--- lib/Mail/SpamAssassin/DnsResolver.pm	2015/07/20 18:23:18	1691991

+++ lib/Mail/SpamAssassin/DnsResolver.pm	2015/07/20 18:24:48	1691992

@@ -592,6 +592,9 @@

   };

   if ($packet) {

+    # RD flag needs to be set explicitly since Net::DNS 1.01, Bug 7223	

+    $packet->header->rd(1);

+

   # my $udp_payload_size = $self->{res}->udppacketsize;

     my $udp_payload_size = $self->{conf}->{dns_options}->{edns};

     if ($udp_payload_size && $udp_payload_size > 512) {

--- spamc/libspamc.c.orig

+++ spamc/libspamc.c

@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,

     unsigned int throwaway;

     SSL_CTX *ctx = NULL;

     SSL *ssl = NULL;

-    SSL_METHOD *meth;

+    const SSL_METHOD *meth;

     char zlib_on = 0;

     unsigned char *zlib_buf = NULL;

     int zlib_bufsiz = 0;

@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,

     if (flags & SPAMC_USE_SSL) {

 #ifdef SPAMC_SSL

 	SSLeay_add_ssl_algorithms();

-	if (flags & SPAMC_TLSV1) {

-	    meth = TLSv1_client_method();

-	} else {

-	    meth = SSLv3_client_method(); /* default */

-	}

+	meth = SSLv23_client_method();

 	SSL_load_error_strings();

 	ctx = SSL_CTX_new(meth);

 #else

@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c

     int failureval;

     SSL_CTX *ctx = NULL;

     SSL *ssl = NULL;

-    SSL_METHOD *meth;

+    const SSL_METHOD *meth;

     assert(tp != NULL);

     assert(m != NULL);

@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c

     if (flags & SPAMC_USE_SSL) {

 #ifdef SPAMC_SSL

 	SSLeay_add_ssl_algorithms();

-	meth = SSLv3_client_method();

+	meth = SSLv23_client_method();

 	SSL_load_error_strings();

 	ctx = SSL_CTX_new(meth);

 #else

--- spamc/spamc.c.orig

+++ spamc/spamc.c

@@ -368,16 +368,11 @@ read_args(int argc, char **argv,

             case 'S':

             {

                 flags |= SPAMC_USE_SSL;

-		if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {

-		    flags |= SPAMC_SSLV3;

-		}

-		else if (strcmp(spamc_optarg,"tlsv1") == 0) {

-		    flags |= SPAMC_TLSV1;

-		}

-		else {

-		    libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);

-		    ret = EX_USAGE;

-		}

+                if(spamc_optarg) {

+                    libspamc_log(flags, LOG_ERR,

+                        "Explicit specification of an SSL/TLS version no longer supported.");

+                    ret = EX_USAGE;

+                }

                 break;

             }

 #endif

--- spamd/spamd.raw.orig

+++ spamd/spamd.raw

@@ -409,7 +409,6 @@ GetOptions(

   'sql-config!'              => \$opt{'sql-config'},

   'ssl'                      => \$opt{'ssl'},

   'ssl-port=s'               => \$opt{'ssl-port'},

-  'ssl-version=s'            => \$opt{'ssl-version'},

   'syslog-socket=s'          => \$opt{'syslog-socket'},

   'syslog|s=s'               => \$opt{'syslog'},

   'log-timestamp-fmt:s'      => \$opt{'log-timestamp-fmt'},

@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) {

 # Do whitelist later in tmp dir. Side effect: this will be done as -u user.

-my $sslversion = $opt{'ssl-version'} || 'sslv3';

-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {

-  die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";

-}

-

 $opt{'server-key'}  ||= "$LOCAL_RULES_DIR/certs/server-key.pem";

 $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";

@@ -899,9 +893,8 @@ sub compose_listen_info_string {

                       $socket_info->{ip_addr}, $socket_info->{port}));

     } elsif ($socket->isa('IO::Socket::SSL')) {

-      push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",

-                      $socket_info->{ip_addr}, $socket_info->{port},

-                      $opt{'ssl-version'}||'sslv3'));

+      push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},

+                      $socket_info->{port}));

     }

   }

@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet {

     $sockopt{V6Only} = 1  if $io_socket_module_name eq 'IO::Socket::IP'

                              && IO::Socket::IP->VERSION >= 0.09;

     %sockopt = (%sockopt, (

-      SSL_version     => $sslversion,

       SSL_verify_mode => 0x00,

       SSL_key_file    => $opt{'server-key'},

       SSL_cert_file   => $opt{'server-cert'},

@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet {

     if (!$server_inet) {

       $diag = sprintf("could not create %s socket on [%s]:%s: %s",

                       $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,

-                      $adr, $port, $!);

+                      $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?

