amavisd-new-2.7.1-rc1 release candidate

Mark Martinec Mark.Martinec+amavis at ijs.si
Tue Apr 10 20:30:08 CEST 2012


The amavisd-new-2.7.1-rc1 is a release candidate for a bug-fix-only
update over the current stable version 2.7.0. All known bug fixes
have been backported from a development version (2.8.0).

Available at:
  http://www.ijs.si/software/amavisd/amavisd-new-2.7.1-rc1.tar.gz

Release notes:
  http://www.ijs.si/software/amavisd/release-notes.txt

Review and testing are welcome; the final 2.7.1 release is
expected in a week or so.



amavisd-new-2.7.1 release notes

BUG FIXES

- prevent rmdir() from failing with 'Invalid argument' on Solaris 10 when
  deleting a temporary directory: current working directory must not be
  within a directory which is about to be deleted; reported and diagnosed
  by Maciej Uhlig;

- forwarding or quarantining through a 'pipe:' method failed with
  "Insecure dependency in exec while running with -T switch" when a
  sendmail command-line option -N was needed; reported by Andreas Schulze;

- fix defanging by mimedefang, it was failing with perl 5.10 or later
  due to an unhandled "Insecure dependency in sprintf" while logging the
  result if the $log_level was 2 or higher, or when debugging was enabled;
  thanks to Steve Scotter for a problem report;

- fix defanging by Anomy::Sanitizer, it was failing with an error message:
  "mangling by anomy failed: replacement size 0, mail will pass unmodified";

- fix the 'xz' entry in a default @decoders list (in files amavisd.conf,
  amavisd.conf-default and amavisd); the first two variants ('xzdec' and
  'xz') were glued together, so the xz decoder was only available if found
  under names 'unxz' or 'xzcat';

- provide a workaround for a bug [rt.cpan.org #64642] in a perl module
  Encode, which gratuitously untaints a string when encoding or decoding it:
    https://rt.cpan.org/Public/Bug/Display.html?id=64642
    (still unfixed in Encode 2.44, perl 5.14.2);
  A module Scalar::Util is now required, which should not be a compatibility
  problem, as this module is a Perl core module since perl 5.8.0.

- avoid the use of Encode::is_utf8 due to a bug in a perl module Encode
  as bundled with versions of Perl 5.8.0 to 5.8.8 (fixed in March 2007):

  Perl bug tracking: #32687:
    Encode::is_utf8 on tainted UTF8 string returns false
    https://rt.perl.org/rt3/Public/Bug/Display.html?id=32687
  also referenced by #37170:
    https://rt.perl.org/rt3/Public/Bug/Display.html?id=37170

  This is a re-manifestation of the same problem we had back in 2004,
  with a workaround provided by amavisd-new-2.2.1.  Forgot that people
  are still using Perl 5.8 :)  Reported by Peter Dieth;

- fix a warning: _WARN: Invalid conversion in sprintf: "%a"

- write informational messages during a stop/start/restart to stdout,
  instead of to stderr, avoiding unnecessary cron job messages;
  thanks to Cristian Seres, Sandro Janke and John Griffiths;
  also: https://bugzilla.redhat.com/show_bug.cgi?id=561389 

- fix a syntactically incorrect 'Avira SAVAPI' av entry (missing
  closing bracket) in a sample configuration file amavisd.conf;

- minor: get_body_digest incorrectly logged 8-bit body as 8-bit header;

- no longer insist on a minimal version 2.22 of a module Digest::MD5,
  the 'clone' method is no longer needed since amavisd-new-2.7.0;

- do not call $parser->max_parts($MAXFILES) with some old versions
  of MIME::Parser which did not yet provide this method;

- pre-load a module File::Glob even with perl 5.8.0, otherwise
  autowhitelisting in SpamAssassin may fail with "Insecure dependency";


COMPATIBILITY

- commented out the LHA entry in the default @decoders list and in
  do_executable(). The program seems to be unmaintained, was seen crashing
  and as such it may pose a security risk; pointed out by Thomas Jarosch;

- due to popular demand, bring the 'spam-tag:' log line back to log level 2
  (version 2.7.0 dropped it to log level 3) to retain compatibility with
  some log analyzers. Caveat: 'spam-tag' string is now entirely in lowercase.
  Suggested by Stefan Jakobs;


OTHER

- if a message is quarantined to more than one location using different
  quarantine methods, the SQL field msgs.quar_type indicates only the
  type of the last one. When archival quarantining is enabled this choice
  is unfortunate, as the primary quarantine type is more interesting
  than the permanent archival quarantine type. This is now reversed,
  the msgs.quar_type field now reflects the first quarantine type.
  Suggested by Patrick Ben Koetter.

- ClamAV-clamd and ClamAV-clamd-stream av scanners: changed socket name
  in a sample configuration file amavisd.conf to /var/run/clamav/clamd.sock
  (previously the socket name was /var/run/clamav/clamd); this makes it
  compatible with a default socket name under several Linux distributions
  and under FreeBSD; suggested by Oliver Schinagl;

- documentation updates;




Mark
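
The Encode item in the release notes above describes a library call that drops the taint flag from a string. The following is an added example, not code from amavisd-new or from the original post: it checks with Scalar::Util::tainted whether a decoded string lost its taint and restores it. The helper name decode_keep_taint and the sample data are hypothetical.

```perl
# Run as: perl -T taint_decode.pl   (taint mode must be on)
use strict;
use warnings;
use Encode ();
use Scalar::Util qw(tainted);

# Hypothetical helper (not an amavisd-new routine): decode octets and
# make sure the result is tainted whenever the input was.
sub decode_keep_taint {
  my ($charset, $octets) = @_;
  my $chars = Encode::decode($charset, $octets);
  if (defined $chars && tainted($octets) && !tainted($chars)) {
    # A zero-length substr of a tainted string is itself tainted;
    # appending it restores the taint flag without changing the text.
    $chars .= substr($octets, 0, 0);
  }
  return $chars;
}

die "taint mode is off, run with perl -T\n" unless ${^TAINT};

# Constructed sample: UTF-8 octets for "cafe" with an accented e, tainted
# by borrowing taint from an environment variable (assumes PATH is set).
my $octets = "caf\xC3\xA9" . substr($ENV{PATH} // '', 0, 0);
die "sample is not tainted, is the environment empty?\n"
  unless tainted($octets);

my $plain = Encode::decode('UTF-8', $octets);       # unprotected call
my $kept  = decode_keep_taint('UTF-8', $octets);    # with the check

printf "Encode::decode result tainted:    %s\n", tainted($plain) ? 'yes' : 'no';
printf "decode_keep_taint result tainted: %s\n", tainted($kept)  ? 'yes' : 'no';
printf "decoded text identical:           %s\n", $plain eq $kept ? 'yes' : 'no';
```

The first line of output depends on the installed Encode version; the second should read "yes" on any version, which is the property a taint-mode daemon relies on before passing mail-derived strings to exec or file operations.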

