spamassassin (3.4.2-1) unstable; urgency=medium
Prior to version 3.4.2-1, spamd could be enabled by setting ENABLED=1 in
/etc/default/spamassassin. This pattern is discouraged Debian, is not
supported by the systemd unit file, and is considered
deprecated. Instead, please use the update-rc.d command, invoked for
example as "update-rc.d spamassassin enable", to enable the spamd
service.
-- Noah Meyerhans <noahm@debian.org> Sun, 23 Sep 2018 17:06:30 -0700
spamassassin (3.3.2-8) unstable; urgency=low
As of spamassassin 3.3.2-8, sa-compile has been split into its own
......
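Review bot: The 3.4.2-1 NEWS text has a dropped word in "This pattern is discouraged Debian" (it should read "discouraged in Debian" or "discouraged by Debian policy"). It also says ENABLED=1 "is not supported by the systemd unit file" without saying what happens to an existing ENABLED=1 on upgrade. Since the changelog states the setting is preserved on systemd systems, say so here so admins know no action is needed in that case.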
spamassassin (3.4.2-1~deb9u1) stable-security; urgency=medium
* Backport 3.4.2-1 to stretch.
-- Noah Meyerhans <noahm@debian.org> Fri, 26 Oct 2018 08:12:52 -0700
spamassassin (3.4.2-1) unstable; urgency=medium
* New upstream release fixes multiple security vulnerabilities
- CVE-2017-15705: Denial of service issue in which certain unclosed
tags in emails cause markup to be handled incorrectly leading to
scan timeouts.
scan timeouts. (Closes: 908969)
- CVE-2016-1238: Unsafe usage of "." in @INC in a configuration
script.
- CVE-2018-11780: potential Remote Code Execution bug with the
PDFInfo plugin.
PDFInfo plugin. (Closes: 908970)
- CVE-2018-11781: local user code injection in the meta rule syntax.
(Closes: 908971)
- BayesStore: bayes_expire table grows, remove_running_expire_tok not
called (Closes: 883775)
- Fix use of uninitialized variable warning in PDFInfo.pm
(Closes: 865924)
- Fix "failed to parse plugin" error in
Mail::SpamAssassin::Plugin::URILocalBL (Closes: 891041)
* Don't recursively chown /var/lib/spamassassin during postinst.
(Closes: 889501)
-- Noah Meyerhans <noahm@debian.org> Mon, 17 Sep 2018 23:44:06 -0700
* Reload spamd after compiling rules in sa-compile.postinst.
* Preserve locally set ENABLED=1 setting from /etc/default/spamassassin
when installing on systemd-based systems. (Closes: 884163, 858457)
* Update SysV init script to cope with upstream's change to $0.
* Remove compiled rules upon removal of the sa-compile package.
* Ensure that /var/lib/spamassassin/compiled doesn't change modes with
the cron job's execution. (Closes: 890650)
* Update standards version to 4.2.1
* Create /var/lib/spamassassin via dpkg, rather than the postinst.
(Closes: 891833)
-- Noah Meyerhans <noahm@debian.org> Sun, 30 Sep 2018 23:44:58 -0700
spamassassin (3.4.1-8) unstable; urgency=medium
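Review bot: Bug references in the new 3.4.2-1 entries are written as "(Closes: 908969)", while the older entries in this file use the "#" form, as in "(Closes: #850454)". Pick one style for the file. The CVE-2016-1238 item is also the only CVE line without a bug reference, so add one if a bug exists.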
......@@ -26,7 +49,7 @@ spamassassin (3.4.1-8) unstable; urgency=medium
* Add Multi-Arch: foreign headers to package definitions (Closes:
#850454)
* Update standards version to 4.1.0.0
* Remove references to the obsolte syslog.target dependency in the
* Remove references to the obsolete syslog.target dependency in the
systemd service file.
* Clarify the use of the perl-major-upgrade dpkg trigger.
* Fix spamd service manage on upgrades. (Closes: #865356)
......
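Review bot: While correcting "obsolte" in the 3.4.1-8 entry, the context line "Fix spamd service manage on upgrades" two bullets later also looks like a dropped word ("management"). If released changelog entries are being edited anyway, fix both in the same commit.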
......@@ -5,7 +5,7 @@ Maintainer: Noah Meyerhans <noahm@debian.org>
Build-Depends: debhelper, perl, libssl-dev, libhtml-parser-perl,
libnet-dns-perl, libnetaddr-ip-perl, debhelper (>= 9.20160709),
libberkeleydb-perl, netbase
Standards-Version: 4.1.0.0
Standards-Version: 4.2.1.0
Homepage: https://www.spamassassin.org/
Vcs-Git: https://salsa.debian.org/debian/spamassassin.git
Vcs-Browser: https://salsa.debian.org/debian/spamassassin
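Review bot: Build-Depends in the context lines lists debhelper twice, once bare and once as "debhelper (>= 9.20160709)"; drop the unversioned entry while touching this stanza. The changelog says "Update standards version to 4.2.1" but the field is set to 4.2.1.0, so make the two agree.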
......@@ -17,7 +17,8 @@ Multi-Arch: foreign
Depends: perl, libhtml-parser-perl, libsocket6-perl, adduser,
libsys-hostname-long-perl, libarchive-tar-perl, libnet-dns-perl,
libnetaddr-ip-perl, libhttp-date-perl, libmail-dkim-perl,
lsb-base (>= 3.0-6), libwww-perl | curl | w3m, ${misc:Depends}
lsb-base (>= 3.0-6), libwww-perl | curl | w3m,
init-system-helpers (>= 1.51), ${misc:Depends}
Recommends: spamc, sa-compile, libmail-spf-perl,
libsys-syslog-perl, gnupg, libio-socket-inet6-perl
Suggests: razor, libio-socket-ssl-perl, libdbi-perl, pyzor,
......
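Review bot: The new "init-system-helpers (>= 1.51)" dependency is not explained anywhere in the visible changelog bullets. Add a changelog line naming the feature that needs it (the postinst now calls "update-rc.d -f spamassassin defaults-disabled" and deb-systemd-helper), so that a future backporter knows whether the version bound can be relaxed.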
......@@ -127,10 +127,11 @@ binary-indep: build-indep install-indep
dh_installdocs -i
dh_installexamples -i
dh_systemd_enable -i --no-enable
dh_installinit -i --no-start -- defaults 19 21
dh_installinit -i --no-enable --no-start
dh_systemd_start -i --no-start
dh_installcron -i
dh_installchangelogs Changes -i
dh_lintian
dh_link -i
dh_compress -i -XGPG.KEY
dh_fixperms -i
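Review bot: The added "dh_lintian" is the only dh_ call in binary-indep without "-i", so it acts on every package rather than just the arch-independent ones built by this target. Use "dh_lintian -i" here and make sure binary-arch has a matching "dh_lintian -a".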
......@@ -144,7 +145,7 @@ binary-indep: build-indep install-indep
build-arch: build-arch-stamp
#build-arch-stamp: configure debian/po/templates.pot
build-arch-stamp: configure
build-arch-stamp: configure-stamp
dh_testdir
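Review bot: The commented-out alternative "#build-arch-stamp: configure debian/po/templates.pot" directly above still names the old "configure" prerequisite. Either update it to configure-stamp or delete it, otherwise the next person to uncomment it reintroduces the dependency this hunk is replacing.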
......@@ -158,7 +159,7 @@ build-arch-stamp: configure
touch build-arch-stamp
install-arch: DH_OPTIONS=
install-arch: build-arch
install-arch: build-arch-stamp
dh_testdir
dh_testroot
dh_prep
......@@ -166,7 +167,7 @@ install-arch: build-arch
cp spamc/spamc debian/spamc/usr/bin/spamc
binary-arch: build-arch install-arch
binary-arch: build-arch-stamp install-arch
dh_testdir -a
dh_testroot -a
dh_installdocs -a
......
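Review bot: In "binary-arch: build-arch-stamp install-arch" the first prerequisite is redundant, because the previous hunk already makes install-arch depend on build-arch-stamp. More generally, these hunks switch callers from the build-arch target to the stamp file but leave "build-arch: build-arch-stamp" in place. A one-line comment saying why targets must depend on the stamp directly would keep this from being reverted as cleanup.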
......@@ -8,6 +8,17 @@ sa_compile() {
if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile ]; then
echo "Running sa-compile (may take a long time)"
su - $OWNER -c "sa-compile --quiet"
# Fixup perms -- group and other should be able to
# read and execute, but never write. Works around
# sa-compile's failure to obey umask.
runuser -u debian-spamd -- \
chmod -R go-w,go+rX /var/lib/spamassassin/compiled
if command -v invoke-rc.d >/dev/null 2>&1; then
invoke-rc.d --quiet spamassassin status > /dev/null && \
invoke-rc.d spamassassin reload > /dev/null 2>&1 || true
else
/etc/init.d/spamassassin reload > /dev/null 2>&1 || true
fi
fi
}
......
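Review bot: The added chmod runs under a hard-coded "runuser -u debian-spamd", while the sa-compile call just above it runs as "su - $OWNER". If OWNER ever resolves to a different account, the chmod is attempted by a user that does not own the compiled files and fails. Use the same (quoted) "$OWNER" for both. In the reload block, "invoke-rc.d --quiet spamassassin status > /dev/null" leaves stderr unredirected, unlike the reload call on the next line.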
......@@ -42,7 +42,8 @@ do_compile() {
# Fixup perms -- group and other should be able to
# read and execute, but never write. Works around
# sa-compile's failure to obey umask.
chmod -R go-w,go+rX /var/lib/spamassassin/compiled
runuser -u debian-spamd -- \
chmod -R go-w,go+rX /var/lib/spamassassin/compiled
fi
}
......
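Review bot: The comment above the chmod still only explains the permission fix and says nothing about why the command is now wrapped in "runuser -u debian-spamd". Add a sentence giving the reason for dropping privileges here, and state what should happen if runuser fails (for example when the account is missing), since the result of the chmod is not checked in the visible lines.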
......@@ -4,11 +4,10 @@
# WARNING: please read README.spamd before using.
# There may be security risks.
# If you're using systemd (default for jessie), the ENABLED setting is
# not used. Instead, enable spamd by issuing:
# systemctl enable spamassassin.service
# Change to "1" to enable spamd on systems using sysvinit:
ENABLED=0
# Prior to version 3.4.2-1, spamd could be enabled by setting
# ENABLED=1 in this file. This is no longer supported. Instead, please
# use the update-rc.d command, invoked for example as "update-rc.d
# spamassassin enable", to enable the spamd service.
# Options
# See man spamd for possible options. The -d option is automatically added.
......
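Review bot: The new comment says setting ENABLED=1 "is no longer supported", but the init script in this same change still sources this file and its check_enabled still refuses to start when ENABLED is 0. An admin who kept a local "ENABLED=0" line and then runs "update-rc.d spamassassin enable" will get a service that stays down under sysvinit. Mention in the comment that any leftover ENABLED line must be removed.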
......@@ -8,3 +8,4 @@ usr/share/doc/spamassassin/rules
usr/share/spamassassin
usr/share/man/man8
usr/sbin
/var/lib/spamassassin
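Review bot: The added "/var/lib/spamassassin" is written with a leading slash, while every other entry in this file is relative ("usr/share/spamassassin", "usr/sbin"). Write it as "var/lib/spamassassin" for consistency with the rest of the list.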
......@@ -5,7 +5,6 @@ UPGRADE
USAGE
NOTICE
#ldap/README
rules/STATISTICS*.txt
#spamd/README
spamd/README.vpopmail
sql/
......@@ -26,7 +26,6 @@ export TMPDIR=/tmp
# Apparently people have trouble if this isn't explicitly set...
# Defaults - don't touch, edit /etc/default/spamassassin
ENABLED=0
OPTIONS=""
NICE=
......@@ -36,6 +35,9 @@ test -f /etc/default/spamassassin && . /etc/default/spamassassin
DOPTIONS="-d --pidfile=$PIDFILE"
# Note: check_enabled should go away as soon as possible after the
# next stable release to complete the transition away from using
# ENABLED=1 in /etc/default/spamassassin
check_enabled() {
if [ "$ENABLED" = "0" ]; then
echo "$DESC: disabled, see /etc/default/spamassassin"
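Review bot: check_enabled still prints "disabled, see /etc/default/spamassassin", but after this change the shipped version of that file no longer carries an ENABLED line and tells the reader the setting is unsupported. While the function remains, extend the message to name the replacement ("update-rc.d spamassassin enable") and note in the new comment that an unset ENABLED now means the script starts the daemon.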
......@@ -51,30 +53,30 @@ case "$1" in
start)
check_enabled
echo -n "Starting $DESC: "
start-stop-daemon --start --pidfile $PIDFILE --name $DAEMON \
start-stop-daemon --start --pidfile $PIDFILE --name $NAME \
$NICE --oknodo --startas $DAEMON -- $OPTIONS $DOPTIONS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --pidfile $PIDFILE --name $DAEMON --oknodo
start-stop-daemon --stop --pidfile $PIDFILE --name $NAME --oknodo
echo "$NAME."
;;
reload|force-reload)
check_enabled
echo -n "Reloading $DESC: "
start-stop-daemon --stop --pidfile $PIDFILE --signal HUP --name $DAEMON
start-stop-daemon --stop --pidfile $PIDFILE --signal HUP --name $NAME
echo "$NAME."
;;
restart)
check_enabled
echo -n "Restarting $DESC: "
start-stop-daemon --stop --pidfile $PIDFILE --name $DAEMON \
start-stop-daemon --stop --pidfile $PIDFILE --name $NAME \
--retry 5 --oknodo
start-stop-daemon --start --pidfile $PIDFILE --name $DAEMON \
start-stop-daemon --start --pidfile $PIDFILE --name $NAME \
$NICE --oknodo --startas $DAEMON -- $OPTIONS $DOPTIONS
echo "$NAME."
......
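Review bot: The reload|force-reload branch is the only start-stop-daemon call here without "--oknodo", so reloading when spamd is not running returns a failure that callers have to mask (the sa-compile postinst does so with "|| true"). Decide whether that is intended and document it. Also confirm that $NAME matches the process name spamd reports after upstream's change to $0, since its definition is outside this hunk, and quote "$PIDFILE" in these calls.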
# These will go away as soon as we've cleanly transitioned from ENABLED=1
init.d-script-should-always-start-service
duplicate-updaterc.d-calls-in-postinst
......@@ -11,9 +11,8 @@ if [ "$1" = "configure" ]; then
# If a new install, or an upgrade from 3.3.2-2 or earlier...
if ! getent passwd debian-spamd > /dev/null ; then
adduser --system --group --shell /bin/sh --disabled-password \
--home /var/lib/spamassassin debian-spamd
else
mkdir -p /var/lib/spamassassin
--home /var/lib/spamassassin --no-create-home \
debian-spamd
fi
OWNER=$(stat -c '%U' /var/lib/spamassassin)
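Review bot: With "--no-create-home" and the "mkdir -p" fallback removed, the directory now comes only from dpkg, and "OWNER=$(stat -c '%U' /var/lib/spamassassin)" on the next line trusts whatever owner it finds. Please confirm that on a fresh install the directory is handed to debian-spamd before this stat runs. Otherwise OWNER resolves to the account dpkg created it as, and the later commands that run as $OWNER inherit that account.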
......@@ -44,8 +43,45 @@ fi
#DEBHELPER#
# Note: the following mess should go away as soon as possible after
# the next stable release to complete the transition away from using
# ENABLED=1 in /etc/default/spamassassin
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || \
[ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
set +e
invoke-rc.d --query spamassassin start
code=$?
set -e
ENABLED=0
if [ -f /etc/default/spamassassin ]; then
. /etc/default/spamassassin
fi
if [ $code -eq 104 ] && \
! command -v systemctl > /dev/null ; then
# We're not using systemd and thus may have some sysvinit cleanup
# to do in order to comply with policy 9.3.3.1
if [ -z "$ENABLED" -o "$ENABLED" = 0 ]; then
# The rc?d symlinks are inconsistent with the value set in
# /etc/default/spamassassin. Update the symlinks to
# reflect the actual state.
update-rc.d -f spamassassin remove
update-rc.d -f spamassassin defaults-disabled
deb-systemd-helper disable spamassassin.service
fi
elif [ $code -eq 101 ] && \
command -v systemctl > /dev/null && \
[ $ENABLED -eq 1 ]; then
# We're running on a systemd system, and the service is not
# configured to start (the default), but the admin has
# previously enabled it via
# /etc/default/spamassassin. Preserve that configuration.
deb-systemd-helper enable spamassassin.service
fi
fi
if [ "$1" = "configure" ] && [ -n "$2" ]; then
if deb-systemd-helper was-enabled spamassassin.service > /dev/null; then
if deb-systemd-helper was-enabled spamassassin.service > /dev/null 2>&1; then
invoke-rc.d spamassassin restart
fi
fi
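Review bot: In the elif branch, "[ $ENABLED -eq 1 ]" is unquoted and numeric, and ENABLED has just been sourced from an admin-edited file. An empty or non-numeric value makes the test print an error during configure instead of evaluating cleanly to false. Use a quoted string comparison such as [ "$ENABLED" = 1 ], matching the quoted style of the earlier test. That earlier test uses "-o" inside a single bracket; two tests joined with || would be more robust.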
......@@ -32,6 +32,15 @@ install|upgrade)
rm_conffile spamassassin "/etc/logcheck/ignore.d.paranoid/spamassassin"
rm_conffile spamassassin "/etc/logcheck/violations.ignore.d/spamassassin"
fi
if dpkg --compare-versions "$2" lt-nl "3.4.2" &&
! command -v systemctl > /dev/null; then
# spamd changed its process name in 3.4.2. If we're running a
# previous version under sysvinit, we need to stop the old
# version
start-stop-daemon --stop --oknodo \
--pidfile /var/run/spamd.pid \
--name /usr/sbin/spamd
fi
esac
#DEBHELPER#
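Review bot: The added stop call has no "--retry", so preinst can return while the old spamd is still exiting, whereas the init script's restart path uses "--retry 5". It also hard-codes "--pidfile /var/run/spamd.pid" where the init script uses $PIDFILE. Add a retry schedule and note in the comment that the pidfile path is assumed to be the packaged default.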