Maintainer update to SpamAssassin 3.2.1.

CVE reference: CVE-2007-2873

Description:

A local user symlink-attack DoS vulnerability in SpamAssassin has been found, affecting versions 3.1.x, 3.2.0, and SVN trunk. It has been assigned CVE-2007-2873.

Details:

- It only affects systems where spamd is run as root, is used with vpopmail or virtual users via the "-v"/"--vpopmail" OR "--virtual-config-dir" switch, AND with the "-x"/"--no-user-config" AND WITHOUT the "-u"/"--username" switch AND with the "-l"/"--allow-tell" switch.

ports issues:

sometimes SA fails with error about Zlib versions unless EVERYTHING is > 2.04, so added dependency.
Removed dependency tar (not needed anymore)
Added in support for libspamc, eliminate using Encode.pm and sa-compile on 4.xx systems (doesn't compile)
Spf needs p5-NetAddr-IP>=4.00.7 see http://www.freebsd.org/cgi/query-pr.cgi?pr=113638
Razor needs > 2.84 see http://www.freebsd.org/cgi/query-pr.cgi?pr=112522
fixed bug in regex for v320.pre
Added warning about running spamd as root.
needed to patch spamc/Makefile.in for !i386 systems

Fix: patches attached.

Patch attached with submission follows:

How-To-Repeat: na
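The flag combination listed under Details, turned into a check that can be run against a spamd command line. This is an added example, not part of the PR or of SpamAssassin: `spamd_exposed` and `report` are hypothetical names, the sample flag strings are constructed, and it assumes one option per word (no bundled short flags such as `-vxl`).

```sh
#!/bin/sh
# Added example: does a spamd invocation match every condition the
# advisory text gives for CVE-2007-2873?
# Assumptions: one option per word; "--nouser-config" is accepted as an
# alternative spelling of the "--no-user-config" switch named on the page.

# spamd_exposed UID [spamd args...]
# UID is the uid spamd is started as. Returns 0 when all conditions hold.
spamd_exposed() {
    uid=$1; shift
    virtual=0; noconf=0; tell=0; user=0
    for arg in "$@"; do
        case $arg in
            -v|--vpopmail)
                virtual=1 ;;
            --virtual-config-dir|--virtual-config-dir=*)
                virtual=1 ;;
            -x|--no-user-config|--nouser-config)
                noconf=1 ;;
            -l|--allow-tell)
                tell=1 ;;
            -u|-u?*|--username|--username=*)
                user=1 ;;   # spamd drops root, so the condition fails
        esac
    done
    [ "$uid" -eq 0 ] && [ "$virtual" -eq 1 ] && [ "$noconf" -eq 1 ] &&
        [ "$tell" -eq 1 ] && [ "$user" -eq 0 ]
}

# report UID "FLAG STRING": print a verdict for one flag string.
report() {
    # $2 is deliberately unquoted so the string splits into words.
    if spamd_exposed "$1" $2; then
        echo "EXPOSED: $2"
    else
        echo "ok: $2"
    fi
}

# Constructed sample invocations, not taken from the PR.
report 0 "-d -c -v -x -l"
report 0 "-d -c -v -x -l -u spamd"
report 0 "-d --virtual-config-dir=/var/vmail/%d/%l -x --allow-tell"
report 0 "-d -c -v -x"
```

Only the first and third sample lines are reported as exposed; adding `-u` or dropping `-l` takes an invocation out of the affected set.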
Responsible Changed From-To: freebsd-ports-bugs->beech I'll take it.
Hi! Beech is working on this PR and I'm helping him. We've got a few suggestions:

On 6/16/07, Michael Scheidell <scheidell@secnap.net> wrote:
> ports issues:
>
> sometimes SA fails with error about Zlib versions unless
> EVERYTHING is > 2.04, so added dependency.
> Removed dependency tar (not needed anymore)

What did you mean by dependency tar? Dependency on p5-Archive-Tar is still there.

> Added in support for libspamc, eliminate using Encode.pm
> and sa-compile on 4.xx systems (doesn't compile)

- system will ignore installed shared libraries unless you
  also install them with .<version> number. We can fix this
  for you with an extra symlink if you want.
- we don't accept fixes for 4.x anymore, please understand
  that we're not able to support obsolete versions, even if
  it seems that all we have to do is commit patches. Please
  keep them local. We can tweak it out of the patch.

> + ${INSTALL_DATA} ${WRKSRC}/spamc/libspamc.so ${PREFIX}/lib
> + ${INSTALL_DATA} ${WRKSRC}/spamc/libspamc.h ${PREFIX}/include
> +.if !defined(WITHOUT_SSL)
> + ${INSTALL_DATA} ${WRKSRC}/spamc/libsslspamc.so ${PREFIX}/lib
> +.endif

If you're installing it conditionally, its entry in pkg-plist should also be conditional.

If you're OK with our suggestions, please give us a green light and we'll try to get this update into tree as soon as possible.

Thanks!
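Review bot: on the `libspamc.so` and `libsslspamc.so` lines of the quoted hunk the shared objects are installed with `${INSTALL_DATA}`, the data-file macro, so they land read-only and unstripped under an unversioned name. If that is intended, say so in a Makefile comment; otherwise install them the way other shared libraries in the tree are installed, and keep the `libsslspamc.so` plist entry under the same `WITHOUT_SSL` condition as its install line.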
> -----Original Message-----
> From: infofarmer@gmail.com [mailto:infofarmer@gmail.com] On
> Behalf Of Andrew Pantyukhin
> Sent: Saturday, June 16, 2007 2:26 PM
> To: Michael Scheidell; Beech Rintoul
> Cc: bug-followup@freebsd.org
> Subject: Re: ports/113719: [maintainer update] SpamAssassin to 3.2.1
>
> Hi! Beech is working on this PR and I'm helping him. We've
> got a few suggestions:
>
> On 6/16/07, Michael Scheidell <scheidell@secnap.net> wrote:
> > ports issues:
> >
> > sometimes SA fails with error about Zlib versions unless
> > EVERYTHING is > 2.04, so added dependency. Removed dependency
> > tar (not needed anymore)
>
> What did you mean by dependency tar? Dependency on
> p5-Archive-Tar is still there.

Never mind, that was amavisd. Keep it there.

> > Added in support for libspamc, eliminate using Encode.pm
> > and sa-compile on 4.xx systems (doesn't compile)
>
> - system will ignore installed shared libraries unless you
> also install them with .<version> number. We can fix this
> for you with an extra symlink if you want.

Yes, thanks.

> - we don't accept fixes for 4.x anymore, please understand
> that we're not able to support obsolete versions, even if
> it seems that all we have to do is commit patches. Please
> keep them local. We can tweak it out of the patch.

;-) Ok.

> If you're installing it conditionally, its entry in
> pkg-plist should also be conditional.
>
> If you're OK with our suggestions, please give us a
> green light and we'll try to get this update into tree
> as soon as possible.

Yes, thanks for your work. Can you look into some dependencies? (if they are committed, you can take the comments out of my makefile:)
http://www.freebsd.org/cgi/query-pr.cgi?pr=113638
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112501

And the comment on Razor is no longer needed (it was committed, thanks all.)

Ps, this should close as superseded:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/113394

> Thanks!

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_________________________________________________________________________
On 6/16/07, Michael Scheidell <scheidell@secnap.net> wrote:
> Yes, thanks for your work. Can you look into some dependencies? (if
> they are committed, you can take the comments out of my makefile:)
> http://www.freebsd.org/cgi/query-pr.cgi?pr=113638
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112501

I updated re2c by maintainer timeout, but the other update is still fresh. I've just noticed that you make it impossible to use SPF (without manual update of the dependency). As a maintainer, would you prefer to wait for a day or two while I'm trying to get tobez (the maintainer) to approve or commit the update, or would you rather we commit it sooner this way? Does it break completely if the version constraint is removed?

> And the comment on Razor is no longer needed (it was committed, thanks
> all.)

OK.

> Ps, this should close as superseded:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/113394

Done. Thanks!
> -----Original Message-----
> From: infofarmer@gmail.com [mailto:infofarmer@gmail.com] On
> Behalf Of Andrew Pantyukhin
> Sent: Saturday, June 16, 2007 4:01 PM
> To: Michael Scheidell
> Cc: Beech Rintoul; bug-followup@freebsd.org
> Subject: Re: ports/113719: [maintainer update] SpamAssassin to 3.2.1
>
> On 6/16/07, Michael Scheidell <scheidell@secnap.net> wrote:
> > Yes, thanks for your work. Can you look into some dependencies? (if
> > they are committed, you can take the comments out of my makefile:)
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=113638
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112501
>
> I'm trying to get tobez (the maintainer) to approve or commit
> the update, or would you rather we commit it sooner this way?
> Does it break completely if the version constraint is removed?

It's a pretty straightforward patch, so it will be approved soon anyway. Without it, it causes some pretty serious SPF issues, with SPF timing out and giving false answers, so leave it in (with the comment); by the time people start using it, tobez will probably have it done.
beech 2007-06-16 22:17:04 UTC

FreeBSD ports repository

Modified files:
  mail/p5-Mail-SpamAssassin        Makefile distinfo pkg-message pkg-plist
  mail/p5-Mail-SpamAssassin/files  patch-sa-compile.raw
Added files:
  mail/p5-Mail-SpamAssassin/files  patch-spamc-Makefile.in
Log:
- Update to 3.2.1
- Security fix.

PR: ports/113719
Submitted by: Michael Scheidell <scheidell@secnap.net> (maintainer)
Approved by: sat (mentor)
Security: CVE-2007-2873

Revision  Changes  Path
1.107     +22 -11  ports/mail/p5-Mail-SpamAssassin/Makefile
1.39      +3 -3    ports/mail/p5-Mail-SpamAssassin/distinfo
1.2       +7 -6    ports/mail/p5-Mail-SpamAssassin/files/patch-sa-compile.raw
1.1       +20 -0   ports/mail/p5-Mail-SpamAssassin/files/patch-spamc-Makefile.in (new)
1.6       +7 -0    ports/mail/p5-Mail-SpamAssassin/pkg-message
1.39      +5 -0    ports/mail/p5-Mail-SpamAssassin/pkg-plist
State Changed From-To: open->closed Committed (with minor changes), thanks!