related services currently down

Downtime notice

I am sorry to report that the mailing lists and web site hosted at addresses ending in are currently down.

We are working to restore these services.

In urgent matters, feel free to contact me through - but keep in mind that bogofilter is a volunteer-driven project, so support resources are limited.

In the meantime, the website and downloads remain online on SourceForge as and 1.2.4 continues to be the current release. It features these changes since 1.2.0 (the previously announced version):

1.2.4   2013-07-01 (released)

    * Fix three crashes in command line and environment variable parsers
      that caused NULL pointer dereferences with long option variants
      of bogofilter --syslog-tag, or bogoutil --timestamp-date, or when
      bogotune -M<file> cannot derive the bogofilter directory.
      Reported by Alexandre Rebert, found with Mayhem tool.

    * Add getopt_long_chk(), a getopt_long variant that checks if the
      overlapping short and long options agree on whether their argument
      is not required, mandatory, or optional.  If they disagree, the
      program aborts.

    * Fix a crash in command line parser that causes a NULL pointer
      dereference when --db-cachesize is used without argument.
      Found with getopt_long_chk().

    * Change lexer API/ABI a bit so as to work with flex 2.5.36 generated
      lexers (for instance, on Fedora 18 "Spherical Cow") that flip the
      type of yyleng from int to size_t. We use a signed long internally.

    * The bogofilter project was updated to the new
      platform. This has caused the URLs to change. Use one of these
      commands for a read-only checkout:
      svn checkout svn:// bogofilter
      svn checkout bogofilter

      And developers would use, replacing joe by their login:
      svn checkout --username=joe \
        svn+ssh:// bogofilter

    * Add bogofilter-SA-2012-01 (CVE-2012-5468).
    * Fix XML form of Bulgarian FAQ so that it validates;
      and validate XHTML at build time.
    * Mark Berkeley DB 5.2.42 and 5.3.21 supported.

1.2.3   2012-12-02 (released)

    * Update to avoid autoconf 2.68 warnings, by 
      (a) quoting the first AC_RUN_IFELSE argument, an
          AC_LANG_PROGRAM(), with [ ], and
      (b) providing an explicit "true" assumption for Berkeley DB
          capabilities to avoid cross-compilation warnings.

    * Security bugfix for CVE-2012-5468 (bogofilter-SA-2012-01):
      Fix a heap corruption in base64 decoder on invalid input.
      Analysis and patch by Julius Plenz <>.

    * Added bogofilter-faq-bg.html, a Bulgarian translation of the FAQ.
      (thanks to Albert Ward)

    * Mark "Berkeley DB 5.1.19: (August 27, 2010)" supported.

1.2.2   2010-07-08 (released)

    * Use a better PRNG for random sleeps. That is arc4random() where
      available, and drand48() elsewhere.

    * Assorted fixes for issues found with clang analyzer:
      + Fix a potential NULL dereference
      + Fix a potential division by zero
      + Remove dead assignments and increments

    * Update Doxyfile and source contrib/bogogrep.c for docs, too.


    * Security bugfix, CVE-2010-2494:
      Fix a heap corruption in base64 decoder on invalid input.
      Analysis and patch by Julius Plenz <>.
      Please see doc/bogofilter-SA-2010-01 for details.


    * Updated sendmail milter contrib/ to v1.??????
      (thanks to Jonathan Kamens)


    * Bump supported/minimum SQLite3 versions and warning threshold.
      See doc/README.sqlite for details.

    * Mark BerkeleyDB 4.8.26 and 5.0.21 supported.

      Note that Berkeley DB 5.0's SQLite3 compatibility API is NOT
      supported, it causes shifts in scores and write failures under
      contention.  Bogofilter can use Berkeley DB 5.0's native interface, 
      and using that is more efficient than the added SQL shim layer.


    * Make t.maint more robust; ignore .ENCODING token. To fix test
      failures on, for instance, FreeBSD with unicode enabled.


    * Fix several compiler warnings "array subscript has type 'char'", by
      casting the arguments to unsigned char.
      A security audit was conducted and showed that all affected
      functions either received the relevant input from the user running
      bogofilter, or the input had already been pre-validated by the token


    * Split error messages for ENOENT and EINVAL into new function.
    * Avoid division by zero in robx computation by checking if there is at
      least one ham message and one spam message registered.


    * contrib/ updated to version 0.4.0
      (thanks to Tom Anderson)


    * Updated and integrated Ted Phelps's "Patch to prevent .ENCODING from
      being discarded by bogoutil -m" (SourceForge Patch #1743984).
      Thanks to Ted for debugging the issue and providing the patch (which
      was for bogofilter v1.1.5).

Posted by Matthias Andree 2013-11-10
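
The getopt_long_chk() entry in the 1.2.4 changes describes checking that overlapping short and long options agree on their argument mode. The following is an added example of that kind of check, not bogofilter's own code: the function names, the option table and the optstrings are hypothetical, and it returns the disagreeing entry instead of aborting.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Argument mode of short option c in optstring: "x" takes none, "x:" requires
 * one, "x::" takes an optional one (GNU extension). -1 if c is not listed. */
static int short_arg_mode(const char *optstring, int c)
{
    const char *p;
    if (c <= 0 || c > 255 || c == ':')
        return -1;
    optstring += strspn(optstring, "+-:");   /* skip leading mode flags */
    p = strchr(optstring, c);
    if (p == NULL)
        return -1;
    if (p[1] != ':')
        return no_argument;
    return p[2] == ':' ? optional_argument : required_argument;
}

/* First long option whose has_arg disagrees with the short option it
 * overlaps (flag == NULL, val listed in optstring); NULL if none. */
const struct option *first_optspec_mismatch(const char *optstring,
                                            const struct option *longopts)
{
    for (; longopts->name != NULL; longopts++) {
        int mode = longopts->flag ? -1 : short_arg_mode(optstring, longopts->val);
        if (mode >= 0 && mode != longopts->has_arg)
            return longopts;
    }
    return NULL;
}

/* Constructed table; option names and letters are placeholders. */
static const struct option sample_opts[] = {
    {"gamma", no_argument,       NULL, 1000},  /* long-only: skipped */
    {"alpha", required_argument, NULL, 'a'},
    {"beta",  optional_argument, NULL, 'b'},
    {NULL, 0, NULL, 0}
};

int main(void)
{
    /* "b" takes no argument here, but --beta takes an optional one. */
    const struct option *bad = first_optspec_mismatch("a:b", sample_opts);
    printf("a:b -> %s\n", bad ? bad->name : "(consistent)");
    return 0;
}
```

Run once at startup, before option parsing, a check like this catches a table where one handler serves both forms but only one of them guarantees a non-NULL optarg.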
