > - > - my $eval = ''; > - my $bad = 0; > -@@ -573,6 +574,10 @@ sub cond_clause_plugin_loaded { > - > - sub cond_clause_can { > - my ($self, $method) = @_; > -+ if ($self->{currentfile} =~ q!/user_prefs$! 
) { > -+ warn "config: 'if can $method' not available in user_prefs"; > -+ return 0 > -+ } > - $self->cond_clause_can_or_has('can', $method); > - } > - > -@@ -591,7 +596,7 @@ sub cond_clause_can_or_has { > - } elsif ($method =~ /^(.*)::([^:]+)$/) { > - no strict "refs"; > - my($module, $meth) = ($1, $2); > -- return 1 if UNIVERSAL::can($module,$meth) && > -+ return 1 if $module->can($meth) && > - ( $fn_name eq 'has' || &{$method}() ); > - } else { > - $self->lint_warn("bad 'if' line, cannot find '::' in $fn_name($method), > ". > -@@ -984,14 +989,14 @@ sub _meta_deps_recurse { > - > - # Lex the rule into tokens using a rather simple RE method ... > - my $lexer = ARITH_EXPRESSION_LEXER; > -- my @tokens = ($rule =~ m/$lexer/g); > -+ my @tokens = ($rule =~ m/$lexer/og); > - > - # Go through each token in the meta rule > - my $conf_tests = $conf->{tests}; > - foreach my $token (@tokens) { > - # has to be an alpha+numeric token > -- # next if $token =~ /^(?:\W+|[+-]?\d+(?:\.\d+)?)$/; > -- next if $token !~ /^[A-Za-z_][A-Za-z0-9_]*\z/s; # faster > -+ next if $token =~ tr{A-Za-z0-9_}{}c || substr($token,0,1) =~ > tr{A-Za-z_}{}c; # even faster > -+ > - # and has to be a rule name > - next unless exists $conf_tests->{$token}; > - > -@@ -1178,25 +1183,25 @@ sub add_test { > - my $conf = $self->{conf}; > - > - # Don't allow invalid names ... > -- if ($name !~ /^\D\w*$/) { > -+ if ($name !~ /^[_[:alpha:]]\w*$/) { > - $self->lint_warn("config: error: rule '$name' has invalid characters ". > - "(not Alphanumeric + Underscore + starting with a non-digit)\n", > $name); > - return; > - } > - > -- # Also set a hard limit for ALL rules (rule names longer than 242 > -+ # Also set a hard limit for ALL rules (rule names longer than 40 > - # characters throw warnings). Check this separately from the above > - # pattern to avoid vague error messages. > -- if (length $name > 200) { > -- $self->lint_warn("config: error: rule '$name' is way too long ". 
> -+ if (length $name > 100) { > -+ $self->lint_warn("config: error: rule '$name' is too long ". > - "(recommended maximum length is 22 characters)\n", $name); > - return; > - } > - > - # Warn about, but use, long rule names during --lint > - if ($conf->{lint_rules}) { > -- if (length($name) > 50 && $name !~ /^__/ && $name !~ /^T_/) { > -- $self->lint_warn("config: warning: rule name '$name' is over 50 chars > ". > -+ if (length($name) > 40 && $name !~ /^__/ && $name !~ /^T_/) { > -+ $self->lint_warn("config: warning: rule name '$name' is over 40 chars > ". > - "(recommended maximum length is 22 characters)\n", $name); > - } > - } > -@@ -1286,12 +1291,18 @@ sub add_regression_test { > - sub is_meta_valid { > - my ($self, $name, $rule) = @_; > - > -+ # $meta is a degenerate translation of the rule, replacing all variables > (i.e. rule names) with 0. > - my $meta = ''; > - $rule = untaint_var($rule); # must be careful below > -+ # Bug #7557 code injection > -+ if ( $rule =~ /\S(::|->)\S/ ) { > -+ warn("is_meta_valid: Bogus rule $name: $rule") ; > -+ return 0; > -+ } > - > - # Lex the rule into tokens using a rather simple RE method ... > - my $lexer = ARITH_EXPRESSION_LEXER; > -- my @tokens = ($rule =~ m/$lexer/g); > -+ my @tokens = ($rule =~ m/$lexer/og); > - if (length($name) == 1) { > - for (@tokens) { > - print "$name $_\n " or die "Error writing token: $!"; > -@@ -1299,16 +1310,20 @@ sub is_meta_valid { > - } > - # Go through each token in the meta rule > - foreach my $token (@tokens) { > -- # Numbers can't be rule names > -- if ($token !~ /^[A-Za-z_][A-Za-z0-9_]*\z/s) { > -+ # If the token is a syntactically legal rule name, make it zero > -+ if ($token =~ /^[_[:alpha:]]\w+\z/s) { > -+ $meta .= "0 "; > -+ } > -+ # if it is a number or a string of 1 or 2 punctuation characters (i.e. 
> operators) tack it onto the degenerate rule > -+ elsif ( $token =~ /^(\d+|[[:punct:]]{1,2})\z/s ) { > - $meta .= "$token "; > - } > -- # Zero will probably cause more errors > -+ # WTF is it? Just warn, for now. Bug #7557 > - else { > -- $meta .= "0 "; > -+ $self->lint_warn("config: Strange rule token: $token", $name); > -+ $meta .= "$token "; > - } > - } > -- > - my $evalstr = 'my $x = ' . $meta . '; 1;'; > - if (eval $evalstr) { > - return 1; > Index: patches/patch-lib_Mail_SpamAssassin_Conf_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_Conf_pm > diff -N patches/patch-lib_Mail_SpamAssassin_Conf_pm > --- patches/patch-lib_Mail_SpamAssassin_Conf_pm 13 Mar 2018 07:51:59 > -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,43 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_Conf_pm,v 1.1 2018/03/13 07:51:59 > giovanni Exp $ > - > -Index: lib/Mail/SpamAssassin/Conf.pm > ---- lib/Mail/SpamAssassin/Conf.pm.orig > -+++ lib/Mail/SpamAssassin/Conf.pm > -@@ -2836,8 +2836,8 @@ C<header SYMBOLIC_TEST_NAME header =~ /\S/> rule as de > - =item header SYMBOLIC_TEST_NAME eval:name_of_eval_method([arguments]) > - > - Define a header eval test. C<name_of_eval_method> is the name of > --a method on the C<Mail::SpamAssassin::EvalTests> object. C<arguments> > --are optional arguments to the function call. > -+a method registered by a C<Mail::SpamAssassin::Plugin> object. > -+C<arguments> are optional arguments to the function call. > - > - =item header SYMBOLIC_TEST_NAME eval:check_rbl('set', 'zone' [, 'sub-test']) > - > -@@ -2950,7 +2950,10 @@ name. > - local ($1,$2); > - if ($value =~ /^(\S+)\s+(?:rbl)?eval:(.*)$/) { > - my ($rulename, $fn) = ($1, $2); > -- > -+ dbg("config: header eval rule name is $rulename function is $fn"); > -+ if ($fn !~ /^\w+(\(.*\))?$/) { > -+ return $INVALID_VALUE; > -+ } > - if ($fn =~ /^check_(?:rbl|dns)/) { > - $self->{parser}->add_test ($rulename, $fn, $TYPE_RBL_EVALS); > - } > -@@ -3008,7 +3011,13 @@ Define a body eval test. See above. 
> - my ($self, $key, $value, $line) = @_; > - local ($1,$2); > - if ($value =~ /^(\S+)\s+eval:(.*)$/) { > -- $self->{parser}->add_test ($1, $2, $TYPE_BODY_EVALS); > -+ my ($rulename, $fn) = ($1, $2); > -+ dbg("config: body eval rule name is $rulename function is $fn"); > -+ > -+ if ($fn !~ /^\w+(\(.*\))?$/) { > -+ return $INVALID_VALUE; > -+ } > -+ $self->{parser}->add_test ($rulename, $fn, $TYPE_BODY_EVALS); > - } > - else { > - my @values = split(/\s+/, $value, 2); > Index: patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm > diff -N patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm > --- patches/patch-lib_Mail_SpamAssassin_DnsResolver_pm 4 Mar 2016 > 00:05:35 -0000 1.4 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,82 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_DnsResolver_pm,v 1.4 2016/03/04 > 00:05:35 sthen Exp $ > ---- lib/Mail/SpamAssassin/DnsResolver.pm.orig Tue Apr 28 20:56:49 2015 > -+++ lib/Mail/SpamAssassin/DnsResolver.pm Thu Mar 3 23:59:55 2016 > -@@ -592,6 +592,9 @@ sub new_dns_packet { > - }; > - > - if ($packet) { > -+ # RD flag needs to be set explicitly since Net::DNS 1.01, Bug 7223 > -+ $packet->header->rd(1); > -+ > - # my $udp_payload_size = $self->{res}->udppacketsize; > - my $udp_payload_size = $self->{conf}->{dns_options}->{edns}; > - if ($udp_payload_size && $udp_payload_size > 512) { > -@@ -722,6 +725,37 @@ sub bgsend { > - > - ########################################################################### > - > -+=item $id = $res->bgread() > -+ > -+Similar to C<Net::DNS::Resolver::bgread>. Reads a DNS packet from > -+a supplied socket, decodes it, and returns a Net::DNS::Packet object > -+if successful. Dies on error. > -+ > -+=cut > -+ > -+sub bgread() { > -+ my ($self) = @_; > -+ my $sock = $self->{sock}; > -+ my $packetsize = $self->{res}->udppacketsize; > -+ $packetsize = 512 if $packetsize < 512; # just in case > -+ my $data = ''; > -+ my $peeraddr = $sock->recv($data, $packetsize+256); # with some size > margin for troubleshooting > -+ defined $peeraddr or die "bgread: recv() failed: $!"; > -+ my $peerhost = $sock->peerhost; > -+ $data ne '' or die "bgread: received empty packet from $peerhost"; > -+ dbg("dns: bgread: received %d bytes from %s", length($data), $peerhost); > -+ my($answerpkt, $decoded_length) = Net::DNS::Packet->new(\$data); > -+ $answerpkt or die "bgread: decoding DNS packet failed: $@"; > -+ $answerpkt->answerfrom($peerhost); > -+ if ($decoded_length ne length($data)) { > -+ warn sprintf("bgread: received a %d bytes packet from %s, decoded %d > bytes\n", > -+ length($data), $peerhost, $decoded_length); > -+ } > -+ return $answerpkt; > -+} > -+ > 
-+########################################################################### > -+ > - =item $nfound = $res->poll_responses() > - > - See if there are any C<bgsend> reply packets ready, and return > -@@ -769,13 +803,25 @@ sub poll_responses { > - $timeout = 0; # next time around collect whatever is available, then > exit > - last if $nfound == 0; > - > -- my $packet = $self->{res}->bgread($self->{sock}); > -+ my $packet; > -+ eval { > -+ $packet = $self->bgread(); > -+ } or do { > -+ undef $packet; > -+ my $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat; > -+ # resignal if alarm went off > -+ die $eval_stat if $eval_stat =~ /__alarm__ignore__\(.*\)/s; > -+ info("dns: bad dns reply: %s", $eval_stat); > -+ }; > - > -+# Bug 7265, use our own bgread() > -+# my $packet = $self->{res}->bgread($self->{sock}); > -+ > - if (!$packet) { > -- my $dns_err = $self->{res}->errorstring; > -- # resignal if alarm went off > -- die "dns (3) $dns_err\n" if $dns_err =~ /__alarm__ignore__\(.*\)/s; > -- info("dns: bad dns reply: $dns_err"); > -+ # error already reported above > -+# my $dns_err = $self->{res}->errorstring; > -+# die "dns (3) $dns_err\n" if $dns_err =~ /__alarm__ignore__\(.*\)/s; > -+# info("dns: bad dns reply: $dns_err"); > - } else { > - my $header = $packet->header; > - if (!$header) { > Index: patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm > diff -N patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm > --- patches/patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm 4 Mar > 2016 00:05:35 -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,25 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_Message_Metadata_Received_pm,v 1.1 > 2016/03/04 00:05:35 sthen Exp $ > ---- lib/Mail/SpamAssassin/Message/Metadata/Received.pm.orig Tue Apr 28 > 20:56:48 2015 > -+++ lib/Mail/SpamAssassin/Message/Metadata/Received.pm Thu Mar 3 > 23:59:55 2016 > -@@ -434,7 +434,8 @@ sub parse_received_line { > - $auth = 'Postfix'; > - } > - # Communigate Pro - Bug 6495 adds HTTP as possible transmission method > -- elsif (/CommuniGate Pro (HTTP|SMTP)/ && / \(account /) { > -+ # Bug 7277: XIMSS used by Pronto and other custom apps, IMAP > supports XMIT extension > -+ elsif (/CommuniGate Pro (HTTP|SMTP|XIMSS|IMAP)/ && / \(account /) { > - $auth = 'Communigate'; > - } > - # Microsoft Exchange (complete with syntax error) > -@@ -714,6 +715,11 @@ sub parse_received_line { > - # Received: from sc8-sf-sshgate.sourceforge.net (HELO > sc8-sf-netmisc.sourceforge.net) (66.35.250.220) by la.mx.develooper.com > (qpsmtpd/0.27-dev) with ESMTP; Fri, 02 Jan 2004 14:44:41 -0800 > - # Received: from mx10.topofferz.net (HELO ) (69.6.60.10) by > blazing.arsecandle.org with SMTP; 3 Mar 2004 20:34:38 -0000 > - if (/^(\S+) \((?:HELO|EHLO) (\S*)\) \((${IP_ADDRESS})\) by (\S+) > \(qpsmtpd\/\S+\) with (?:ESMTP|SMTP)/) { > -+ $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough; > -+ } > -+ > -+ # Received: from mail-backend.DDDD.com (LHLO mail-backend.DDDD.com) > (10.2.2.20) by mail-backend.DDDD.com with LMTP; Thu, 18 Jun 2015 16:50:56 > -0700 (PDT) > -+ if (/^(\S+) \(LHLO (\S*)\) \((${IP_ADDRESS})\) by (\S+) with LMTP/) { > - $rdns = $1; $helo = $2; $ip = $3; $by = $4; goto enough; > - } > - > Index: patches/patch-lib_Mail_SpamAssassin_Message_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_Message_pm > diff -N patches/patch-lib_Mail_SpamAssassin_Message_pm > --- patches/patch-lib_Mail_SpamAssassin_Message_pm 31 Oct 2017 07:41:51 > -0000 1.2 > +++ /dev/null 1 Jan 1970 
00:00:00 -0000 > @@ -1,27 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_Message_pm,v 1.2 2017/10/31 07:41:51 > giovanni Exp $ > - > -# bug 7447: Delete parse_queue in Message::finish() to prevent memory leak. > - > -Index: lib/Mail/SpamAssassin/Message.pm > ---- lib/Mail/SpamAssassin/Message.pm.orig > -+++ lib/Mail/SpamAssassin/Message.pm > -@@ -628,6 +628,9 @@ sub finish { > - delete $self->{'line_ending'}; > - delete $self->{'missing_head_body_separator'}; > - > -+ # Remove the queue variable, in case the body has not been parsed > -+ delete $self->{'parse_queue'}; > -+ > - my @toclean = ( $self ); > - > - # Go ahead and clean up all of the Message::Node parts > -@@ -1045,6 +1048,9 @@ sub _parse_normal { > - } > - elsif ($ct[3]) { > - $msg->{'name'} = $ct[3]; > -+ } > -+ if ($msg->{'name'}) { > -+ $msg->{'name'} = Encode::decode("MIME-Header", $msg->{'name'}); > - } > - > - $msg->{'boundary'} = $boundary; > Index: patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm > diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm > --- patches/patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm 4 Mar 2016 > 00:05:35 -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,87 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_DKIM_pm,v 1.1 2016/03/04 > 00:05:35 sthen Exp $ > ---- lib/Mail/SpamAssassin/Plugin/DKIM.pm.orig Tue Apr 28 20:56:47 2015 > -+++ lib/Mail/SpamAssassin/Plugin/DKIM.pm Thu Mar 3 23:59:55 2016 > -@@ -178,14 +178,19 @@ sub set_config { > - > - Works similarly to whitelist_from, except that in addition to matching > - an author address (From) to the pattern in the first parameter, the message > --must also carry a Domain Keys Identified Mail (DKIM) signature made by a > --signing domain (SDID, i.e. the d= tag) that is acceptable to us. > -+must also carry a valid Domain Keys Identified Mail (DKIM) signature made by > -+a signing domain (SDID, i.e. the d= tag) that is acceptable to us. > - > - Only one whitelist entry is allowed per line, as in C<whitelist_from_rcvd>. > - Multiple C<whitelist_from_dkim> lines are allowed. File-glob style > characters > - are allowed for the From address (the first parameter), just like with > --C<whitelist_from_rcvd>. The second parameter does not accept wildcards. > -+C<whitelist_from_rcvd>. > - > -+The second parameter (the signing-domain) does not accept full file-glob > style > -+wildcards, although a simple '*.' (or just a '.') prefix to a domain name > -+is recognized and implies any subdomain of the specified domain (but not > -+the domain itself). 
> -+ > - If no signing-domain parameter is specified, the only acceptable signature > - will be an Author Domain Signature (sometimes called first-party signature) > - which is a signature where the signing domain (SDID) of a signature matches > -@@ -205,7 +210,8 @@ Examples of whitelisting based on third-party signatur > - whitelist_from_dkim j...@example.net example.org > - whitelist_from_dkim r...@info.example.net example.net > - whitelist_from_dkim *@info.example.net example.net > -- whitelist_from_dkim *@* remailer.example.com > -+ whitelist_from_dkim *@* mail7.remailer.example.com > -+ whitelist_from_dkim *@* *.remailer.example.com > - > - =item def_whitelist_from_dkim aut...@example.com [signing-domain] > - > -@@ -376,7 +382,8 @@ some valid signature on a message has no reputational > - associated with a particular domain), regardless of its key size - anyone > can > - prepend its own signature on a copy of some third party mail and re-send it, > - which makes it no more trustworthy than without such signature. This is also > --a reason for a rule DKIM_VALID to have a near-zero score. > -+a reason for a rule DKIM_VALID to have a near-zero score, i.e. a rule hit > -+is only informational. > - > - =cut > - > -@@ -786,7 +793,8 @@ sub _check_dkim_signature { > - # Only do so if EDNS0 provides a reasonably-sized UDP payload size, > - # as our interface does not provide a DNS fallback to TCP, unlike > - # the Net::DNS::Resolver::send which does provide it. > -- my $res = $self->{main}->{resolver}->get_resolver; > -+ my $res = $self->{main}->{resolver}; > -+ dbg("dkim: providing our own resolver: %s", ref $res); > - Mail::DKIM::DNS::resolver($res); > - } > - } > -@@ -892,13 +900,13 @@ sub _check_dkim_signature { > - } > - } > - if (would_log("dbg","dkim")) { > -- dbg("dkim: %s %s, i=%s, d=%s, s=%s, a=%s, c=%s, %s, %s", > -+ dbg("dkim: %s %s, i=%s, d=%s, s=%s, a=%s, c=%s, %s, %s, %s", > - $info, > - $signature->isa('Mail::DKIM::DkSignature') ? 
'DK' : 'DKIM', > - map(!defined $_ ? '(undef)' : $_, > - $signature->identity, $d, $signature->selector, > - $signature->algorithm, scalar($signature->canonicalization), > -- $key_size ? "key_bits=$key_size" : (), > -+ $key_size ? "key_bits=$key_size" : "unknown key size", > - ($sig_result_supported ? $signature : $verifier)->result ), > - defined $d && $pms->{dkim_author_domains}->{$d} > - ? 'matches author domain' > -@@ -1257,8 +1265,12 @@ sub _wlcheck_list { > - # identity (AUID). Nevertheless, be prepared to accept the full > e-mail > - # address there for compatibility, and just ignore its local-part. > - > -- $acceptable_sdid = $1 if $acceptable_sdid =~ /\@([^\@]*)\z/; > -- $matches = 1 if $sdid eq lc $acceptable_sdid; > -+ $acceptable_sdid = $1 if $acceptable_sdid =~ /\@([^\@]*)\z/s; > -+ if ($acceptable_sdid =~ s/^\*?\.//s) { > -+ $matches = 1 if $sdid =~ /\.\Q$acceptable_sdid\E\z/si; > -+ } else { > -+ $matches = 1 if $sdid eq lc $acceptable_sdid; > -+ } > - } > - if ($matches) { > - if (would_log("dbg","dkim")) { > Index: patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm > diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm > --- patches/patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm 8 Mar 2018 > 07:30:00 -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,99 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_PDFInfo_pm,v 1.1 2018/03/08 > 07:30:00 giovanni Exp $ > - > -Index: lib/Mail/SpamAssassin/Plugin/PDFInfo.pm > ---- lib/Mail/SpamAssassin/Plugin/PDFInfo.pm.orig > -+++ lib/Mail/SpamAssassin/Plugin/PDFInfo.pm > -@@ -31,7 +31,7 @@ This plugin helps detected spam using attached PDF fil > - > - =item See "Usage:" below - more documentation see 20_pdfinfo.cf > - > -- Original info kept for history. > -+ Original info kept for history. For later changes see SVN repo > - ------------------------------------------------------- > - PDFInfo Plugin for SpamAssassin > - Version: 0.8 > -@@ -40,7 +40,6 @@ This plugin helps detected spam using attached PDF fil > - Modified: 2007-08-10 > - By: Dallas Engelken > - > -- > - Changes: > - 0.8 - added .fdf detection (thanks John Lundin) [axb] > - 0.7 - fixed empty body/pdf count buglet(thanks Jeremy) [axb] > -@@ -76,7 +75,6 @@ This plugin helps detected spam using attached PDF fil > - - removed all support for png, gif, and jpg from the code. > - - prepended pdf_ to all function names to avoid conflicts with > ImageInfo in SA 3.2. 
> - > -- > - Usage: > - > - pdf_count() > -@@ -144,14 +142,14 @@ package Mail::SpamAssassin::Plugin::PDFInfo; > - > - use Mail::SpamAssassin::Plugin; > - use Mail::SpamAssassin::Logger; > -+use Mail::SpamAssassin::Util; > - use strict; > - use warnings; > --use bytes; > -+# use bytes; > - use Digest::MD5 qw(md5_hex); > - use MIME::QuotedPrint; > - > --use vars qw(@ISA); > --@ISA = qw(Mail::SpamAssassin::Plugin); > -+our @ISA = qw(Mail::SpamAssassin::Plugin); > - > - # constructor: register the eval rule > - sub new { > -@@ -413,9 +411,9 @@ sub _find_pdf_mime_parts { > - > - foreach my $p (@parts) { > - my $type = $p->{'type'} =~ m@/([\w\-]+)$@; > -- my $name = $p->{'name'}; > -+ my $name = $p->{'name'} || ''; > - > -- my $cte = lc $p->get_header('content-transfer-encoding') || ''; > -+ my $cte = lc( $p->get_header('content-transfer-encoding') || '' ); > - > - dbg("pdfinfo: found part, type=".($type ? $type : '')." file=".($name ? > $name : '')." cte=".($cte ? $cte : '').""); > - > -@@ -441,7 +439,6 @@ sub _find_pdf_mime_parts { > - > - } > - > -- > - # ---------------------------------------- > - > - sub pdf_named { > -@@ -476,8 +473,12 @@ sub pdf_name_regex { > - > - my $hit = 0; > - foreach my $name (keys %{$pms->{'pdfinfo'}->{"names_pdf"}}) { > -- my $eval = 'if (q{'.$name.'} =~ '.$re.') { $hit = 1; } '; > -- eval $eval; > -+ eval { > -+ my $regex = Mail::SpamAssassin::Util::make_qr($re); > -+ if ( $name =~ m/$regex/ ) { > -+ $hit = 1; > -+ } > -+ }; > - dbg("pdfinfo: error in regex $re - $@") if $@; > - if ($hit) { > - dbg("pdfinfo: pdf_name_regex hit on $name"); > -@@ -722,9 +723,12 @@ sub pdf_match_details { > - return unless $check_value; > - > - my $hit = 0; > -- $check_value =~ s/[\{\}\\]//g; > -- my $eval = 'if (q{'.$check_value.'} =~ '.$regex.') { $hit = 1; }'; > -- eval $eval; > -+ eval { > -+ my $re = Mail::SpamAssassin::Util::make_qr($regex); > -+ if ( $check_value =~ m/$re/ ) { > -+ $hit = 1; > -+ } > -+ }; > - dbg("pdfinfo: error in regex $regex - 
$@") if $@; > - if ($hit) { > - dbg("pdfinfo: pdf_match_details $detail $regex matches $check_value"); > Index: patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm > diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm > --- patches/patch-lib_Mail_SpamAssassin_Plugin_SPF_pm 4 Mar 2016 00:05:35 > -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,24 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_SPF_pm,v 1.1 2016/03/04 > 00:05:35 sthen Exp $ > ---- lib/Mail/SpamAssassin/Plugin/SPF.pm.orig Tue Apr 28 20:56:47 2015 > -+++ lib/Mail/SpamAssassin/Plugin/SPF.pm Thu Mar 3 23:59:55 2016 > -@@ -232,7 +232,7 @@ working downwards until results are successfully parse > - =item has_check_for_spf_errors > - > - Adds capability check for "if can()" for check_for_spf_permerror, > check_for_spf_temperror, check_for_spf_helo_permerror and > check_for_spf_helo_permerror > -- > -+ > - =cut > - > - sub has_check_for_spf_errors { 1 } > -@@ -506,9 +506,9 @@ sub _check_spf { > - $self->{spf_server} = Mail::SPF::Server->new( > - hostname => $scanner->get_tag('HOSTNAME'), > - dns_resolver => $self->{main}->{resolver}, > -- max_dns_interactive_terms => 15); > -+ max_dns_interactive_terms => 20); > - # Bug 7112: max_dns_interactive_terms defaults to 10, but even 14 is > -- # not enough for ebay.com, setting it to 15 > -+ # not enough for ebay.com, setting it to 15 NOTE: raising to 20 per > bug 7182 > - 1; > - } or do { > - $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat; > Index: patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm > diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm > --- patches/patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm 4 Mar 2016 > 00:05:35 -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,28 +0,0 @@ > -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_URIDNSBL_pm,v 1.1 2016/03/04 > 00:05:35 sthen Exp $ > ---- lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm.orig Tue Apr 28 20:56:47 2015 > -+++ lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm Thu Mar 3 23:59:55 2016 > -@@ -942,9 +942,8 @@ sub complete_ns_lookup { > - next unless (defined($str) && defined($dom)); > - dbg("uridnsbl: got($j) NS for $dom: $str"); > - > -- if ($str =~ /IN\s+NS\s+(\S+)/) { > -- my $nsmatch = lc $1; > -- $nsmatch =~ s/\.$//; > -+ if ($rr->type eq 'NS') { > -+ my $nsmatch = lc $rr->nsdname; # available since at least Net::DNS > 0.14 > - my $nsrhblstr = $nsmatch; > - my $fullnsrhblstr = $nsmatch; > - > -@@ -1025,9 +1024,9 @@ sub complete_a_lookup { > - } > - dbg("uridnsbl: complete_a_lookup got(%d) A for %s: %s", $j,$hname,$str); > - > -- local $1; > -- if ($str =~ /IN\s+A\s+(\S+)/) { > -- $self->lookup_dnsbl_for_ip($pms, $ent->{obj}, $1); > -+ if ($rr->type eq 'A') { > -+ my $ip_address = $rr->rdatastr; > -+ $self->lookup_dnsbl_for_ip($pms, $ent->{obj}, $ip_address); > - } > - } > - } > Index: patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm > =================================================================== > RCS file: patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm > diff -N patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm > --- patches/patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm 6 Feb 2018 > 07:58:03 -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,34 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Plugin_URILocalBL_pm,v 1.1 2018/02/06
> 07:58:03 giovanni Exp $
> -
> -Compatibility patches for perl 5.23+
> -
> -Index: lib/Mail/SpamAssassin/Plugin/URILocalBL.pm
> ---- lib/Mail/SpamAssassin/Plugin/URILocalBL.pm.orig
> -+++ lib/Mail/SpamAssassin/Plugin/URILocalBL.pm
> -@@ -350,7 +350,7 @@ sub check_uri_local_bl {
> - # look for W3 links only
> - next unless (defined $info->{types}->{a});
> -
> -- while (my($host, $domain) = each $info->{hosts}) {
> -+ while (my($host, $domain) = each %{$info->{hosts}}) {
> -
> - # skip if the domain name was matched
> - if (exists $rule->{exclusions} && exists
> $rule->{exclusions}->{$domain}) {
> -@@ -374,7 +374,7 @@ sub check_uri_local_bl {
> - }
> -
> - if (exists $rule->{countries}) {
> -- dbg("check: uri_local_bl countries %s\n", join(' ', sort keys
> $rule->{countries}));
> -+ dbg("check: uri_local_bl countries %s\n", join(' ', sort keys
> %{$rule->{countries}}));
> -
> - my $cc = $self->{geoip}->country_code_by_addr($ip);
> -
> -@@ -403,7 +403,7 @@ sub check_uri_local_bl {
> - }
> -
> - if (exists $rule->{isps}) {
> -- dbg("check: uri_local_bl isps %s\n", join(' ', map { '"' . $_ .
> '"'; } sort keys $rule->{isps}));
> -+ dbg("check: uri_local_bl isps %s\n", join(' ', map { '"' . $_ .
> '"'; } sort keys %{$rule->{isps}}));
> -
> - my $isp = $self->{geoisp}->isp_by_name($ip);
> -
> Index: patches/patch-lib_Mail_SpamAssassin_Util_pm
> ===================================================================
> RCS file: patches/patch-lib_Mail_SpamAssassin_Util_pm
> diff -N patches/patch-lib_Mail_SpamAssassin_Util_pm
> --- patches/patch-lib_Mail_SpamAssassin_Util_pm 23 Feb 2018 17:07:35
> -0000 1.4
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,96 +0,0 @@
> -$OpenBSD: patch-lib_Mail_SpamAssassin_Util_pm,v 1.4 2018/02/23 17:07:35
> giovanni Exp $
> -Index: lib/Mail/SpamAssassin/Util.pm
> ---- lib/Mail/SpamAssassin/Util.pm.orig
> -+++ lib/Mail/SpamAssassin/Util.pm
> -@@ -62,7 +62,8 @@ BEGIN {
> - @EXPORT_OK = qw(&local_tz &base64_decode &untaint_var &untaint_file_path
> - &exit_status_str &proc_status_ok &am_running_on_windows
> - &reverse_ip_address &decode_dns_question_entry
> -- &secure_tmpfile &secure_tmpdir &uri_list_canonicalize);
> -+ &secure_tmpfile &secure_tmpdir &uri_list_canonicalize
> -+ &get_user_groups);
> - }
> -
> - use Mail::SpamAssassin;
> -@@ -108,7 +109,7 @@ BEGIN {
> - if ( !$displayed_path++ ) {
> - dbg("util: current PATH is:
> ".join($Config{'path_sep'},File::Spec->path()));
> - }
> -- foreach my $path (File::Spec->path()) {
> -+ foreach my $path (File::Spec->path(), qw(${LOCALBASE}/bin
> ${LOCALBASE}/sbin)) {
> - my $fname = File::Spec->catfile ($path, $filename);
> - if ( -f $fname ) {
> - if (-x $fname) {
> -@@ -988,6 +989,18 @@ sub parse_content_type {
> - my($charset) = $ct =~ /\bcharset\s*=\s*["']?(.*?)["']?(?:;|$)/i;
> - my($name) = $ct =~ /\b(?:file)?name\s*=\s*["']?(.*?)["']?(?:;|$)/i;
> -
> -+ # RFC 2231 section 3: Parameter Value Continuations
> -+ # support continuations for name values
> -+ #
> -+ if (!$name && $ct =~ /\b(?:file)?name\*0\s*=/i) {
> -+
> -+ my @name;
> -+ $name[$1] = $2
> -+ while ($ct =~
> /\b(?:file)?name\*(\d+)\s*=\s*["']?(.*?)["']?(?:;|$)/ig);
> -+
> -+ $name = join "", grep defined, @name;
> -+ }
> -+
> - # Get the actual MIME type out ...
> - # Note: the header content may not be whitespace unfolded, so make sure
> the
> - # REs do /s when appropriate.
> -@@ -1493,13 +1506,43 @@ sub receive_date {
> - }
> -
> - ###########################################################################
> -+sub get_user_groups {
> -+ my $suid = shift;
> -+ dbg("get_user_groups: uid is $suid\n");
> -+ my ( $user, $passwd, $uid, $gid, $quota, $comment, $gcos, $dir, $shell,
> $expire ) = getpwuid($suid);
> -+ my $rgids="$gid ";
> -+ while ( my($name,$pw,$gid,$members) = getgrent() ) {
> -+ if ( $members =~ m/\b$user\b/ ) {
> -+ $rgids .= "$gid ";
> -+ dbg("get_user_groups: added $gid ($name) to group list which is now:
> $rgids\n");
> -+ }
> -+ }
> -+ endgrent;
> -+ chop $rgids;
> -+ return ($rgids);
> -+}
> -
> -+
> -+
> - sub setuid_to_euid {
> - return if (RUNNING_ON_WINDOWS);
> -
> - # remember the target uid, the first number is the important one
> - my $touid = $>;
> --
> -+ my $gids = get_user_groups($touid);
> -+ my ( $pgid, $supgs ) = split (' ',$gids,2);
> -+ defined $supgs or $supgs=$pgid;
> -+ if ($( != $pgid) {
> -+ # Gotta be root for any of this to work
> -+ $> = 0 ;
> -+ dbg("util: changing real primary gid from $( to $pgid and supplemental
> groups to $supgs to match effective uid $touid");
> -+ POSIX::setgid($pgid);
> -+ dbg("util: POSIX::setgid($pgid) set errno to $!");
> -+ $! = 0;
> -+ $( = $pgid;
> -+ $) = "$pgid $supgs";
> -+ dbg("util: assignment \$) = $pgid $supgs set errno to $!");
> -+ }
> - if ($< != $touid) {
> - dbg("util: changing real uid from $< to match effective uid $touid");
> - # bug 3586: kludges needed to work around platform dependent behavior
> assigning to $<
> -@@ -1574,7 +1617,7 @@ sub helper_app_pipe_open_unix {
> - eval {
> - # go setuid...
> - setuid_to_euid();
> -- dbg("util: setuid: ruid=$< euid=$>");
> -+ info("util: setuid: ruid=$< euid=$> rgid=$( egid=$) ");
> -
> - # now set up the fds. due to some wierdness, we may have to ensure that
> - # we *really* close the correct fd number, since some other code may
> have
> Index: patches/patch-spamc_libspamc_c
> ===================================================================
> RCS file: patches/patch-spamc_libspamc_c
> diff -N patches/patch-spamc_libspamc_c
> --- patches/patch-spamc_libspamc_c 23 May 2015 14:18:55 -0000 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,21 +0,0 @@
> -$OpenBSD: patch-spamc_libspamc_c,v 1.3 2015/05/23 14:18:55 bluhm Exp $
> ---- spamc/libspamc.c.orig Tue Apr 28 21:56:59 2015
> -+++ spamc/libspamc.c Wed May 20 19:53:07 2015
> -@@ -1216,7 +1216,7 @@ int message_filter(struct transport *tp, const char *u
> - if (flags & SPAMC_TLSV1) {
> - meth = TLSv1_client_method();
> - } else {
> -- meth = SSLv3_client_method(); /* default */
> -+ meth = SSLv23_client_method(); /* default */
> - }
> - SSL_load_error_strings();
> - ctx = SSL_CTX_new(meth);
> -@@ -1604,7 +1604,7 @@ int message_tell(struct transport *tp, const char *use
> - if (flags & SPAMC_USE_SSL) {
> - #ifdef SPAMC_SSL
> - SSLeay_add_ssl_algorithms();
> -- meth = SSLv3_client_method();
> -+ meth = SSLv23_client_method();
> - SSL_load_error_strings();
> - ctx = SSL_CTX_new(meth);
> - #else
> Index: patches/patch-spamd_spamd_raw
> ===================================================================
> RCS file: patches/patch-spamd_spamd_raw
> diff -N patches/patch-spamd_spamd_raw
> --- patches/patch-spamd_spamd_raw 23 Feb 2018 17:07:35 -0000 1.9
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,98 +0,0 @@
> -$OpenBSD: patch-spamd_spamd_raw,v 1.9 2018/02/23 17:07:35 giovanni Exp $
> -Index: spamd/spamd.raw
> ---- spamd/spamd.raw.orig
> -+++ spamd/spamd.raw
> -@@ -246,7 +246,8 @@ use Mail::SpamAssassin::SubProcBackChannel;
> - use Mail::SpamAssassin::SpamdForkScaling qw(:pfstates);
> - use Mail::SpamAssassin::Logger qw(:DEFAULT log_message);
> - use Mail::SpamAssassin::Util qw(untaint_var untaint_file_path
> -- exit_status_str am_running_on_windows);
> -+ exit_status_str am_running_on_windows
> -+ get_user_groups);
> - use Mail::SpamAssassin::Timeout;
> -
> - use Getopt::Long;
> -@@ -1071,7 +1072,6 @@ sub server_sock_setup_inet {
> - $sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP'
> - && IO::Socket::IP->VERSION >= 0.09;
> - %sockopt = (%sockopt, (
> -- SSL_version => $sslversion,
> - SSL_verify_mode => 0x00,
> - SSL_key_file => $opt{'server-key'},
> - SSL_cert_file => $opt{'server-cert'},
> -@@ -1092,7 +1092,8 @@ sub server_sock_setup_inet {
> - if (!$server_inet) {
> - $diag = sprintf("could not create %s socket on [%s]:%s: %s",
> - $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
> -- $adr, $port, $!);
> -+ $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
> -+ "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
> - push(@diag_fail, $diag);
> - } else {
> - $diag = sprintf("created %s socket on [%s]:%s",
> -@@ -1369,10 +1370,20 @@ sub spawn {
> - # bug 5518: assignments to $) and $( don't always work on all
> platforms
> - # bug 3900: assignments to $> and $< problems with BSD perl bug
> - # use the POSIX functions to hide the platform specific workarounds
> -+ dbg("spamd: Privilege de-escalation from user $< and groups $(\n");
> -+ $! = 0;
> - POSIX::setgid($ugid); # set effective and real gid
> -+ dbg("spamd: setgid ERRNO is $!\n");
> -+ $( = $ugid;
> -+ $) = "$ugid ".(get_user_groups($uuid)); # set effective and real
> gid/grouplist another way because we lack initgroups in Perl
> -+ dbg("spamd: group assignment ERRNO is $!\n");
> - POSIX::setuid($uuid); # set effective and real UID
> -+ dbg("spamd: setuid ERRNO is $!\n");
> - $< = $uuid; $> = $uuid; # bug 5574
> -+ dbg("spamd: uid assignment ERRNO is $!\n");
> -+ dbg("spamd: real user is $< \neff user is $> \nreal groups are $(
> \neff groups are $) \n");
> -
> -+
> - # keep the sanity check to catch problems like bug 3900 just in case
> - if ( $> != $uuid and $> != ( $uuid - 2**32 ) ) {
> - die "spamd: setuid to uid $uuid failed (> = $>, < = $<)\n";
> -@@ -1521,7 +1532,7 @@ sub accept_from_any_server_socket {
> - } # end multiple sockets case
> -
> - if ($selected_socket_info) {
> -- my $socket = $selected_socket_info->{socket};
> -+ $socket = $selected_socket_info->{socket};
> - $socket or die "no socket???, impossible";
> - dbg("spamd: accept() on fd %d", $selected_socket_info->{fd});
> - $client = $socket->accept;
> -@@ -1726,7 +1737,7 @@ sub handle_setuid_to_user {
> - my ($name, $pwd, $uid, $gid, $quota, $comment, $gcos, $dir, $etc) =
> - getpwnam('nobody');
> -
> -- $) = "$gid $gid"; # eGID
> -+ $) = (get_user_groups($uid)); # eGID
> - $> = $uid; # eUID
> - if (!defined($uid) || ($> != $uid and $> != ($uid - 2**32))) {
> - die("spamd: setuid to nobody failed");
> -@@ -2488,7 +2499,7 @@ sub handle_user_setuid_basic {
> - }
> -
> - if ($setuid_to_user) {
> -- $) = "$gid $gid"; # change eGID
> -+ $) = (get_user_groups($uid)); # change eGID
> - $> = $uid; # change eUID
> - if ( !defined($uid) || ( $> != $uid and $> != ( $uid - 2**32 ) ) ) {
> - # make it fatal to avoid security breaches
> -@@ -2710,7 +2721,7 @@ sub handle_user_setuid_with_sql {
> - }
> -
> - if ($setuid_to_user) {
> -- $) = "$gid $gid"; # change eGID
> -+ $) = (get_user_groups($uid)); # change eGID
> - $> = $uid; # change eUID
> - if (!defined($uid) || ($> != $uid and $> != ($uid - 2**32))) {
> - # make it fatal to avoid security breaches
> -@@ -2755,7 +2766,7 @@ sub handle_user_setuid_with_ldap {
> - }
> -
> - if ($setuid_to_user) {
> -- $) = "$gid $gid"; # change eGID
> -+ $) = (get_user_groups($uid)); # change eGID
> - $> = $uid; # change eUID
> - if (!defined($uid) || ($> != $uid and $> != ($uid - 2**32))) {
> - # make it fatal to avoid security breaches
> Index: patches/patch-t_SATest_pm
> ===================================================================
> RCS file: patches/patch-t_SATest_pm
> diff -N patches/patch-t_SATest_pm
> --- patches/patch-t_SATest_pm 7 Nov 2017 07:39:07 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,14 +0,0 @@
> -$OpenBSD: patch-t_SATest_pm,v 1.1 2017/11/07 07:39:07 giovanni Exp $
> -
> -Index: t/SATest.pm
> ---- t/SATest.pm.orig
> -+++ t/SATest.pm
> -@@ -1027,7 +1027,7 @@ sub can_use_net_dns_safely {
> - # (which is used by Net::DNS)
> -
> - return 1 if ($< != 0);
> -- return 1 if ($^O =~ /^(linux|mswin|dos|os2)/oi);
> -+ return 1 if ($^O =~ /^(linux|mswin|dos|os2|openbsd)/oi);
> -
> - my $has_unsafe_hostname =
> - eval { require Sys::Hostname::Long && Sys::Hostname::Long->VERSION <
> 1.4 };
> Index: patches/patch-t_sa_compile_t
> ===================================================================
> RCS file:
> /var/cvs/ports/mail/p5-Mail-SpamAssassin/patches/patch-t_sa_compile_t,v
> retrieving revision 1.3
> diff -u -p -r1.3 patch-t_sa_compile_t
> --- patches/patch-t_sa_compile_t 23 May 2015 14:18:55 -0000 1.3
> +++ patches/patch-t_sa_compile_t 25 Aug 2018 17:29:40 -0000
> @@ -1,21 +1,14 @@
> $OpenBSD: patch-t_sa_compile_t,v 1.3 2015/05/23 14:18:55 bluhm Exp $
> ---- t/sa_compile.t.orig Tue Apr 28 21:56:58 2015
> -+++ t/sa_compile.t Tue May 12 22:36:36 2015
> -@@ -8,8 +8,7 @@ use Config;
> +Index: t/sa_compile.t
> +--- t/sa_compile.t.orig
> ++++ t/sa_compile.t
> +@@ -12,8 +12,7 @@ use Config;
> use File::Basename;
> use File::Path qw/mkpath/;
>
> -my $temp_binpath = $Config{sitebinexp};
> --$temp_binpath =~ s/^\Q$Config{prefix}\E//;
> +-$temp_binpath =~ s|^\Q$Config{siteprefixexp}\E/||;
> +my $temp_binpath = "bin";
>
> - # called from BEGIN
> - sub re2c_version_new_enough {
> -@@ -65,6 +64,7 @@ sub new_instdir {
> - $instdir = $instbase.".".(shift);
> - print "\nsetting new instdir: $instdir\n";
> - $INST_FROM_SCRATCH and system("rm -rf $instdir; mkdir $instdir");
> -+ system("mkdir -p $instdir/foo/etc/mail/spamassassin");
> - }
> -
> - sub run_makefile_pl {
> + use Test::More;
> + plan skip_all => "Long running tests disabled" unless
> conf_bool('run_long_tests');
> Index: patches/patch-t_spf_t
> ===================================================================
> RCS file: patches/patch-t_spf_t
> diff -N patches/patch-t_spf_t
> --- patches/patch-t_spf_t 7 Nov 2017 07:39:07 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,22 +0,0 @@
> -$OpenBSD: patch-t_spf_t,v 1.1 2017/11/07 07:39:07 giovanni Exp $
> -
> -Index: t/spf.t
> ---- t/spf.t.orig
> -+++ t/spf.t
> -@@ -12,6 +12,7 @@ use constant HAS_MAILSPF => eval { require Mail::SPF;
> - # on non-Linux unices as root, due to a bug in Sys::Hostname::Long
> - # (it is used by Mail::SPF::Query, which is now obsoleted by Mail::SPF)
> - use constant IS_LINUX => $^O eq 'linux';
> -+use constant IS_OPENBSD => $^O eq 'openbsd';
> - use constant IS_WINDOWS => ($^O =~ /^(mswin|dos|os2)/oi);
> - use constant AM_ROOT => $< == 0;
> -
> -@@ -20,7 +21,7 @@ use constant HAS_UNSAFE_HOSTNAME => # Bug 3806 - modu
> -
> - use constant DO_RUN =>
> - TEST_ENABLED && (HAS_SPFQUERY || HAS_MAILSPF) &&
> -- (!HAS_UNSAFE_HOSTNAME || !AM_ROOT || IS_LINUX || IS_WINDOWS);
> -+ (!HAS_UNSAFE_HOSTNAME || !AM_ROOT || IS_LINUX || IS_WINDOWS ||
> IS_OPENBSD);
> -
> - BEGIN {
> -
> Index: pkg/PLIST
> ===================================================================
> RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/pkg/PLIST,v
> retrieving revision 1.36
> diff -u -p -r1.36 PLIST
> --- pkg/PLIST 4 Sep 2018 12:46:15 -0000 1.36
> +++ pkg/PLIST 10 Sep 2018 07:35:40 -0000
> @@ -3,6 +3,12 @@
> @newgroup _spamdaemon:506
> @newuser
> _spamdaemon:506:506:daemon:SpamAssassin:${LOCALSTATEDIR}:/sbin/nologin
> @extraunexec rm -rf ${CONFDIR}/sa-update-keys
> +@rcscript ${RCDIR}/spamassassin
> +@owner _spamdaemon
> +@group _spamdaemon
> +@sample ${LOCALSTATEDIR}/
> +@owner
> +@group
> bin/sa-awl
> bin/sa-check_spamd
> bin/sa-compile
> @@ -79,8 +85,10 @@ ${P5SITE}/Mail/SpamAssassin/Plugin/DCC.p
> ${P5SITE}/Mail/SpamAssassin/Plugin/DKIM.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/DNSEval.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/FreeMail.pm
> +${P5SITE}/Mail/SpamAssassin/Plugin/FromNameSpoof.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/HTMLEval.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/HTTPSMismatch.pm
> +${P5SITE}/Mail/SpamAssassin/Plugin/HashBL.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Hashcash.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/HeaderEval.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/ImageInfo.pm
> @@ -89,11 +97,13 @@ ${P5SITE}/Mail/SpamAssassin/Plugin/MIMEH
> ${P5SITE}/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/PDFInfo.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/PhishTag.pm
> +${P5SITE}/Mail/SpamAssassin/Plugin/Phishing.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Pyzor.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Razor2.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/RelayCountry.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/RelayEval.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/ReplaceTags.pm
> +${P5SITE}/Mail/SpamAssassin/Plugin/ResourceLimits.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Reuse.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/Rule2XSBody.pm
> ${P5SITE}/Mail/SpamAssassin/Plugin/SPF.pm
> @@ -118,9 +128,9 @@ ${P5SITE}/Mail/SpamAssassin/SubProcBackC
> ${P5SITE}/Mail/SpamAssassin/Timeout.pm
> ${P5SITE}/Mail/SpamAssassin/Util/
> ${P5SITE}/Mail/SpamAssassin/Util.pm
> +@comment ${P5SITE}/Mail/SpamAssassin/Util.pm.beforesubst
> ${P5SITE}/Mail/SpamAssassin/Util/DependencyInfo.pm
> ${P5SITE}/Mail/SpamAssassin/Util/Progress.pm
> -${P5SITE}/Mail/SpamAssassin/Util/RegistrarBoundaries.pm
> ${P5SITE}/Mail/SpamAssassin/Util/ScopedTimer.pm
> ${P5SITE}/Mail/SpamAssassin/Util/TieOneStringHash.pm
> ${P5SITE}/Mail/SpamAssassin/Util/TinyRedis.pm
> @@ -174,16 +184,20 @@ ${P5SITE}/spamassassin-run.pod
> @man man/man3p/Mail::SpamAssassin::Plugin::DCC.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::DKIM.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::DNSEval.3p
> +@man man/man3p/Mail::SpamAssassin::Plugin::FromNameSpoof.3p
> +@man man/man3p/Mail::SpamAssassin::Plugin::HashBL.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Hashcash.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::MIMEEval.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::MIMEHeader.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::OneLineBodyRuleType.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::PDFInfo.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::PhishTag.3p
> +@man man/man3p/Mail::SpamAssassin::Plugin::Phishing.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Pyzor.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Razor2.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::RelayCountry.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::ReplaceTags.3p
> +@man man/man3p/Mail::SpamAssassin::Plugin::ResourceLimits.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Reuse.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::Rule2XSBody.3p
> @man man/man3p/Mail::SpamAssassin::Plugin::SPF.3p
> @@ -205,7 +219,6 @@ ${P5SITE}/spamassassin-run.pod
> @man man/man3p/Mail::SpamAssassin::Util.3p
> @man man/man3p/Mail::SpamAssassin::Util::DependencyInfo.3p
> @man man/man3p/Mail::SpamAssassin::Util::Progress.3p
> -@man man/man3p/Mail::SpamAssassin::Util::RegistrarBoundaries.3p
> @man man/man3p/spamassassin-run.3p
> share/doc/SpamAssassin/
> share/doc/SpamAssassin/CREDITS
> @@ -242,6 +255,7 @@ share/examples/SpamAssassin/init.pre
> @sample ${CONFDIR}/init.pre
> share/examples/SpamAssassin/local.cf
> @sample ${CONFDIR}/local.cf
> +@comment share/examples/SpamAssassin/svn_only.pre
> share/examples/SpamAssassin/v310.pre
> @sample ${CONFDIR}/v310.pre
> share/examples/SpamAssassin/v312.pre
> @@ -254,6 +268,8 @@ share/examples/SpamAssassin/v340.pre
> @sample ${CONFDIR}/v340.pre
> share/examples/SpamAssassin/v341.pre
> @sample ${CONFDIR}/v341.pre
> +share/examples/SpamAssassin/v342.pre
> +@sample ${CONFDIR}/v342.pre
> share/spamassassin/
> share/spamassassin/10_default_prefs.cf
> share/spamassassin/10_hasbase.cf
> @@ -303,7 +319,9 @@ share/spamassassin/50_scores.cf
> share/spamassassin/60_adsp_override_dkim.cf
> share/spamassassin/60_awl.cf
> share/spamassassin/60_shortcircuit.cf
> +share/spamassassin/60_txrep.cf
> share/spamassassin/60_whitelist.cf
> +share/spamassassin/60_whitelist_auth.cf
> share/spamassassin/60_whitelist_dkim.cf
> share/spamassassin/60_whitelist_spf.cf
> share/spamassassin/60_whitelist_subject.cf
> @@ -319,7 +337,3 @@ share/spamassassin/local.cf
> share/spamassassin/regression_tests.cf
> share/spamassassin/sa-update-pubkey.txt
> share/spamassassin/user_prefs.template
> -@rcscript ${RCDIR}/spamassassin
> -@owner _spamdaemon
> -@group _spamdaemon
> -@sample ${LOCALSTATEDIR}/
> Index: pkg/spamassassin.rc
> ===================================================================
> RCS file: /var/cvs/ports/mail/p5-Mail-SpamAssassin/pkg/spamassassin.rc,v
> retrieving revision 1.6
> diff -u -p -r1.6 spamassassin.rc
> --- pkg/spamassassin.rc 11 Jan 2018 19:27:03 -0000 1.6
> +++ pkg/spamassassin.rc 25 Aug 2018 17:57:33 -0000
> @@ -7,6 +7,6 @@ daemon_flags="-u _spamdaemon -P"
>
> . /etc/rc.d/rc.subr
>
> -pexp="perl: ${daemon}${daemon_flags:+ ${daemon_flags}}"
> +pexp="/usr/bin/perl -T -w ${daemon}${daemon_flags:+ ${daemon_flags}}"
>
> rc_cmd $1
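Review bot: The new `pexp` in the pkg/spamassassin.rc hunk hard-codes the interpreter path and switches (`/usr/bin/perl -T -w`), and nothing in the script says what that string has to stay in sync with. rc.subr presumably matches `pexp` against the full command line of the running daemon, so if the `#!` line of `${daemon}` changes in a later update (another perl path or a different set of flags), the `check` and `stop` actions would stop finding spamd without reporting an error, and a restart could leave the old process running. A one-line comment above the assignment would make the dependency visible, for example `# must match the #! line of ${daemon} plus its arguments; re-check on every update`.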