
Re: spamassassin 3.1.8



On Tue, Feb 13, 2007 at 07:51:26PM -0800, Steve Langasek wrote:
> > 3.1.8 is a major bug-fix release, including the following issues:

> > - bug 5318: set a maximum internal length for URIs
> > - bug 5240: disable perl module usage in update channels unless
> >   --allowplugins is specified

> this one in particular seems like a behavior change that shouldn't be
> introduced into etch at this late stage of the freeze.

FWIW, this is more or less a security fix.

sa-update currently (without this change) will download rule updates
blindly from a trusted rule provider, and this can include new plugins
and thus new code. With this patch, rule providers will be unable to
provide new plugins, but as far as I know this doesn't affect any
known rule providers (certainly not the default spamassassin one), so
it won't break anything. It's basically to prevent a huge disaster if
a user uses a compromised or malicious rule provider.

I would actually like to backport this change as well if possible.

> > - bug 5056: remove Text::Wrap related code due to upstream issues

> hmm, also sounds like a risky change during a freeze.

This is a valid concern.

> So yes, a backport of the security fix would be appreciated.

Would you mind if I backported the fix to 5240 as well? (I'd provide a
URL with more info, but it's currently classified as a security issue
and restricted to the SA committers.)

-- 
Duncan Findlay
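The risk described above is that a rule update can carry plugin-loading directives and so pull new Perl code onto the host. The following added example (not part of this thread, and not SpamAssassin's own code) is a small pre-install audit that scans a downloaded rule file for SpamAssassin's `loadplugin` / `tryplugin` directives and rejects the update unless plugins are explicitly allowed, mirroring the post-3.1.8 default; the rule text, module names and file path it scans are constructed samples.

```python
import re

# Constructed sample of a downloaded rule file; the module names and
# the .pm path are made up for the example, not a real update channel.
SAMPLE_RULES = """\
# 10_default_prefs.cf (constructed sample)
score URIBL_BLACK 1.7
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin EvilRules /var/lib/spamassassin/updates/EvilRules.pm
tryplugin Mail::SpamAssassin::Plugin::SPF
body LOCAL_FOO /foo/i
"""

# A plugin directive must start the line (a leading '#' is a comment and
# is ignored).  Optional third token is an explicit .pm path, meaning the
# update ships the code itself rather than naming a bundled module.
PLUGIN_DIRECTIVE = re.compile(r"^\s*(loadplugin|tryplugin)\s+(\S+)(?:\s+(\S+))?", re.I)


def find_plugin_loads(text):
    """Return (lineno, directive, module, path_or_None) for each plugin load."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PLUGIN_DIRECTIVE.match(line)
        if m:
            hits.append((lineno, m.group(1).lower(), m.group(2), m.group(3)))
    return hits


def audit_update(text, allow_plugins=False):
    """Accept the update only if it loads no plugins, or plugins are allowed.

    Returns (accepted, hits) so a caller can log exactly what was found.
    """
    hits = find_plugin_loads(text)
    return (allow_plugins or not hits), hits


if __name__ == "__main__":
    accepted, hits = audit_update(SAMPLE_RULES)
    print("accepted:", accepted)
    for lineno, directive, module, path in hits:
        ships_code = " (ships its own code)" if path else ""
        print(f"  line {lineno}: {directive} {module}{ships_code}")
```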
