The Apache team has released an update to the popular web server. This update concerns several security fixes, and I would advise you to upgrade your server accordingly. I’ve tested and updated all my servers without any problem. Read all about the changes and bugs fixed in the 2.2.15 changelog.

If you’ve forgotten how to upgrade your Apache installation in the least painful way, with the possibility to go back if something goes wrong: Upgrading Apache


Timo has released another bugfix release of Dovecot. mbox users really should upgrade, because a message with a huge header could basically cause a DoS (this problem exists only in v1.2.x, not in v1.0 or v1.1). Our default setting is maildir instead of mbox, so you should be safe.

  • mbox: Message header reading was unnecessarily slow. Fetching a huge header could have resulted in Dovecot eating a lot of CPU. Also searching messages was much slower than necessary.
  • mbox, dbox, cydir: Mail root directory was created with 0770 permissions, instead of 0700.
  • maildir: Reading uidlist could have ended up in an infinite loop.
  • IMAP IDLE: v1.2.7+ caused extra load by checking for changes every 0.5 seconds after a change had occurred in the mailbox.
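
The permissions fix above only changes how Dovecot creates new mail root directories; a root that was created by an affected version keeps the 0770 mode it was given. The following is an added example, not code from Dovecot or from this post: a small sh script that lists the per-user mail roots under a parent directory whose mode is wider than 0700, and optionally tightens them. The parent directory path is an assumption you substitute (for example the directory that holds each user’s mail root); the directories in the usage at the bottom are only constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Dovecot release or this post).
# Reports, one level below PARENT, every directory whose mode is not
# exactly 0700, i.e. anything group- or world-accessible.

# Print each directory directly under "$1" whose mode is not 0700, sorted.
find_open_mail_roots() {
    parent="$1"
    # -perm 700 is an exact-mode match on both BSD and GNU find; "!" negates it.
    find "$parent" -mindepth 1 -maxdepth 1 -type d ! -perm 700 | sort
}

# Tighten every directory reported by find_open_mail_roots to 0700 and
# print how many directories were changed.
fix_open_mail_roots() {
    parent="$1"
    count=$(find_open_mail_roots "$parent" | wc -l | tr -d ' ')
    find_open_mail_roots "$parent" | while IFS= read -r d; do
        chmod 700 "$d"
    done
    echo "$count"
}

# Usage (paths are assumptions; adjust to where your mail roots live):
#   find_open_mail_roots /var/mail
#   fix_open_mail_roots /var/mail
```

Run the first function on its own first; only call the second one after you have confirmed that the directories it would touch really are Dovecot mail roots and not something else that legitimately needs group access.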

Several people have notified me of a problem they discovered when checking the installed version after manually compiling MySQL from source on top of the binary install. The mysqld located in the '/usr/local/mysql/bin' directory keeps reporting the originally installed version and not the latest source-compiled version.

It took me a while to find out what was wrong here, but I solved it. It is my mistake that I did not discover this earlier. When compiling from source, the mysqld program is located in '/usr/local/mysql/libexec' and is properly referenced if you use the 'mysqld_safe' program to start it up. The mysqld binary in '/usr/local/mysql/bin' is a left-over of the binary install procedure and is no longer used or referenced. This also means that my startup script was incorrect.

As a consequence I’ve changed the startup plist file. Please do the same by first changing the plist file and then running:

sudo launchctl unload /System/Library/LaunchDaemons/com.diymacserver.mysql.plist
sudo launchctl load /System/Library/LaunchDaemons/com.diymacserver.mysql.plist

Then the newer version should be running. You can check this by using the command:

mysqladmin version
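
To see at a glance which of the two mysqld binaries is the stale one, here is an added example (not from this post and not part of MySQL): an sh script that asks each candidate mysqld for its version with the real `mysqld --version` option and reports whether they agree. The two paths in the usage are the ones from this post; the version numbers in the comments are constructed examples.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Compare the version reported by several mysqld binaries, e.g. the
# left-over one in /usr/local/mysql/bin and the real one in libexec.

# Extract the version number from "mysqld --version" output, which looks like
# "/usr/local/mysql/libexec/mysqld  Ver 5.1.44 for ..." (constructed sample).
mysqld_version_of() {
    "$1" --version 2>/dev/null | sed -n 's/.*Ver \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print "path<TAB>version" for every binary given. Returns 0 when all of
# them report the same version and 1 when they differ, so it can be used
# as a check in a script.
compare_mysqld_versions() {
    first=""
    status=0
    for bin in "$@"; do
        if [ ! -x "$bin" ]; then
            printf '%s\tmissing\n' "$bin"
            continue
        fi
        v=$(mysqld_version_of "$bin")
        printf '%s\t%s\n' "$bin" "${v:-unknown}"
        if [ -z "$first" ]; then
            first="$v"
        elif [ "$v" != "$first" ]; then
            status=1
        fi
    done
    return $status
}

# Usage: pass the binaries to compare, e.g.
#   sh compare-mysqld.sh /usr/local/mysql/bin/mysqld /usr/local/mysql/libexec/mysqld
if [ $# -gt 0 ]; then
    compare_mysqld_versions "$@"
fi
```

If the two differ, the libexec one is what mysqld_safe starts; `mysqladmin version` against the running server should then show that same number once the plist has been reloaded as described above.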

Thanks to the vigilant users and my apologies to the others.


For everyone who has upgraded to a 5.1.x version: this is mostly a bug fix release, and it is up to you whether you want to upgrade. There are no apparent security issues solved in this release.

Check all the fixes and changes that are listed on the release notes to see what issues are resolved and if you are affected.

I’ve compiled this version and did some simple tests on my test servers and it worked without any problems.

Read the documentation on how to upgrade MySQL.


It’s been a while, but Postfix stable release 2.7.0 is available. Over the past releases the focus has moved towards improving the code and documentation, and updating the system for changing environments. You can read the release notes, but the biggest changes are:

  • Improved before-queue content filter performance. With
    “smtpd_proxy_options = speed_adjust”, the Postfix SMTP server
    receives the entire message before it connects to a before-queue
    content filter. Typically, this allows Postfix to handle the same
    mail load with fewer content filter processes.
  • Improved address verification performance. The verify database
    is now persistent by default, and it is automatically cleaned
    periodically. Under overload conditions, the Postfix SMTP server
    no longer waits up to 6 seconds for an address probe to complete.
  • Support for reputation management based on the local SMTP client
    IP address. This is typically implemented with “FILTER transportname:”
    actions in access maps or header/body checks, and mail delivery
    transports in master.cf with unique smtp_bind_address values.
  • The postscreen daemon (a zombie-blocker in front of Postfix) is
    still too rough for a stable release, and will be made “mature”
    in the Postfix 2.8 development cycle (however you can use Postfix
    2.7 with the Postfix 2.8 postscreen and dnsblog executables and
    master.cf configuration; this code has already proven itself).

No functionality has been removed, but it is a good idea to review the RELEASE_NOTES file for the usual minor incompatibilities or limitations.

By the way, you still need to edit the 'src/util/sys_defs.h' file.

For instructions on how to upgrade Postfix please read Upgrading Postfix.


For everyone who has upgraded to a 5.1.x version: this is mostly a bug fix release, and it is up to you whether you want to upgrade. There are no apparent security issues solved in this release.

Check all the fixes and changes that are listed on the release notes to see what issues are resolved and if you are affected. Most of them are concerning replication.

I’ve compiled this version and did some simple tests on my test servers and it worked without any problems.

Read the documentation on how to upgrade MySQL.


Timo has released another bugfix release of Dovecot; some minor fixes are included. If you don’t have any problems, you don’t need to upgrade if you don’t want to. Bugs fixed in this release are:

  • %variables now support %{host}, %{pid} and %{env:ENVIRONMENT_NAME} everywhere.
  • LIST-STATUS capability is now advertised.
  • maildir: Fixed several assert-crashes.
  • imap: LIST “” inbox shouldn’t crash when using namespace with “INBOX.” prefix.
  • lazy_expunge now ignores non-private namespaces.

Sorry that I’m later than I’m supposed to be with this blog post, but my new day job needs all my attention at the moment. The good news is that there are not many problems when you update your Mac with the latest security update. Read more about it in Apple’s Knowledge Base article.

On Leopard there is a small known issue with Postfix. To correct it, comment out or delete the following line from '/etc/postfix/main.cf':

inet_interfaces = localhost

Restart Postfix (reloading the configuration does not work) with:

sudo postfix stop
sudo postfix start

And all should be fine. If you find another issue, please use the comments.
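
For those who would rather script the edit than open main.cf by hand, here is an added example (not from this post, not part of Postfix): an sh script that comments out an active "inet_interfaces = localhost" line, keeps a backup copy as main.cf.bak, and reports whether anything changed so it is safe to run twice. The default path is the one from this post; the main.cf contents in the usage are a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Comment out "inet_interfaces = localhost" in a Postfix main.cf.

# Print the contents of "$1" with any active "inet_interfaces = localhost"
# line turned into a comment. Lines that are already commented are untouched.
comment_localhost_line() {
    sed 's/^\([[:space:]]*inet_interfaces[[:space:]]*=[[:space:]]*localhost[[:space:]]*\)$/#\1/' "$1"
}

# Apply the change to the file given (default /etc/postfix/main.cf).
# Writes a backup to <file>.bak before replacing the file, and prints
# "changed" or "unchanged". sed -i is avoided because its syntax differs
# between the macOS and GNU versions.
fix_main_cf() {
    cf="${1:-/etc/postfix/main.cf}"
    tmp=$(mktemp) || return 1
    comment_localhost_line "$cf" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$cf" "$tmp"; then
        rm -f "$tmp"
        echo unchanged
    else
        cp "$cf" "$cf.bak"
        cat "$tmp" > "$cf"   # cat keeps the original owner and mode of main.cf
        rm -f "$tmp"
        echo changed
    fi
}

# Usage (needs root for the real file):
#   sudo sh fix-main-cf.sh            # edits /etc/postfix/main.cf
#   fix_main_cf /path/to/test/main.cf # try it on a copy first
if [ "${1:-}" = "--apply" ]; then
    fix_main_cf "${2:-}"
fi
```

After running it, do the `sudo postfix stop` and `sudo postfix start` from above. One thing to be aware of: with the line gone, Postfix falls back to its built-in default of `inet_interfaces = all`, so check the effective value with `postconf inet_interfaces` and make sure your firewall covers port 25 if this machine is not meant to accept mail from the network.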


MySQL has released new versions of the 5.0.x community edition of their database server. There are no security issues related to this release, so if you are not affected I would not advise you to upgrade. I’ve upgraded all my servers without any issue following the normal upgrade path as documented.

Read more about the specifics for this release here: Changes in MySQL 5.0.89


The PHP development team has released PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release. The security enhancements and fixes in PHP 5.2.12 are:

  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
  • Added protection for $_SESSION from interrupt corruption and improved “session.save_path” check, identified by Stefan Esser. (CVE-2009-4143, Stas)
  • Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)

For instructions on how to upgrade PHP please read: Upgrading PHP.
