Recommended versions of Perl modules?

Mark Martinec Mark.Martinec+amavis at ijs.si
Thu Aug 23 17:57:35 CEST 2012 

Ralf,

> At startup, my amavisd-new-2.8 reports:
> 
> Aug 21 13:22:08 mail amavis[17712]: Module Amavis::Conf        2.316
> Aug 21 13:22:08 mail amavis[17712]: Module Archive::Zip        1.30
> Aug 21 13:22:08 mail amavis[17712]: Module BerkeleyDB          0.49
> Aug 21 13:22:08 mail amavis[17712]: Module Compress::Zlib      2.033
> Aug 21 13:22:08 mail amavis[17712]: Module Convert::TNEF       0.17
> Aug 21 13:22:08 mail amavis[17712]: Module Convert::UUlib      1.4
> Aug 21 13:22:08 mail amavis[17712]: Module Crypt::OpenSSL::RSA 0.27
> Aug 21 13:22:08 mail amavis[17712]: Module DB_File             1.821
> Aug 21 13:22:08 mail amavis[17712]: Module Digest::MD5         2.51
> Aug 21 13:22:08 mail amavis[17712]: Module Digest::SHA         5.70
> Aug 21 13:22:08 mail amavis[17712]: Module Digest::SHA1        2.13
> Aug 21 13:22:08 mail amavis[17712]: Module Encode              2.42_01
> Aug 21 13:22:08 mail amavis[17712]: Module File::Temp          0.22
> Aug 21 13:22:08 mail amavis[17712]: Module IO::Socket::INET6   2.69
> Aug 21 13:22:08 mail amavis[17712]: Module MIME::Entity        5.502
> Aug 21 13:22:08 mail amavis[17712]: Module MIME::Parser        5.502
> Aug 21 13:22:08 mail amavis[17712]: Module MIME::Tools         5.502
> Aug 21 13:22:08 mail amavis[17712]: Module Mail::DKIM::Signer  0.39
> Aug 21 13:22:08 mail amavis[17712]: Module Mail::DKIM::Verifier 0.39
> Aug 21 13:22:08 mail amavis[17712]: Module Mail::Header        2.08
> Aug 21 13:22:08 mail amavis[17712]: Module Mail::Internet      2.08
> Aug 21 13:22:08 mail amavis[17712]: Module Mail::SPF           v2.008
> Aug 21 13:22:08 mail amavis[17712]: Module Mail::SpamAssassin  3.003002
> Aug 21 13:22:08 mail amavis[17712]: Module Net::DNS            0.66
> Aug 21 13:22:08 mail amavis[17712]: Module Net::Server         0.99
> Aug 21 13:22:08 mail amavis[17712]: Module NetAddr::IP         4.058
> Aug 21 13:22:08 mail amavis[17712]: Module Razor2::Client::Version 2.83
> Aug 21 13:22:08 mail amavis[17712]: Module Scalar::Util        1.23
> Aug 21 13:22:08 mail amavis[17712]: Module Socket              1.94
> Aug 21 13:22:08 mail amavis[17712]: Module Socket6             0.23
> Aug 21 13:22:08 mail amavis[17712]: Module Time::HiRes         1.972101
> Aug 21 13:22:08 mail amavis[17712]: Module URI                 1.59
> Aug 21 13:22:08 mail amavis[17712]: Module Unix::Syslog        1.1
> 
> Looking at the INSTALL document seems to suggest some versions:
> 
> Archive::Zip   (Archive-Zip-x.xx) (1.14 or later, currently 1.23)
> Compress::Zlib (Compress-Zlib-x.xx) (1.35 or later, currently 2.008)
> Compress::Raw::Zlib (Compress-Raw-Zlib) (2.017 or later)
> Convert::TNEF  (Convert-TNEF-x.xx)
> Convert::UUlib (Convert-UUlib-x.xxx) (1.08 or later, stick to new versions!)
> MIME::Base64   (MIME-Base64-x.xx)
> MIME::Parser   (MIME-Tools-x.xxxx) (latest version from CPAN - currently 5.425)
> Mail::Internet (MailTools-1.58 or later have workarounds for Perl 5.8.0 bugs)
> Net::Server    (Net-Server-x.xx) (version 0.88 finally does setuid right)
> Digest::MD5    (Digest-MD5-x.xx) (2.22 or later)
> IO::Stringy    (IO-stringy-x.xxx)
> Time::HiRes    (Time-HiRes-x.xx) (use 1.49 or later, older can cause problems)
> Unix::Syslog   (Unix-Syslog-x.xxx)
> BerkeleyDB     with bdb library (preferably 4.4.20 or later)
> Mail::DKIM     (Mail-DKIM-0.31 or later)

The 'currently' in INSTALL is largely outdated.
The listed minimal version is a version just beyond some serious
flaw was fixed.

> But for example Compress::Raw::Zlib, MIME::Base64 and IO::Stringy are
> not reported at all.

Will add the Compress::Raw::Zlib to the list. Generally it comes
bundled with Compress::Zlib, which is reported.

The MIME::Base64 and IO::String are just listed as pre-requisites,
no minimal version is prescribed, so I did not consider worth reporting
a version of such modules.

> Mail::DKIM on the other hand seems to be split into
> Mail::DKIM::Signer and Mail::DKIM::Verifier

Right, the Mail::DKIM is just an empty wrapper.
The Mail::DKIM::Signer and Mail::DKIM::Verifier generally
show the same version.

> Are these recommendations still valid (especially regarding the
> version numbers).

I'll brush the dust off the INSTALL a bit.
I can't think of some serious flaw in some module past the stated
minimal version that would directly affect amavisd, but I'm sure
there were more bugfixes in later versions.

Generally: read fresh release notes of modules in use,
consider if they sound like affecting amavisd or SpamAssassin,
and stick to recent versions.

> And: Is there an automatic check for "version at
> least xyz" built in?

There is a small handful of such test for the most critical
security flaws, but generally no.
Search for '->VERSION(' in amavisd.

  Mark

More information about the amavis-users mailing list