ANNOUNCE: Apache SpamAssassin 3.4.5 available
On behalf of the Apache SpamAssassin Project, I am pleased to announce version 3.4.5 is available.

Release Notes -- Apache SpamAssassin -- Version 3.4.5

Introduction
------------

Apache SpamAssassin 3.4.5 is primarily a security release. In this release, there are bug fixes for one CVE.

*** On March 1, 2020, we stopped publishing rulesets with SHA-1 signatures. If you do not update to 3.4.2 or later, you will be stuck at the last ruleset with SHA-1 signatures. Such an upgrade should be to 3.4.5 to obtain the contained security fixes ***

*** Ongoing development on the 3.4 branch has ceased. All future releases and bug fixes will be on the 4.0 series, unless a new security issue is found that necessitates a 3.4.6 release. ***

Many thanks to the committers, contributors, rule testers, mass checkers, and code testers who have made this release possible.

Notable features:
=================

None noted.

Notable changes
---------------

In addition to the CVE which shall be announced separately, this release includes fixes for the following:

- Improvements to OLEVBMacro and AskDNS plugins
- Received and EnvelopeFrom headers matching improvements
- userpref SQL schema fixes
- rbl and hashbl evaluation improvements
- fix for non working TxRep tag names
- man page fixes

New configuration options
-------------------------

None noted.

Notable Internal changes
------------------------

None noted.

Other updates
-------------

None noted.

Optimizations
-------------

None noted.

Downloading and availability
----------------------------

Downloads are available from:

https://spamassassin.apache.org/downloads.cgi

sha256sum of archive files:

sha512sum of archive files:

Note that the *-rules-*.tgz files are only necessary if you cannot, or do not wish to, run "sa-update" after install to download the latest fresh rules.

See the INSTALL and UPGRADE files in the distribution for important installation notes.

GPG Verification Procedure
--------------------------

The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file.

The signing key is available via the keys.gnupg.net or keys.openpgp.org key servers, as well as https://www.apache.org/dist/spamassassin/KEYS

The following key is used to sign releases after, and including SA 3.3.0:

  pub   4096R/F7D39814 2009-12-02
        Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
  uid   SpamAssassin Project Management Committee
  uid   SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B)
  sub   4096R/7B3265A5 2009-12-02

The following key is used to sign rule updates:

  pub   4096R/5244EC45 2005-12-20
        Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
  uid   updates.spamassassin.org Signing Key
  sub   4096R/24F434CE 2005-12-20

To verify a release file, download the file with the accompanying .asc file and run the following commands:

  gpg --verbose --keyserver keys.gnupg.net --recv-key FDE52F40F7D39814
  gpg --verify Mail-SpamAssassin-3.4.5.tar.bz2.asc
  gpg --fingerprint FDE52F40F7D39814

Then verify that the key matches the signature.

Note that older versions of gnupg may not be able to complete the steps above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11 worked flawlessly.

See https://www.apache.org/info/verification.html for more information on verifying Apache releases.

About Apache SpamAssassin
-------------------------

Apache SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify spam. SpamAssassin uses a variety of mechanisms including mail header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. In addition, Apache SpamAssassin has a modular
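
One way to automate the last step of the GPG Verification Procedure in the 3.4.5 announcement above ("verify that the key matches the signature"), as an added example that is not part of the original announcement or the SpamAssassin project's own code. It assumes gpg is installed and the release key has already been imported; the function names and the sample status record are constructed for illustration.

```shell
#!/bin/sh
# Added example: enforce the release-key fingerprint printed in the announcement
# instead of comparing it by eye after `gpg --verify`.

# Release signing key fingerprint from the announcement, spaces removed.
PINNED_FPR="D8099BC79E17D7E49BC21E31FDE52F40F7D39814"

# Read `gpg --status-fd` lines on stdin and print the primary-key fingerprint of
# the first VALIDSIG record. VALIDSIG carries ten arguments; the first can be a
# signing subkey, the tenth (awk field 12) is the primary key to pin against.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && NF >= 12 { print toupper($12); ok = 1; exit }
         END { exit !ok }'
}

# Succeed only if the status output saved in file $1 reports a valid signature
# whose primary key is the pinned release key.
signed_by_pinned_key() {
    fpr=$(primary_fpr_from_status < "$1") || return 1
    [ "$fpr" = "$PINNED_FPR" ]
}

# verify_release ARCHIVE: check ARCHIVE against ARCHIVE.asc. Assumes gpg is
# installed and the release key is already in the keyring.
verify_release() {
    status_file=$(mktemp) || return 1
    rc=1
    if gpg --batch --status-fd 3 --verify "$1.asc" "$1" 3>"$status_file" 2>/dev/null &&
       signed_by_pinned_key "$status_file"; then
        rc=0
    fi
    rm -f "$status_file"
    return "$rc"
}

# Constructed sample status output (date, timestamp and algorithm fields are
# illustrative); $1 is the fingerprint to place in the VALIDSIG record.
sample_status() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] VALIDSIG %s 2021-03-24 1616544000 0 4 0 1 10 00 %s\n' "$1" "$1"
}

# Verify a real download only when a file name is given on the command line.
if [ "$#" -gt 0 ]; then
    verify_release "$1" || { echo "signature check failed: $1" >&2; exit 1; }
    echo "valid signature from pinned key: $1"
fi
```

The check fails closed: a signature from any other key, a bad signature, or status output without a VALIDSIG record all return non-zero.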
[CVE-2020-1946] Apache SpamAssassin malicious rule configuration (.cf) files can be configured to run system commands
Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue.

This issue has been assigned CVE id CVE-2020-1946 [2]

To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org. For more information about Apache SpamAssassin, visit the https://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://s.apache.org/ng9u9
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946

--
Sidney Markowitz
Chair, Apache SpamAssassin PMC
sid...@apache.org
[ANNOUNCE] Apache Qpid JMS 0.57.0 released
The Apache Qpid (http://qpid.apache.org) community is pleased to announce the immediate availability of Apache Qpid JMS 0.57.0.

This is the latest release of our newer JMS client supporting the Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, http://www.amqp.org), based around the Apache Qpid Proton protocol engine and implementing the AMQP JMS Mapping as it evolves at OASIS.

The release is available now from our website:
http://qpid.apache.org/download.html

Binaries are also available via Maven Central:
http://qpid.apache.org/maven.html

Release notes can be found at:
http://qpid.apache.org/releases/qpid-jms-0.57.0/release-notes.html

Thanks to all involved,
Robbie
The Apache® Software Foundation Celebrates 22 Years of Open Source Innovation "The Apache Way"
[this announcement is available online at https://s.apache.org/22ndAnniversay ]

World's largest Open Source foundation provides $22B+ in community-led software 100% free of charge for the common good

Wilmington, DE —24 March 2021— The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today its 22nd Anniversary.

Originally established by the 21-member Apache Group, who oversaw the then-3-year-old Apache HTTP Server, the ASF today is the world's largest, vendor-neutral, Open Source foundation, comprising 800+ individual Members, 8,100+ Committers, and 40,000+ code contributors located on every continent. Conservatively valued at more than $22B, Apache’s 350+ projects and 37 incubating podlings are all freely-available to the public-at-large, at 100% no cost, and with no licensing fees.

"Over the past 22 years the ASF has evolved to meet the growing needs of the greater community," said Sander Striker, Board Chair of The Apache Software Foundation. "The ASF enables people from all over the world to collaborate, develop, and shepherd the projects and communities that are helping individuals, sustaining businesses, and transforming industries."

Advancing its mission of providing software for the public good, the ASF's projects are integral to nearly every aspect of modern computing, benefitting billions worldwide. The "Apache Way" process of community-led, collaborative development has led to breakthrough innovations in Artificial Intelligence and Deep Learning, Big Data, Build Management, Cloud Computing, Content Delivery and Management, Edge Computing and IoT, Fintech, Identity Management, Integration, Libraries, Messaging, Mobile, Search, Security, Servers, and Web Frameworks, among other categories.
Projects undergoing development in the Apache Incubator span AI, Big Data, blockchain, Cloud computing, cryptography, deep learning, email, IoT, machine learning, microservices, mobile, operating systems, testing, visualization, and more.

Nearly half a million people participate in ASF projects and initiatives, including ApacheCon, the ASF's official global conference series; Community Development, which oversees contributor onboarding and mentoring and programs such as Google Summer of Code; and Diversity & Inclusion, whose programs promote diversity, equity, and inclusion across the greater Apache community.

The ASF's influence is everywhere —countless ubiquitous and mission-critical applications across dozens of industries are powered by Apache projects; the Apache License 2.0 was the top-ranked Open Source license in 2020 (source: WhiteSource); the Apache Way is the backbone for open development and inner source environments; and new users, developers, and enthusiasts are onboarding to the greater Apache community every day (the ASF has been a Google Summer of Code mentoring organization for the past 16 years, since the program's inception). The ASF is the top-ranked Open Source not-for-profit organization with the most stars on GitHub (source: GitHub).

A just-released feature on the ASF in FOSSlife [1] states, "The Apache project has undeniably changed the world … Apache remains a crucial Web server, the most popular in the field. For building Open Source communities, the lessons learned by creating the project still resonate throughout the open source world. Every project is advised to respect the Apache value of 'community over code'."

ASF operations bolster Apache projects and their communities with infrastructure support, bandwidth, connectivity, servers, hardware, development environments, legal counsel, accounting services, trademark protection, marketing and publicity, educational events, and related administrative assistance.
As a United States private 501(c)(3) not-for-profit charitable organization, the ASF's day-to-day operating expenses are offset through tax-deductible sponsorships, corporate contributions, and individual donations. Current ASF Sponsors are:

Platinum: Amazon Web Services, Facebook, Google, Huawei, Microsoft, Namebase, Pineapple Fund, Tencent, and Verizon Media.

Gold: Anonymous, Baidu, Bloomberg, Cloudera, Confluent, IBM, Indeed, Reprise Software, Union Investment, and Workday.

Silver: Aetna, Alibaba Cloud Computing, Capital One, Comcast, Didi Chuxing, Red Hat, and Target.

Bronze: Bestecasinobonussen.nl, Bookmakers, Casino2k, Cerner, Curity, GridGain, Gundry MD, Host Advice, HotWax Systems, Journal Review, LeoVegas Indian Online Casino, Miro-Kredit AG, Mutuo Kredit AG, Online Holland Casino, ProPrivacy, PureVPN, RX-M, RenaissanceRe, SCAMS.info, SevenJackpots.com, Start a Blog by Ryan Robinson, Talend, The Best VPN, The Blog Starter, The Economic Secretariat, Top10VPN, Twitter, and Writers Per Hour.

Targeted Platinum: Amazon Web Services, CloudBees, DLA Piper, Fastly, JetBrains, Leaseweb, Microsoft, OSU Open