=================
 BOGOFILTER NEWS
=================

!!!!!!!! READ THE RELEASE.NOTES !!!!!!!!

This file is in Unicode charset, with UTF-8 encoding.

Sections headed '[Incompat ]' and '[Major ]' are particularly important.
They describe changes that are incompatible with earlier releases or are
significantly different.

!!!!!!!! READ THE RELEASE.NOTES !!!!!!!!

-------------------------------------------------------------------------------

1.2.5   2019-10-11
    * Release bogofilter 1.2.5.

1.2.5.RC1   2019-09-08
    * Release candidate #1 for bogofilter 1.2.5.
    * Add a file "OBITUARY" to inform the bogofilter community that and how
      David M. Relson has passed away in 2013.
    * Matthias Andree has been maintainer since.

    2019-08-04
    * Const-ness fix initiated for KyotoCabinet driver (fixing a const
      qualifier warning there) also improves performance in some
      "full-database" operations for LMDB and SQLite3, through reduced
      memory allocation and copy operations.

    2019-06-21
    * Plugged more memory leaks (one-shot leaks in bogoutil/bogotune).
    * RPMs or scripts for static library builds have been removed.
      Bogofilter no longer supports systems that are too far out of date.
      This removes .spec files from the package (for now, it is still built
      during ./configure), disables "make rpm", and drops the
      install-staticdblibs.sh script, and removes "--enable-static" support
      from ./configure.

    2019-05-19
    * Bogofilter's source code repository has been converted to Git, and is
      hosted on GitLab and mirrored onto SourceForge.net. In contrast to
      Subversion (SVN), the prior system, Git is a distributed open-source
      version control system and has gained a lot of ground over the past
      years, and is solid and scales well.

    2018-07-19
    * Support for using LMDB (Lightning Memory-Mapped Database Manager) as
      the database back-end. Suggested, courteously implemented and
      contributed by Steffen Nurpmeso, steffen .at. sdaoden.eu.

    2018-07-17
    * The Berkeley DB backend driver forgoes DB_NOSYNC in transactional
      mode, so as to synchronize changes from the logs back into the .db
      files to keep them up to date and make environments more robust
      against a loss of log.* files, for instance, when moving databases.

    2017-09-18
    * The contrib/spamitarium.pl, originally written by Thomas 'Tom'
      Anderson, was enhanced by Jonathan Kamens and grew a few features.
      Run perldoc contrib/spamitarium.pl, or spamitarium.pl -h, to read its
      manual.

    2016-01-26
    * Apply patch from Denny Lin, with one fix, to add support for the
      KyotoCabinet embedded database library. To enable, install
      KyotoCabinet including the development files, and run
      configure --with-database=kyotocabinet when building bogofilter.
      Thanks!
    * Apply patch from Denny Lin to plug a few memory leaks in bogofilter's
      TokyoCabinet implementation, contributed through the bogofilter-dev
      mailing list. Thanks!

    2015-10-10
    * Fix build with C89 compilers.
    * Fix several memory leaks.
    * Fix an out-of-bounds memory read in maint.c's discard_token().
      Found with clang 3.6's address sanitizer.

    2015-02-28
    * Fix the lexer to not try to delete parts from HTML tokens if it is
      reading garbage (for instance, binary files misdeclared as HTML).
      This was exposed on Fedora 20 and 21 but not Ubuntu 14.04 (x86_64),
      and is possibly related to its newer flex 2.5.37 that may have changed
      the way it uses yyinput() a bit. Reported by Matt Garretson.

    2015-02-25
    * Fix the lexer to handle MIME multipart messages properly when the
      boundary ended in "--". The parser would previously never find the
      MIME parts because it mistook all boundaries ending in two dashes to
      be the final boundary of the multipart, rather than checking if the
      two dashes were extra. Add a test case, t.lexer.boundary--.
      Reported by Matt Garretson to the bogofilter mailing list today.
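
The boundary check described in the 2015-02-25 entry, as an added C example
that is not taken from bogofilter's source: the function names, the enum and
the sample message are constructed for illustration. classify_naive()
reproduces the mistake the entry describes, classify_checked() counts only
dashes that follow the complete boundary string as the closing marker.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not bogofilter source; all names are hypothetical. */
enum line_kind { NOT_BOUNDARY, PART_DELIMITER, CLOSE_DELIMITER };
typedef enum line_kind (*classifier)(const char *line, const char *boundary);

/* Line length without trailing CR, LF, space or tab. */
static size_t trimmed_len(const char *line)
{
    size_t n = strlen(line);
    while (n > 0 && strchr("\r\n \t", line[n - 1]) != NULL) n--;
    return n;
}

/* True when the line starts with "--" followed by the boundary string. */
static int has_prefix(const char *line, size_t n, const char *boundary)
{
    return n >= strlen(boundary) + 2 && strncmp(line, "--", 2) == 0 &&
           strncmp(line + 2, boundary, strlen(boundary)) == 0;
}

/* The mistake the entry describes: a line ending in "--" is always final. */
static enum line_kind classify_naive(const char *line, const char *boundary)
{
    size_t n = trimmed_len(line);
    if (!has_prefix(line, n, boundary)) return NOT_BOUNDARY;
    return memcmp(line + n - 2, "--", 2) == 0 ? CLOSE_DELIMITER
                                                : PART_DELIMITER;
}

/* Only dashes that follow the complete boundary string close the multipart. */
static enum line_kind classify_checked(const char *line, const char *boundary)
{
    size_t n = trimmed_len(line), used = 2 + strlen(boundary);
    if (!has_prefix(line, n, boundary)) return NOT_BOUNDARY;
    if (n == used) return PART_DELIMITER;
    if (n == used + 2 && memcmp(line + used, "--", 2) == 0)
        return CLOSE_DELIMITER;
    return NOT_BOUNDARY;
}

/* Count part delimiters seen before the closing delimiter. */
static int count_parts(const char *const *lines, const char *boundary,
                       classifier classify)
{
    int parts = 0;
    for (; *lines != NULL; lines++) {
        enum line_kind k = classify(*lines, boundary);
        if (k == CLOSE_DELIMITER) break;
        if (k == PART_DELIMITER) parts++;
    }
    return parts;
}

/* Constructed sample: multipart body with boundary parameter "=_next--". */
static const char *const SAMPLE[] = {
    "--=_next--\r\n", "Content-Type: text/plain\r\n", "\r\n", "first part\r\n",
    "--=_next--\r\n", "Content-Type: text/html\r\n", "\r\n", "<p>second</p>\r\n",
    "--=_next----\r\n", NULL
};

int main(void)
{
    printf("naive=%d checked=%d\n",
           count_parts(SAMPLE, "=_next--", classify_naive),
           count_parts(SAMPLE, "=_next--", classify_checked));
    return 0;
}
```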

    2014-07-10
    * Take patch from Julius Plenz to fix a bug in the charset converter
      that causes truncation of messages in pass-through mode in rare
      circumstances, for instance, if binary data is misdeclared as
      text/html. Also add his test case, t.passthrough-truncation.

    2013-11-30
    * Updated autoconf/automake stuff so that tests work properly with
      automake versions that default to running parallel-tests.

    2013-07-06
    * Relicensed all security announcements under a dual-license, at the
      user's option, to ease distribution without repackaging:
      - Creative Commons Attribution-NoDerivs 3.0 Germany License
        (CC BY-ND 3.0)
      - GNU General Public License v3 or newer (GPL v3+).

1.2.4   2013-07-01 (released)

    2013-06-28
    * Fix three crashes in command line and environment variable parsers
      that caused NULL pointer dereferences with long option variants of
      bogofilter --syslog-tag, or bogoutil --timestamp-date, or when
      bogotune -M cannot derive the bogofilter directory.
      Reported by Alexandre Rebert, found with Mayhem tool.
    * Add getopt_long_chk(), a getopt_long variant that checks if the
      overlapping short and long options agree on whether their argument is
      not required, mandatory, or optional. If they disagree, the program
      aborts.
    * Fix a crash in command line parser that causes a NULL pointer
      dereference when --db-cachesize is used without argument.
      Found with getopt_long_chk().

    2013-01-20
    * Change lexer API/ABI a bit so as to work with flex 2.5.36 generated
      lexers (for instance, on Fedora 18 "Spherical Cow") that flip the type
      of yyleng from int to size_t. We use a signed long internally.

    2012-12-30
    * The bogofilter project was updated to the new SourceForge.net
      platform. This has caused the URLs to change.
      Use one of these commands for a read-only checkout:

        svn checkout svn://svn.code.sf.net/p/bogofilter/code/trunk bogofilter
        svn checkout http://svn.code.sf.net/p/bogofilter/code/trunk bogofilter

      And developers would use, replacing joe by their sf.net login:

        svn checkout --username=joe \
          svn+ssh://svn.code.sf.net/p/bogofilter/code/trunk bogofilter

    2012-12-03
    * Add bogofilter-SA-2012-01 (CVE-2012-5468).
    * Fix XML form of Bulgarian FAQ so that it validates; and validate XHTML
      at build time.
    * Mark Berkeley DB 5.2.42 and 5.3.21 supported.

1.2.3   2012-12-02 (released)

    2012-10-24
    * Update configure.ac to avoid autoconf 2.68 warnings, by
      (a) quoting the first AC_RUN_IFELSE argument, an AC_LANG_PROGRAM(),
          with [ ], and
      (b) providing an explicit "true" assumption for Berkeley DB
          capabilities to avoid cross-compilation warnings.

    2012-10-22
    * Security bugfix for CVE-2012-5468 (bogofilter-SA-2012-01):
      Fix a heap corruption in base64 decoder on invalid input.
      Analysis and patch by Julius Plenz.

    2011-01-02
    * Added bogofilter-faq-bg.html, a Bulgarian translation of the FAQ.
      (thanks to Albert Ward)

    2010-10-29
    * Mark "Berkeley DB 5.1.19: (August 27, 2010)" supported.

1.2.2   2010-07-08 (released)

    2010-07-05
    * Use a better PRNG for random sleeps. That is arc4random() where
      available, and drand48() elsewhere.
    * Assorted fixes for issues found with clang analyzer:
      + Fix a potential NULL dereference
      + Fix a potential division by zero
      + Remove dead assignments and increments
    * Update Doxyfile and source contrib/bogogrep.c for docs, too.

    2010-07-03
    * Security bugfix, CVE-2010-2494:
      Fix a heap corruption in base64 decoder on invalid input.
      Analysis and patch by Julius Plenz.
      Please see doc/bogofilter-SA-2010-01 for details.

    2010-04-07
    * Updated sendmail milter contrib/bogofilter-milter.pl to v1.??????
      (thanks to Jonathan Kamens)

    2010-04-01
    * Bump supported/minimum SQLite3 versions and warning threshold.
      See doc/README.sqlite for details.
    * Mark BerkeleyDB 4.8.26 and 5.0.21 supported.
      Note that Berkeley DB 5.0's SQLite3 compatibility API is NOT
      supported, it causes shifts in scores and write failures under
      contention. Bogofilter can use Berkeley DB 5.0's native interface, and
      using that is more efficient than the added SQL shim layer.

    2010-03-06
    * Make t.maint more robust; ignore .ENCODING token. To fix test failures
      on, for instance, FreeBSD with unicode enabled.

    2010-02-15
    * Fix several compiler warnings "array subscript has type 'char'", by
      casting the arguments to unsigned char. A security audit was conducted
      and showed that all affected functions either received the relevant
      input from the user running bogofilter, or the input had already been
      pre-validated by the token lexer.

    2010-02-14
    * Split error messages for ENOENT and EINVAL into new function.
    * Avoid division by zero in robx computation by checking if there are at
      least one ham message and one spam message registered.

    2009-08-13
    * contrib/spamitarium.pl updated to version 0.4.0
      (thanks to Tom Anderson)

    2009-08-05
    * Updated and integrated Ted Phelps's "Patch to prevent .ENCODING from
      being discarded by bogoutil -m" (SourceForge Patch #1743984).
      Thanks to Ted for debugging the issue and providing the patch
      (which was for bogofilter v1.1.5).

    2009-09-15
    * Promoted to "stable"

1.2.1   2009-08-01 (released)

    2009-08-01
    * Update configure to use "host" rather than "target", to match the
      newer autotools cross-build semantics. Untested. Developers changing
      the build system and users who build from SVN will now need
      automake 1.9 and autoconf 2.60.

    2009-07-31
    * Fix Christian Frommeyer's MIME decoding bug, Ubuntu/Launchpad Bug
      #320829. As a side effect, also fixes misattribution of MIME bodies as
      MIME headers with mime: tag.
      Original bug report:
      https://bugs.launchpad.net/ubuntu/+source/bogofilter/+bug/320829
      Before this fix, bogofilter did not properly MIME-decode the first
      line in a body. This was especially bad with Christian's samples where
      the whole body was only one long base64 line.

    2009-05-28
    * Removed two scripts that are auto-built.
    * Added test case for Stephen Davies' Q-P EOL problem (see below).

    2009-05-25
    * Fixed EOL problem in quoted_printable text. Problem reported by
      Stephen Davies and identified by Pavel Kankovsky.

    2009-03-28
    * Promoted to "stable"

1.2.0   2009-02-21 (released)
    2009-03-28 (declared stable)

    2009-02-20
    * Flex-2.5.35 has fix for memory allocation problem in 2.5.4, 2.5.31,
      and 2.5.33, making bogofilter's flex patch obsolete.

    2009-02-12
    * Bogofilter now uses listsort in place of qsort.

    2009-01-31
    * Added token-count=n, token-count-min=n, and token-count-max=n options.
    * Minor code cleanups.

    2009-01-21
    * spamitarium.pl updated to version 0.3.0 (thanks to Tom Anderson)

    2009-01-11
    * For compatibility with Sun's Sun Studio 12 compiler, provide a name
      for the anonymous union in typedef word_t.
      Patch provided by Jack Bailey.

    2008-10-20
    * update bf_compact documentation by removing explicit Berkeley DB
      references, as it has been fixed to work with other database drivers
      in March 2008.

    2008-10-15
    * bf_compact, bf_copy and bf_tar now support transformed program names
      (fixes Debian Bug#501947).
    * Update sqlite3 adaptor to take advantage of sqlite3_prepare_v2() API
      function that appeared in SQLite 3.3.9. The new _v2 interface allows
      for more specific error messages when executing SQL statements.
      Also enable extended result codes for more precise error reporting.

    2008-07-21
    * Update doc/integrating-with-postfix: the script now suggests
      sendmail -G -i (where -G will be ignored by Postfix before 2.3) to
      tell Postfix it's a gateway submission, not an original injection; the
      filter pipe(8) magic for master.cf now suggests flags=Rq (was
      flags=R), as per Postfix's FILTER_README.

    2008-07-09
    * Drop support for systems that reverse setvbuf arguments. The last
      systems to do that are reported to be shipped in 1987 by the autoconf
      manual, so ditch them.

1.1.7   2008-05-04 (released)
    2008-05-18 (declared stable)

    2008-04-30
    * Updated sendmail milter contrib/bogofilter-milter.pl to v1.45
      (thanks to Jonathan Kamens)

    2008-04-28
    * Added maildir training info to English and French FAQs.
      (thanks to Karl Schmidt and to Mouss)

    2008-04-26
    * Fix uninitialized variable in lexer.c when unicode is disabled.
      Patch provided by Roman Trunov.

    2008-04-20
    * In process_arg functions use the val parameter rather than optarg.
      Patch provided by Roman Trunov.

    2008-04-18
    * Function process_arg now has the same prototype for bogofilter,
      bogolexer, bogoutil, and bogotune. The proper version is called by
      function read_config_file for all programs.
      Problem reported by Roman Trunov.

    2008-04-17
    * Update Doxyfile for doxygen v1.5.5

    2008-04-16
    * Fixed syntax errors in t.valgrind test

    2008-03-21
    * bf_compact now supports compacting databases that use QDBM, Tokyo
      Cabinet or SQLite3 and is covered by the test suite.

    2008-03-19
    * bf_compact now verifies databases before dumping them, to avoid
      getting into an unterminated loop and wasting all diskspace.
    * Bogoupgrade now verifies databases before dumping them, to avoid
      getting into an unterminated loop and burning all memory or disk space
      when the database is corrupt. This should fix Debian Bug#226643 and
      Debian Bug#226646.
    * Bogoupgrade now uses Pod::Usage to print usage/help, prints error
      messages that are a bit more concise and validates arguments a bit
      stricter.

    2008-02-08
    * Bump required sqlite version to 3.5.4, earlier versions could
      sometimes corrupt the database. Update install-staticdblibs.sh.
      Bogofilter will complain when used with older versions.

    2008-01-05
    * bf_compact problem fixed. Reported by Thomas Novin.

1.1.6   2007-11-25 (released)
    * Transaction support added for TokyoCabinet datastore.
      (thanks to Pierre Habouzit)
    * Bump required sqlite version to 3.4.2 and fix related compiler
      warnings. Bogofilter will complain when used with older versions.

    2007-11-22
    * Support for TokyoCabinet datastore added.
      (thanks to Pierre Habouzit)

    2007-08-14
    * doc/README.db was updated to BerkeleyDB 4.6
    * doc/README.db: section 3.5 was added, with information on how to
      resolve "Logging region out of memory; you may need to increase its
      size", section 4.2 now documents set_lg_regionmax.

    2007-07-23
    * The upstream repository was migrated to SVN. In order to check the
      code out, use this command (one line):
      (OBSOLETE) svn co https://bogofilter.svn.sourceforge.net/svnroot/bogofilter/trunk/bogofilter/ bogofilter
      (see entry for 2012-12-30 for updated URL)

    2007-07-22
    * The install-staticdblibs.sh script was relicensed under GNU GPL v3,
      adjusted to download Berkeley DB 4.2 from oracle.com, adds patch #5,
      and updated to build SQLite 3.4.1. In order to force a rebuild of the
      updated library, do:
        rm -rf /opt/db-4.2-lean /opt/sqlite-3-lean
      and re-run the script.
    * The recommended minimum sqlite3 version is now 3.4.0, bogofilter will
      warn if used with older versions. Bugs that could cause database
      corruption in rare circumstances have been fixed in sqlite3.
      See doc/README.sqlite for details.
    * Updated sendmail milter contrib/bogofilter-milter.pl to v1.27
      (thanks to Jonathan Kamens)

    2007-02-25
    * Add '--spam-header-place={header}' to specify header line before which
      the X-Bogosity line is placed.

    2007-02-14
    * Support --db-verify for sqlite3.
    * Fix defect where the database verification method would not be called
      for traditional Berkeley DB databases. Reported by Eric Wood.

    2007-01-28
    * Fix test suite for situations where there are blanks in the test or
      working directories' names.
    * Repair passthrough defect on systems whose standard system library
      makes a distinction between text and binary mode in stdio stuff.

1.1.5   2007-01-14 (released)
    2007-01-25 (declared stable)
    * Fixed Makefile dependency problem. (reported by Andras Salamon)
      This took several iterations to get right.

    2007-01-11
    * Fixed block-on-subnets problem.
      (thanks to Jack Bailey)

    2007-01-10
    * Added block-on-subnets regression test.

1.1.4   2007-01-01 (released)
    * Update copyright notices.

    2006-12-08
    * Add GSL dependency to bogofilter target to support parallel makes.
      (reported by Martin von Gagern)

    2006-12-05
    * Fixed problem in flex-2.5.4 patch.
      (reported by Boris 'pi' Piwinger)

1.1.3   2006-12-03 (released)
    2006-12-20 (declared stable)
    * Fixed typo in configure.ac.
      (reported by Boris 'pi' Piwinger and Torsten Veller)

1.1.2   2006-12-02 (released)

    2006-12-01
    * Revise install-staticlibs.sh's links for retrieving database tarball
      and patches.
    * Revise make rules for generating statically linked RPM.

    2006-11-29
    * Provide separate flex patches for 2.5.4 and 2.5.3x

    2006-11-26
    * Updated file comment for lexer_v3.l and removed unneeded rules T1,
      T12, SHORT_TOKEN, and TOKEN_12.
    * Miscellaneous minor cleanups of lexer_v3.l classes and rules.
    * Patch flex skeleton code problem which can cause a seg-fault.
      (reported by Michael Gerdau)

    2006-11-21
    * Fix processing of "--unicode=no" option.

    2006-11-18
    * Fix prefixes for ip address and url tokens. Restore colon that was
      dropped in token.c edit for bogofilter-1.1.0.

    2006-11-04
    * Fixed problem parsing message ids, which can cause a seg-fault on an
      x86_64. (reported by Torsten Veller)

    2006-10-03
    * Added '--ham-true' option for bogofilter (to match docs)

    2006-08-26
    * FAQ's updated to point to current sylpheed-claws wiki
      (thanks to Paul Mangan)

1.1.1   2006-08-23 (released)
    2006-09-01 (declared stable)

    2006-08-22
    * Added bogofilter-faq-it.html, an Italian translation of the FAQ
      (thanks to Marco Bozzolan).

    2006-08-10
    * Fixed minor header/body multi-word token defect.

1.1.0   2006-08-09 (released)
    * Revised FAQ's mailbox conversion example.

    2006-07-26
    * 1.0.3 Promoted to "Stable" status

    2006-07-24
    * Forward port GNU make compatibility fix for doc/Makefile* from 1.0
      branch.

    2006-07-08
    * Add large file support for 32-bit systems.
      (_FILE_OFFSET_BITS/_LARGE_FILE).
    * Fix lexer_v3.l format string mismatch that broke debugging code on
      64-bit systems.

    2006-07-04
    * Add multi-word token support to bogoutil & bogotune.

    2006-07-03
    * Clean up token prefixing.
    * Clean up queue-id processing.
    * Add max-multi-token-len checks.
    * Revised function names. get_token() uses parse_new_token(),
      add_token_to_array(), build_token_from_array(), and
      build_prefixed_token().

    2006-07-02
    * Add min-token-len check (with exemption for 2 character money amounts
      which bogofilter has long accepted).
    * Add "short token" pattern to lexer

    2006-07-01
    * Refactor get_token. Function get_single_token is the original
      get_token function. Function get_multi_token calls get_single_token
      when another token must be parsed, else it constructs multi-part
      tokens using w_token_array (an array of word_t structs).

    2006-06-20
    * Add options for min/max token length, multi-token count, and max
      multi-token length.
    * Modify get_token() to return multi-word tokens.

1.0.3   2006-07-10 (released)
    2006-07-26 (declared stable)
    * Released 1.0.3 to provide the bogotune bugfixes to a wider audience.

    2006-07-09
    * Work around GNU make 3.81 incompatibility in doc/Makefile* (it does
      not work properly with "}\" at the line ends, but wants "} \"
      instead).

    2006-06-02
    * "make rpm" changes:
      - document use with gpg-agent (see Makefile.am)
      - build static RPMs (these won't fail) before shared RPMs

    2006-05-29
    * #include cleanups in common.h, system.h and C files.

    2006-04-28
    * Updated copyright dates.

    2006-04-13
    * Included additional config file options in bogofilter's --help
      message.

    2006-03-27
    * Corrected option parsing in bogotune to support
      -n ham1 ham2 -s spam1 spam2 as suggested by bogotune -h; broken since
      0.93.2.

    2006-03-26
    * Corrected problem with bogotune's -D option (thanks to Jason Smith).
    * Corrected man page description of bogotune's -n and -s options.

    2006-03-17
    * Fixed bf_compact's test for transactional environment.

    2006-03-12
    * 1.0.2 Promoted to "Stable" status

1.0.2   2006-03-03 (released)

    2006-02-19
    * Added vm-bogofilter.el for using bogofilter with VM, an Emacs mail
      tool (thanks to Björn Knutsson).
    * Added FAQ question "How do I use bogofilter with VM (an Emacs mail
      tool)?" (thanks to Pimpon).

    2006-02-14
    * SleepyCat has been acquired by Oracle, who are now providing Berkeley
      DB. Since most of the references are to actual strings in the programs
      or addresses that remain unchanged, this will only gradually show in
      the bogofilter sources and documentation.

    2006-02-06
    * Flush output after writing spam header line and/or message body.
    * When database is near to maximum allowed size, allow reading it and
      disallow writing to it.

    2006-01-30
    * Fix formatting of Rtable output when in the message header, this keeps
      verbose passthrough modes RFC-822/2822 compliant.

    2006-01-29
    * The configure script, when checking Berkeley DB capabilities, now
      checks for logging and transactional subsystems rather than the
      locking subsystem that was abandoned before 1.0.0. This appears a
      suitable workaround for configure lockups on OpenBSD 3.7 macppc with
      db 4.2 or 4.3.

    2006-01-28
    * Only print Berkeley DB file size message once per run.

    2006-01-21
    * 1.0.1 Promoted to "Stable" status

    2006-01-02
    * Fixed --input-file and --output-file command line options.

    2006-01-01
    * Added CVE-2005 identifiers for defects described in
      doc/bogofilter-SA-2005-01

1.0.1   2006-01-01 (released)
    * New names for binary rpms:
        bogofilter-db42
          - requires shared library for DB-4.2.52
        bogofilter-db42-static
          - statically linked with DB-4.2.52
        bogofilter-sqlite3
          - requires shared library for SQLite3-3.2.8
        bogofilter-sqlite3-static
          - statically linked with SQLite3-3.2.8

    2005-12-30
    * The configure help texts have been revised, the IEEE checks for trio
      have been simplified (they are no longer nested) and configure.ac has
      been updated to quiet autoconf -Wobsolete warnings. The README file
      now reflects the new requirements.

    2005-12-29
    * For maintainers: Add install-staticdblibs.sh, a script to fetch and
      build static & lean BerkeleyDB 4.2.52.4 and SQLite 3.2.8 libraries.
      Modify some parts of the RPM building so that the binary RPMs are
      built without external dependencies beyond glibc 2.2. This may render
      "make rpm" unusable on non-Linux platforms, but you should still be
      able to "rpmbuild -tb" from the source .tar.gz file.

    2005-12-27
    * Add '-O' option to direct bogoutil output to a file.
    * Fix building of binary rpms with SQLite support.
    * Include SQLite binary rpm as standard part of "make rpm"

    2005-12-26
    * Split NEWS file into files NEWS and NEWS.0 for new (version 1.0 and
      after) and old (version 0.x.y) info

    2005-12-25
    * Capitalize variables in bogofilter.spec.in to please RH9's RPM 4.2
      implementation.

    2005-12-18
    * Fix bad return code in db_loop() in datastore_sqlite.c
      (reported by Sami Farin).

    2005-12-17
    * XML documentation cleanups (thanks to Nicholas Kaiser).

    2005-12-06
    * bogofilter.cf.example was updated to reflect the proper default of
      db_log_autoremove=yes. It previously claimed the default were "off".

1.0.0   2005-11-30 (released)

Release history prior to 1.0.0 is in file NEWS.0

vim:tw=79 com=bf\:* ts=8 sts=8 sw=8 ai:
LocalWords: bogofilter bogolexer bogoutil Spamicity spamicity
LocalWords: procmail maildrop