[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: spamassassin security update in Debian jessie LTS

On Sat, Feb 01, 2020 at 03:28:09PM +0000, Mike Gabriel wrote:
> So, I'd like to play the ball back to Noah. Do you think, that applying the
> security patches is sufficient for spamassassin in stretch/buster? Or have
> their been so many other fixes(TM) that justify an upstream backport to
> jessie/stretch/buster.

Fixes for the current CVEs are not difficult, and I should be able to
make an LTS upload soonish.  See

> Esp. I am thinking about future compatibilitiy with (upstream'ish) ruleset
> updates when those are performed on a Debian (old(old))stable system using
> sa-update.

The big concern would be upstream dropping support for SHA1 signatures
on rules updates.  However, since jessie has already been updated to
3.4.2, that should not be an issue.  Other changes are *mostly* gated on
plugin availability.  You may end up unable to take advantage of new
rules added via sa-update, but you won't necessarily break.

If you want new plugins to be available, then IMO you should probably be
making use of the backports repositories rather than security updates.

> For jessie, I will follow what Noah will be doing in stretch+buster, then.
> Valid point. Thanks for bringing it up again, Salvatore.

If you'd like to make a jessie upload based on that's in the
jessie-security branch on salsa, please be my guest.


Reply to: