Bug 113719 - [maintainer update] mail/p5-mail-SpamAssassin to 3.2.1
Summary: [maintainer update] mail/p5-mail-SpamAssassin to 3.2.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Beech Rintoul
Reported: 2007-06-15 21:40 UTC by Michael Scheidell
Modified: 2007-06-16 23:21 UTC
Attachments
file.diff (7.41 KB, patch)
2007-06-15 21:40 UTC, Michael Scheidell

Description Michael Scheidell 2007-06-15 21:40:03 UTC
Maintainer update to SpamAssassin 3.2.1.

CVE reference: CVE-2007-2873

Description:

A local user symlink-attack DoS vulnerability in SpamAssassin has been found,
affecting versions 3.1.x, 3.2.0, and SVN trunk.  It has been assigned
CVE-2007-2873. Details:

- It only affects systems where spamd is run as root, is used with vpopmail or
  virtual users via the "-v"/"--vpopmail" OR "--virtual-config-dir" switch, AND
  with the "-x"/"--no-user-config" AND WITHOUT the "-u"/"--username" switch AND
  with the "-l"/"--allow-tell" switch.

ports issues:

sometimes SA fails with error about Zlib versions unless EVERYTHING is > 2.04, so added dependency.
Removed dependency tar (not needed anymore)

Added in support for libspamc, eliminate using Encode.pm and sa-compile on 4.xx systems (doesn't compile)

Spf needs p5-NetAddr-IP>=4.00.7
see http://www.freebsd.org/cgi/query-pr.cgi?pr=113638

Razor needs > 2.84
see http://www.freebsd.org/cgi/query-pr.cgi?pr=112522
fixed bug in regex for v320.pre

Added warning about running spamd as root.

needed to patch spamc/Makefile.in for !i386 systems

Fix: patches attached.



Patch attached with submission follows:
How-To-Repeat: na
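
The four-part exposure condition quoted in the description above can be checked against a spamd command line. The following is an added example, not part of the original report or the port: the function names and sample command lines are constructed, and the set of short options that take a value is an assumption to adjust for the installed spamd version.

```python
import shlex

# Option names taken from the advisory text quoted above.
VIRTUAL = {"-v", "--vpopmail", "--virtual-config-dir"}
NO_USER_CONFIG = {"-x", "--no-user-config"}
ALLOW_TELL = {"-l", "--allow-tell"}
USERNAME = {"-u", "--username"}
# Assumption: short options that consume a value, so a bundle stops there.
VALUE_SHORT = set("uimpgrsACDH")

def seen_options(cmdline):
    """Return the set of option names present in a spamd command line."""
    opts = set()
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            opts.add(tok.split("=", 1)[0])      # --opt=value -> --opt
        elif tok.startswith("-") and len(tok) > 1:
            for ch in tok[1:]:                  # expand bundles such as -dxl
                opts.add("-" + ch)
                if ch in VALUE_SHORT:           # rest of token is its value
                    break
    return opts

def check_cve_2007_2873(cmdline, runs_as_root):
    """Return (exposed, conditions) for the condition listed in the advisory."""
    opts = seen_options(cmdline)
    conditions = {
        "runs as root": runs_as_root,
        "virtual users (-v / --virtual-config-dir)": bool(opts & VIRTUAL),
        "no user config (-x)": bool(opts & NO_USER_CONFIG),
        "no -u/--username": not (opts & USERNAME),
        "allow tell (-l)": bool(opts & ALLOW_TELL),
    }
    return all(conditions.values()), conditions

# Constructed sample command lines, not taken from any real host.
SAMPLES = [
    ("spamd -d -v -x -l -r /var/run/spamd/spamd.pid", True),
    ("spamd -d --virtual-config-dir=/var/vmail/%d/%l -xl", True),
    ("spamd -d -v -x -l -u spamd", True),
    ("spamd -d -c -m 5 -l", True),
]

if __name__ == "__main__":
    for cmd, root in SAMPLES:
        exposed, conds = check_cve_2007_2873(cmd, root)
        unmet = [name for name, met in conds.items() if not met]
        print("EXPOSED" if exposed else "ok     ", cmd, "| unmet:", unmet or "-")
```

The `runs_as_root` argument has to come from the process table or the rc configuration, since the command line alone does not show the effective user.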
Comment 1 Beech Rintoul freebsd_committer freebsd_triage 2007-06-15 23:09:40 UTC
Responsible Changed
From-To: freebsd-ports-bugs->beech

I'll take it.
Comment 2 Andrew Pantyukhin freebsd_committer freebsd_triage 2007-06-16 19:26:06 UTC
Hi! Beech is working on this PR and I'm helping him. We've got
a few suggestions:

On 6/16/07, Michael Scheidell <scheidell@secnap.net> wrote:
> ports issues:
>
> sometimes SA fails with error about Zlib versions unless
> EVERYTHING is > 2.04, so added dependency.
> Removed dependency tar (not needed anymore)

What did you mean by dependency tar? Dependency on
p5-Archive-Tar is still there.

> Added in support for libspamc, eliminate using Encode.pm
> and sa-compile on 4.xx systems (doesn't compile)

- system will ignore installed shared libraries unless you
  also install them with .<version> number. We can fix this
  for you with an extra symlink if you want.
- we don't accept fixes for 4.x anymore, please understand
  that we're not able to support obsolete versions, even if
  it seems that all we have to do is commit patches. Please
  keep them local. We can tweak it out of the patch.

> +       ${INSTALL_DATA} ${WRKSRC}/spamc/libspamc.so ${PREFIX}/lib
> +       ${INSTALL_DATA} ${WRKSRC}/spamc/libspamc.h ${PREFIX}/include
> +.if !defined(WITHOUT_SSL)
> +       ${INSTALL_DATA} ${WRKSRC}/spamc/libsslspamc.so ${PREFIX}/lib
> +.endif
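Review bot: both shared-library lines (libspamc.so and, inside the WITHOUT_SSL block, libsslspamc.so) install the file into ${PREFIX}/lib under its bare name with no .<version> suffix, so the point raised above about unversioned libraries applies to each of them; install the versioned file and add the bare .so name as a symlink. The libsslspamc.so line is also the only conditional install in the hunk, so its packing-list entry needs the same `.if !defined(WITHOUT_SSL)` guard, otherwise a WITHOUT_SSL build lists a file that was never installed.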

If you're installing it conditionally, its entry in
pkg-plist should also be conditional.

If you're OK with our suggestions, please give us a
green light and we'll try to get this update into tree
as soon as possible.

Thanks!
Comment 3 Michael Scheidell 2007-06-16 19:35:33 UTC
> -----Original Message-----
> From: infofarmer@gmail.com [mailto:infofarmer@gmail.com] On
> Behalf Of Andrew Pantyukhin
> Sent: Saturday, June 16, 2007 2:26 PM
> To: Michael Scheidell; Beech Rintoul
> Cc: bug-followup@freebsd.org
> Subject: Re: ports/113719: [maintainer update] SpamAssassin to 3.2.1
>
>
> Hi! Beech is working on this PR and I'm helping him. We've
> got a few suggestions:
>
> On 6/16/07, Michael Scheidell <scheidell@secnap.net> wrote:
> > ports issues:
> >
> > sometimes SA fails with error about Zlib versions unless
> > EVERYTHING is > 2.04, so added dependency. Removed dependency
> > tar (not needed anymore)
>
> What did you mean by dependency tar? Dependency on
> p5-Archive-Tar is still there.
>

Never mind, that was amavisd.  Keep it there.

> > Added in support for libspamc, eliminate using Encode.pm
> > and sa-compile on 4.xx systems (doesn't compile)
>
> - system will ignore installed shared libraries unless you
>   also install them with .<version> number. We can fix this
>   for you with an extra symlink if you want.

Yes, thanks.

> - we don't accept fixes for 4.x anymore, please understand
>   that we're not able to support obsolete versions, even if
>   it seems that all we have to do is commit patches. Please
>   keep them local. We can tweak it out of the patch.
;-)
Ok.

> If you're installing it conditionally, its entry in
> pkg-plist should also be conditional.
>
> If you're OK with our suggestions, please give us a
> green light and we'll try to get this update into tree
> as soon as possible.


Yes, thanks for your work.  Can you look into some dependencies? (if
they are committed, you can take the comments out of my makefile:)
http://www.freebsd.org/cgi/query-pr.cgi?pr=113638
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112501

And the comment on Razor is no longer needed (it was committed, thanks
all).

Ps, this should close as superseded:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/113394

>
> Thanks!
>
>
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________
Comment 4 Andrew Pantyukhin freebsd_committer freebsd_triage 2007-06-16 21:00:54 UTC
On 6/16/07, Michael Scheidell <scheidell@secnap.net> wrote:
> Yes, thanks for your work.  Can you look into some dependencies? (if
> they are committed, you can take the comments out of my makefile:)
> http://www.freebsd.org/cgi/query-pr.cgi?pr=113638
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112501

I updated re2c by maintainer timeout, but the other update
is still fresh. I've just noticed that you make it impossible
to use SPF (without manual update of the dependency). As a
maintainer, would you prefer to wait for a day or two while
I'm trying to get tobez (the maintainer) to approve or commit
the update, or would you rather we commit it sooner this way?
Does it break completely if the version constraint is removed?

> And the comment on Razor is no longer needed (it was committed, thanks
> all).

OK.

> Ps, this should close as superseded:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/113394

Done.

Thanks!
Comment 5 Michael Scheidell 2007-06-16 21:26:25 UTC
> -----Original Message-----
> From: infofarmer@gmail.com [mailto:infofarmer@gmail.com] On
> Behalf Of Andrew Pantyukhin
> Sent: Saturday, June 16, 2007 4:01 PM
> To: Michael Scheidell
> Cc: Beech Rintoul; bug-followup@freebsd.org
> Subject: Re: ports/113719: [maintainer update] SpamAssassin to 3.2.1
>
>
> On 6/16/07, Michael Scheidell <scheidell@secnap.net> wrote:
> > Yes, thanks for your work.  Can you look into some dependencies? (if
> > they are committed, you can take the comments out of my makefile:)
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=113638
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112501
>
> I'm trying to get tobez (the maintainer) to approve or commit
> the update, or would you rather we commit it sooner this way?
> Does it break completely if the version constraint is removed?

It's a pretty straightforward patch, so it will be approved soon
anyway.

Without it, it causes some pretty serious SPF issues, with SPF timing out
and giving false answers, so leave it in (with the comment) by the time
people start using it, tobez will probably have it done.
Comment 6 dfilter service freebsd_committer freebsd_triage 2007-06-16 23:17:09 UTC
beech       2007-06-16 22:17:04 UTC

  FreeBSD ports repository

  Modified files:
    mail/p5-Mail-SpamAssassin Makefile distinfo pkg-message 
                              pkg-plist 
    mail/p5-Mail-SpamAssassin/files patch-sa-compile.raw 
  Added files:
    mail/p5-Mail-SpamAssassin/files patch-spamc-Makefile.in 
  Log:
  - Update to 3.2.1
  - Security fix.
  
  PR:             ports/113719
  Submitted by:   Michael Scheidell <scheidell@secnap.net> (maintainer)
  Approved by:    sat (mentor)
  Security:       CVE-2007-2873
  
  Revision  Changes    Path
  1.107     +22 -11    ports/mail/p5-Mail-SpamAssassin/Makefile
  1.39      +3 -3      ports/mail/p5-Mail-SpamAssassin/distinfo
  1.2       +7 -6      ports/mail/p5-Mail-SpamAssassin/files/patch-sa-compile.raw
  1.1       +20 -0     ports/mail/p5-Mail-SpamAssassin/files/patch-spamc-Makefile.in (new)
  1.6       +7 -0      ports/mail/p5-Mail-SpamAssassin/pkg-message
  1.39      +5 -0      ports/mail/p5-Mail-SpamAssassin/pkg-plist
Comment 7 Beech Rintoul freebsd_committer freebsd_triage 2007-06-16 23:20:43 UTC
State Changed
From-To: open->closed

Committed (with minor changes), thanks!