+                      "$!,$IO::Socket::SSL::SSL_ERROR" : $!);

       push(@diag_fail, $diag);

     } else {

       $diag = sprintf("created %s socket on [%s]:%s",

@@ -3238,7 +3231,6 @@ Options:

  -H [dir], --helper-home-dir[=dir] Specify a different HOME directory

  --ssl                             Enable SSL on TCP connections

  --ssl-port port                   Override --port setting for SSL connections

- --ssl-version sslversion          Specify SSL protocol version to use

  --server-key keyfile              Specify an SSL keyfile

  --server-cert certfile            Specify an SSL certificate

  --socketpath=path                 Listen on a given UNIX domain socket

@@ -3727,14 +3719,6 @@ Optionally specifies the port number for

 SSL connections (default: whatever --port uses).  See B<--ssl> for

 more details.

-=item B<--ssl-version>=I<sslversion>

-

-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.

-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or

-higher hello handshake, then negotiating use of SSLv3 or TLSv1

-protocol if the client can accept it.  Specifying B<--ssl-version>

-implies B<--ssl>.

-

 =item B<--server-key> I<keyfile>

 Specify the SSL key file to use for SSL connections.

--- spamc/spamc.pod.orig

+++ spamc/spamc.pod

@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a

 Sleep for I<sleep> seconds between failed spamd filtering attempts.

 The default is 1 second.

-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>

+=item B<-S>, B<--ssl>, B<--ssl>

 If spamc was built with support for SSL, encrypt data to and from the

 spamd process with SSL; spamd must support SSL as well.

-I<sslversion> specifies the SSL protocol version to use, either

-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.

 =item B<-t> I<timeout>, B<--timeout>=I<timeout>

--- t/spamd_ssl_tls.t.orig

+++ t/spamd_ssl_tls.t

@@ -1,28 +0,0 @@ 

-#!/usr/bin/perl

-

-use lib '.'; use lib 't';

-use SATest; sa_t_init("spamd_ssl_tls");

-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);

-

-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);

-

-# ---------------------------------------------------------------------------

-

-%patterns = (

-

-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',

-q{ Subject: There yours for FREE!}, 'subj',

-q{ X-Spam-Status: Yes, score=}, 'status',

-q{ X-Spam-Flag: YES}, 'flag',

-q{ X-Spam-Level: **********}, 'stars',

-q{ TEST_ENDSNUMS}, 'endsinnums',

-q{ TEST_NOREALNAME}, 'noreal',

-q{ This must be the very last line}, 'lastline',

-

-

-);

-

-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",

-           "--ssl=tlsv1 < data/spam/001",

-           \&patterns_run_cb));

-ok_all_patterns();

--- t/spamd_ssl_v3.t.orig

+++ t/spamd_ssl_v3.t

@@ -1,28 +0,0 @@ 

-#!/usr/bin/perl

-

-use lib '.'; use lib 't';

-use SATest; sa_t_init("spamd_sslv3");

-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);

-

-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);

-

-# ---------------------------------------------------------------------------

-

-%patterns = (

-

-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',

-q{ Subject: There yours for FREE!}, 'subj',

-q{ X-Spam-Status: Yes, score=}, 'status',

-q{ X-Spam-Flag: YES}, 'flag',

-q{ X-Spam-Level: **********}, 'stars',

-q{ TEST_ENDSNUMS}, 'endsinnums',

-q{ TEST_NOREALNAME}, 'noreal',

-q{ This must be the very last line}, 'lastline',

-

-

-);

-

-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",

-           "--ssl=sslv3 < data/spam/001",

-           \&patterns_run_cb));

-ok_all_patterns();

--- t/spamd_ssl_accept_fail.t.orig

+++ t/spamd_ssl_accept_fail.t

@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la

 );

-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));

+ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));

 ok (spamcrun ("< data/spam/001", \&patterns_run_cb));

-ok (spamcrun ("--ssl=sslv3  < data/spam/001", \&patterns_run_cb));

+ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));

 ok (stop_spamd ());

 ok_all_patterns();

--- t/spamd_ssl.t.orig

+++ t/spamd_ssl.t

@@ -2,10 +2,7 @@ 

 use lib '.'; use lib 't';

 use SATest; sa_t_init("spamd_ssl");

-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),

-    onfail => sub {

-	warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .

