From relson at osagesoftware.com Fri Jul 9 01:34:12 2010
From: relson at osagesoftware.com (David Relson)
Date: Thu, 8 Jul 2010 21:34:12 -0400
Subject: bogofilter-1.2.2 - new current release
Message-ID: <20100708213412.68394099@osage.osagesoftware.com>

Bogofilter v1.2.2 is now available.

This release includes a security fix, several minor bug fixes, and cleanups.

A heap corruption caused by invalid base64 input has been fixed.
A better PRNG is now being used.
Support has been updated for Berkeley DB 4.8 and 5.0.
Minimum supported version of SQLite3 has been bumped.
Miscellaneous clang and compiler warnings have been fixed.

########################################################################

Files are available at http://sourceforge.net/projects/bogofilter for download.

Here are the md5sums for the release:

0d77f9bf9f73d0555cac751088de6d2e bogofilter-1.2.2-1.src.rpm
4bcabdf8c5e7efefcb508eda7e80eebc bogofilter-1.2.2.tar.bz2
39d27c13eae8a5064d68e20d585e60de bogofilter-1.2.2.tar.gz
91e1e120f7815c66735838f149d4020d bogofilter-db42-1.2.2-1.i586.rpm
2d8923111a5a2d08fb36c5827881d41c bogofilter-db42-static-1.2.2-1.i586.rpm
ef9a99b71e400b1ba5410222e5a9befb bogofilter-sqlite3-1.2.2-1.i586.rpm
79cb331dfa4e4400ef8fb22007a7626e bogofilter-sqlite3-static-1.2.2-1.i586.rpm

########################################################################

Here's the cumulative change log since 1.1.0:

                        =================
                         BOGOFILTER NEWS
                        =================

        !!!!!!!! READ THE RELEASE.NOTES !!!!!!!!

This file is in Unicode charset, with UTF-8 encoding.

Sections headed '[Incompat ]' and '[Major ]' are particularly important.
They describe changes that are incompatible with earlier releases or are
significantly different.

        !!!!!!!! READ THE RELEASE.NOTES !!!!!!!!

-------------------------------------------------------------------------------

1.2.2   2010-10-08 (released)

    2010-07-05

    * Use a better PRNG for random sleeps. That is arc4random() where
      available, and drand48() elsewhere.
    * Assorted fixes for issues found with clang analyzer:
      + Fix a potential NULL dereference
      + Fix a potential division by zero
      + Remove dead assignments and increments
    * Update Doxyfile and source contrib/bogogrep.c for docs, too.

    2010-07-03

    * Security bugfix, CVE-2010-2494: Fix a heap corruption in base64
      decoder on invalid input. Analysis and patch by Julius Plenz.
      Please see doc/bogofilter-SA-2010-01 for details.

    2010-04-07

    * Updated sendmail milter contrib/bogofilter-milter.pl to v1.??????
      (thanks to Jonathan Kamens)

    2010-04-01

    * Bump supported/minimum SQLite3 versions and warning threshold.
      See doc/README.sqlite for details.
    * Mark BerkeleyDB 4.8.26 and 5.0.21 supported. Note that Berkeley DB
      5.0's SQLite3 compatibility API is NOT supported, it causes shifts
      in scores and write failures under contention. Bogofilter can use
      Berkeley DB 5.0's native interface, and using that is more
      efficient than the added SQL shim layer.

    2010-03-06

    * Make t.maint more robust; ignore .ENCODING token. To fix test
      failures on, for instance, FreeBSD with unicode enabled.

    2010-02-15

    * Fix several compiler warnings "array subscript has type 'char'",
      by casting the arguments to unsigned char. A security audit was
      conducted and showed that all affected functions either received
      the relevant input from the user running bogofilter, or the input
      had already been pre-validated by the token lexer.

    2010-02-14

    * Split error messages for ENOENT and EINVAL into new function.
    * Avoid division by zero in robx computation by checking that at
      least one ham message and one spam message are registered.

    2009-08-13

    * contrib/spamitarium.pl updated to version 0.4.0
      (thanks to Tom Anderson)

    2009-08-05

    * Updated and integrated Ted Phelps's "Patch to prevent .ENCODING
      from being discarded by bogoutil -m" (SourceForge Patch #1743984).
      Thanks to Ted for debugging the issue and providing the patch
      (which was for bogofilter v1.1.5).

    2009-09-15

    * Promoted to "stable"

1.2.1   2009-08-01 (released)

    2009-08-01

    * Update configure to use "host" rather than "target", to match the
      newer autotools cross-build semantics. Untested. Developers
      changing the build system and users who build from SVN will now
      need automake 1.9 and autoconf 2.60.

    2009-07-31

    * Fix Christian Frommeyer's MIME decoding bug, Ubuntu/Launchpad
      Bug #320829. As a side effect, also fixes misattribution of MIME
      bodies as MIME headers with mime: tag.
      Original bug report:
      https://bugs.launchpad.net/ubuntu/+source/bogofilter/+bug/320829
      Before this fix, bogofilter did not properly MIME-decode the first
      line in a body. This was especially bad with Christian's samples
      where the whole body was only one long base64 line.

    2009-05-28

    * Removed two scripts that are auto-built.
    * Added test case for Stephen Davies' Q-P EOL problem (see below).

    2009-05-25

    * Fixed EOL problem in quoted_printable text. Problem reported by
      Stephen Davies and identified by Pavel Kankovsky.

    2009-03-28

    * Promoted to "stable"

1.2.0   2009-02-21 (released)

    2009-02-20

    * Flex-2.5.35 has fix for memory allocation problem in 2.5.4,
      2.5.31, and 2.5.33, making bogofilter's flex patch obsolete.

    2009-02-12

    * Bogofilter now uses listsort in place of qsort.

    2009-01-31

    * Added token-count=n, token-count-min=n, and token-count-max=n
      options.
    * Minor code cleanups.

    2009-01-21

    * spamitarium.pl updated to version 0.3.0 (thanks to Tom Anderson)

    2009-01-11

    * For compatibility with Sun's Sun Studio 12 compiler, provide a
      name for the anonymous union in typedef word_t. Patch provided by
      Jack Bailey.

    2008-10-20

    * update bf_compact documentation by removing explicit Berkeley DB
      references, as it has been fixed to work with other database
      drivers in March 2008.

    2008-10-15

    * bf_compact, bf_copy and bf_tar now support transformed program
      names (fixes Debian Bug#501947).
    * Update sqlite3 adaptor to take advantage of sqlite3_prepare_v2()
      API function that appeared in SQLite 3.3.9.
      The new _v2 interface allows for more specific error messages
      when executing SQL statements. Also enable extended result codes
      for more precise error reporting.

    2008-07-21

    * Update doc/integrating-with-postfix: the script now suggests
      sendmail -G -i (where -G will be ignored by Postfix before 2.3)
      to tell Postfix it's a gateway submission, not an original
      injection; the filter pipe(8) magic for master.cf now suggests
      flags=Rq (was flags=R), as per Postfix's FILTER_README.

    2008-07-09

    * Drop support for systems that reverse setvbuf arguments. The last
      systems to do that are reported to be shipped in 1987 by the
      autoconf manual, so ditch them.

    2008-05-18

    * Promoted to "stable"

1.1.7   2008-05-04 (released)

    2008-04-30

    * Updated sendmail milter contrib/bogofilter-milter.pl to v1.45
      (thanks to Jonathan Kamens)

    2008-04-28

    * Added maildir training info to English and French FAQs.
      (thanks to Karl Schmidt and to Mouss)

    2008-04-26

    * Fix uninitialized variable in lexer.c when unicode is disabled.
      Patch provided by Roman Trunov.

    2008-04-20

    * In process_arg functions use the val parameter rather than optarg.
      Patch provided by Roman Trunov.

    2008-04-18

    * Function process_arg now has the same prototype for bogofilter,
      bogolexer, bogoutil, and bogotune. The proper version is called by
      function read_config_file for all programs. Problem reported by
      Roman Trunov.

    2008-04-17

    * Update Doxyfile for doxygen v1.5.5

    2008-04-16

    * Fixed syntax errors in t.valgrind test

    2008-03-21

    * bf_compact now supports compacting databases that use QDBM, Tokyo
      Cabinet or SQLite3 and is covered by the test suite.

    2008-03-19

    * bf_compact now verifies databases before dumping them, to avoid
      getting into an unterminated loop and wasting all diskspace.
    * Bogoupgrade now verifies databases before dumping them, to avoid
      getting into an unterminated loop and burning all memory or disk
      space when the database is corrupt. This should fix
      Debian Bug#226643 and Debian Bug#226646.
    * Bogoupgrade now uses Pod::Usage to print usage/help, prints error
      messages that are a bit more concise and validates arguments a bit
      stricter.

    2008-02-08

    * Bump required sqlite version to 3.5.4, earlier versions could
      sometimes corrupt the database. Update install-staticdblibs.sh.
      Bogofilter will complain when used with older versions.

    2008-01-05

    * bf_compact problem fixed. Reported by Thomas Novin.

1.1.6   2007-11-25 (released)

    * Transaction support added for TokyoCabinet datastore.
      (thanks to Pierre Habouzit)
    * Bump required sqlite version to 3.4.2 and fix related compiler
      warnings. Bogofilter will complain when used with older versions.

    2007-11-22

    * Support for TokyoCabinet datastore added.
      (thanks to Pierre Habouzit)

    2007-08-14

    * doc/README.db was updated to BerkeleyDB 4.6
    * doc/README.db: section 3.5 was added, with information on how to
      resolve "Logging region out of memory; you may need to increase
      its size", section 4.2 now documents set_lg_regionmax.

    2007-07-23

    * The upstream repository was migrated to SVN. In order to check the
      code out, use this command (one line):
      svn co https://bogofilter.svn.sourceforge.net/svnroot/bogofilter/trunk/bogofilter/ bogofilter

    2007-07-22

    * The install-staticdblibs.sh script was relicensed under GNU GPL
      v3, adjusted to download Berkeley DB 4.2 from oracle.com, adds
      patch #5, and updated to build SQLite 3.4.1.
      In order to force a rebuild of the updated library, do:
          rm -rf /opt/db-4.2-lean /opt/sqlite-3-lean
      and re-run the script.
    * The recommended minimum sqlite3 version is now 3.4.0, bogofilter
      will warn if used with older versions. Bugs that could cause
      database corruption in rare circumstances have been fixed in
      sqlite3. See doc/README.sqlite for details.
    * Updated sendmail milter contrib/bogofilter-milter.pl to v1.27
      (thanks to Jonathan Kamens)

    2007-02-25

    * Add '--spam-header-place={header}' to specify header line before
      which the X-Bogosity line is placed.

    2007-02-14

    * Support --db-verify for sqlite3.
    * Fix defect where the database verification method would not be
      called for traditional Berkeley DB databases. Reported by
      Eric Wood.

    2007-01-28

    * Fix test suite for situations where there are blanks in the test
      or working directories' names.
    * Repair passthrough defect on systems whose standard system library
      makes a distinction between text and binary mode in stdio stuff.

1.1.5   2007-01-14 (released)
        2007-01-25 (declared stable)

    * Fixed Makefile dependency problem. (reported by Andras Salamon)
      This took several iterations to get right.

    2007-01-11

    * Fixed block-on-subnets problem. (thanks to Jack Bailey)

    2007-01-10

    * Added block-on-subnets regression test.

1.1.4   2007-01-01 (released)

    * Update copyright notices.

    2006-12-08

    * Add GSL dependency to bogofilter target to support parallel makes.
      (reported by Martin von Gagern)

    2006-12-05

    * Fixed problem in flex-2.5.4 patch.
      (reported by Boris 'pi' Piwinger)

1.1.3   2006-12-03 (released)
        2006-12-20 (declared stable)

    * Fixed typo in configure.ac.
      (reported by Boris 'pi' Piwinger and Torsten Veller)

1.1.2   2006-12-02 (released)

    2006-12-01

    * Revise install-staticlibs.sh's links for retrieving database
      tarball and patches.
    * Revise make rules for generating statically linked RPM.

    2006-11-29

    * Provide separate flex patches for 2.5.4 and 2.5.3x

    2006-11-26

    * Updated file comment for lexer_v3.l and removed unneeded rules T1,
      T12, SHORT_TOKEN, and TOKEN_12.
    * Miscellaneous minor cleanups of lexer_v3.l classes and rules.
    * Patch flex skeleton code problem which can cause a seg-fault.
      (reported by Michael Gerdau)

    2006-11-21

    * Fix processing of "--unicode=no" option.

    2006-11-18

    * Fix prefixes for ip address and url tokens. Restore colon that was
      dropped in token.c edit for bogofilter-1.1.0.

    2006-11-04

    * Fixed problem parsing message ids, which can cause a seg-fault on
      an x86_64.
      (reported by Torsten Veller)

    2006-10-03

    * Added '--ham-true' option for bogofilter (to match docs)

    2006-08-26

    * FAQ's updated to point to current sylpheed-claws wiki
      (thanks to Paul Mangan)

1.1.1   2006-08-23 (released)
        2006-09-01 (declared stable)

    2006-08-22

    * Added bogofilter-faq-it.html, an Italian translation of the FAQ
      (thanks to Marco Bozzolan).

    2006-08-10

    * Fixed minor header/body multi-word token defect.

1.1.0   2006-08-09 (released)
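
Added example, not part of the announcement and not bogofilter's code or the CVE-2010-2494 patch: a defensive base64 decoder illustrating the two hardening themes in the 1.2.2 entries above (rejecting invalid base64 input without writing outside the output buffer, and casting a char to unsigned char before using it as an array subscript). All function names here (index_signed, index_unsigned, b64_decode) are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Index a signed char yields for a raw byte: negative for bytes >= 0x80. */
int index_signed(unsigned char byte) { return (int)(signed char)byte; }
/* Index after the cast to unsigned char: always within 0..255. */
int index_unsigned(char c) { return (int)(unsigned char)c; }

static signed char b64val[256];   /* -1 marks a byte outside the alphabet */
static int b64_ready;

static void b64_init(void)
{
    const char *abc = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                      "abcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(b64val, -1, sizeof b64val);
    for (int i = 0; abc[i] != '\0'; i++)
        b64val[(unsigned char)abc[i]] = (signed char)i;
    b64_ready = 1;
}

/* Decode len base64 characters into out (capacity cap). Returns the decoded
 * length, or -1 for invalid input or a too-small buffer; out is never
 * written past cap. */
long b64_decode(const char *in, size_t len, unsigned char *out, size_t cap)
{
    size_t n = 0, pad = 0;
    if (!b64_ready) b64_init();
    if (len % 4 != 0) return -1;                 /* truncated input */
    if (len >= 4 && in[len - 1] == '=') pad++;
    if (pad == 1 && in[len - 2] == '=') pad++;
    if (len / 4 * 3 - pad > cap) return -1;      /* check size before writing */
    for (size_t i = 0; i < len; i += 4) {
        unsigned long quad = 0;
        for (size_t j = 0; j < 4; j++) {
            int is_pad = (i + j >= len - pad);   /* only trailing '=' allowed */
            int v = is_pad ? 0 : b64val[(unsigned char)in[i + j]];
            if (v < 0) return -1;                /* byte outside the alphabet */
            quad = (quad << 6) | (unsigned long)v;
        }
        size_t take = (i + 4 == len) ? 3 - pad : 3;
        for (size_t k = 0; k < take; k++)
            out[n++] = (unsigned char)(quad >> (16 - 8 * k));
    }
    return (long)n;
}
```

The size check runs before any byte is stored, so a caller that passes the true capacity of its buffer cannot be made to overflow it by malformed or oversized input.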