-	    "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };

+use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);

 exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);

--- MANIFEST.orig

+++ MANIFEST

@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t

 t/spamd_sql_prefs.t

 t/spamd_ssl.t

 t/spamd_ssl_accept_fail.t

-t/spamd_ssl_tls.t

-t/spamd_ssl_v3.t

 t/spamd_stop.t

 t/spamd_symbols.t

 t/spamd_syslog.t

--- lib/Mail/SpamAssassin/Plugin/URILocalBL.pm	2015/06/10 12:15:22	1684652

+++ lib/Mail/SpamAssassin/Plugin/URILocalBL.pm	2015/06/10 12:18:50	1684653

@@ -350,7 +350,7 @@

     # look for W3 links only

     next unless (defined $info->{types}->{a});

-    while (my($host, $domain) = each $info->{hosts}) {

+    while (my($host, $domain) = each %{$info->{hosts}}) {

       # skip if the domain name was matched

       if (exists $rule->{exclusions} && exists $rule->{exclusions}->{$domain}) {

@@ -374,7 +374,7 @@

         }

         if (exists $rule->{countries}) {

-          dbg("check: uri_local_bl countries %s\n", join(' ', sort keys $rule->{countries}));

+          dbg("check: uri_local_bl countries %s\n", join(' ', sort keys %{$rule->{countries}}));

           my $cc = $self->{geoip}->country_code_by_addr($ip);

@@ -403,7 +403,7 @@

         }

         if (exists $rule->{isps}) {

-          dbg("check: uri_local_bl isps %s\n", join(' ', map { '"' . $_ . '"'; } sort keys $rule->{isps}));

+          dbg("check: uri_local_bl isps %s\n", join(' ', map { '"' . $_ . '"'; } sort keys %{$rule->{isps}}));

           my $isp = $self->{geoisp}->isp_by_name($ip);

--- lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm	2015/08/04 23:14:23	1694125

+++ lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm	2015/08/04 23:16:38	1694126

@@ -942,9 +942,8 @@

     next unless (defined($str) && defined($dom));

     dbg("uridnsbl: got($j) NS for $dom: $str");

-    if ($str =~ /IN\s+NS\s+(\S+)/) {

-      my $nsmatch = lc $1;

-      $nsmatch =~ s/\.$//;

+    if ($rr->type eq 'NS') {

+      my $nsmatch = lc $rr->nsdname;  # available since at least Net::DNS 0.14

       my $nsrhblstr = $nsmatch;

       my $fullnsrhblstr = $nsmatch;

@@ -1025,9 +1024,9 @@

     }

     dbg("uridnsbl: complete_a_lookup got(%d) A for %s: %s", $j,$hname,$str);

-    local $1;

-    if ($str =~ /IN\s+A\s+(\S+)/) {

-      $self->lookup_dnsbl_for_ip($pms, $ent->{obj}, $1);

+    if ($rr->type eq 'A') {

+      my $ip_address = $rr->rdatastr;

+      $self->lookup_dnsbl_for_ip($pms, $ent->{obj}, $ip_address);

     }

   }

 }

--- lib/Mail/SpamAssassin/DnsResolver.pm	(revision 1715195)

+++ lib/Mail/SpamAssassin/DnsResolver.pm	(working copy)

@@ -725,6 +725,37 @@

 ###########################################################################

+=item $id = $res->bgread()

+

+Similar to C<Net::DNS::Resolver::bgread>.  Reads a DNS packet from

+a supplied socket, decodes it, and returns a Net::DNS::Packet object

+if successful.  Dies on error.

+

+=cut

+

+sub bgread() {

+  my ($self) = @_;

+  my $sock = $self->{sock};

+  my $packetsize = $self->{res}->udppacketsize;

+  $packetsize = 512  if $packetsize < 512;  # just in case

+  my $data = '';

+  my $peeraddr = $sock->recv($data, $packetsize+256);  # with some size margin for troubleshooting

+  defined $peeraddr or die "bgread: recv() failed: $!";

+  my $peerhost = $sock->peerhost;

+  $data ne '' or die "bgread: received empty packet from $peerhost";

+  dbg("dns: bgread: received %d bytes from %s", length($data), $peerhost);

+  my($answerpkt, $decoded_length) = Net::DNS::Packet->new(\$data);

+  $answerpkt or die "bgread: decoding DNS packet failed: $@";

+  $answerpkt->answerfrom($peerhost);

+  if ($decoded_length ne length($data)) {

+    warn sprintf("bgread: received a %d bytes packet from %s, decoded %d bytes\n",

+                 length($data), $peerhost, $decoded_length);

+  }

+  return $answerpkt;

+}

+

+###########################################################################

+

 =item $nfound = $res->poll_responses()

 See if there are any C<bgsend> reply packets ready, and return

@@ -772,13 +803,25 @@

     $timeout = 0;  # next time around collect whatever is available, then exit

     last  if $nfound == 0;

-    my $packet = $self->{res}->bgread($self->{sock});

+    my $packet;

+    eval {

+      $packet = $self->bgread();

+    } or do {

+      undef $packet;

+      my $eval_stat = $@ ne '' ? $@ : "errno=$!";  chomp $eval_stat;

+      # resignal if alarm went off

+      die $eval_stat  if $eval_stat =~ /__alarm__ignore__\(.*\)/s;

+      info("dns: bad dns reply: %s", $eval_stat);

+    };

+#   Bug 7265, use our own bgread()

+#   my $packet = $self->{res}->bgread($self->{sock});

+

     if (!$packet) {

-      my $dns_err = $self->{res}->errorstring;

-      # resignal if alarm went off

-      die "dns (3) $dns_err\n"  if $dns_err =~ /__alarm__ignore__\(.*\)/s;

-      info("dns: bad dns reply: $dns_err");

+      # error already reported above

+#     my $dns_err = $self->{res}->errorstring;

+#     die "dns (3) $dns_err\n"  if $dns_err =~ /__alarm__ignore__\(.*\)/s;

+#     info("dns: bad dns reply: $dns_err");

     } else {

       my $header = $packet->header;

       if (!$header) {

--- lib/Mail/SpamAssassin/Plugin/DKIM.pm	(revision 1715196)

+++ lib/Mail/SpamAssassin/Plugin/DKIM.pm	(working copy)

@@ -794,7 +794,8 @@

         # Only do so if EDNS0 provides a reasonably-sized UDP payload size,

         # as our interface does not provide a DNS fallback to TCP, unlike

         # the Net::DNS::Resolver::send which does provide it.

-        my $res = $self->{main}->{resolver}->get_resolver;

+        my $res = $self->{main}->{resolver};

+        dbg("dkim: providing our own resolver: %s", ref $res);

         Mail::DKIM::DNS::resolver($res);

       }

     }

--- lib/Mail/SpamAssassin/PerMsgStatus.pm

+++ lib/Mail/SpamAssassin/PerMsgStatus.pm

@@ -916,16 +916,16 @@

     $str .= shift @{$ary};

   }

   undef $ary;

-  chomp ($str); $str .= " [...]\n";

   # in case the last line was huge, trim it back to around 200 chars

   local $1;

-  $str =~ s/^(.{,200}).*$/$1/gs;

+  $str =~ s/^(.{200}).+$/$1 [...]/gm;

+  chomp ($str); $str .= "\n";

   # now, some tidy-ups that make things look a bit prettier

-  $str =~ s/-----Original Message-----.*$//gs;

+  $str =~ s/-----Original Message-----.*$//gm;

   $str =~ s/This is a multi-part message in MIME format\.//gs;

-  $str =~ s/[-_\*\.]{10,}//gs;

+  $str =~ s/[-_*.]{10,}//gs;

   $str =~ s/\s+/ /gs;

   # add "Content preview:" ourselves, so that the text aligns

%%SITE_PERL%%/Mail/SpamAssassin/Util/RegistrarBoundaries.pm

%%PERL5_MAN3%%/Mail::SpamAssassin::Util::RegistrarBoundaries.3.gz