For everyone who has upgraded to a 5.1.x version: this is mostly a bug fix release, and it is up to you whether you want to upgrade. There are no apparent security issues solved in this release.

Check all the fixes and changes listed in the release notes to see which issues are resolved and whether you are affected. Most of them concern replication.

I’ve compiled this version and did some simple tests on my test servers, and it worked without any problems.

Read the documentation on how to upgrade MySQL.


Timo released another bugfix release of Dovecot; some minor fixes are included. If you don’t have any problems you don’t need to upgrade. Bugs fixed in this release are:

  • %variables now support %{host}, %{pid} and %{env:ENVIRONMENT_NAME} everywhere.
  • LIST-STATUS capability is now advertised
  • maildir: Fixed several assert-crashes.
  • imap: LIST "" inbox shouldn’t crash when using a namespace with "INBOX." prefix.
  • lazy_expunge now ignores non-private namespaces.

Sorry that I’m later than I’m supposed to be with this blog post, but my new day job needs all the attention at the moment. The good news is there are not many problems when you update your Mac with the latest security update. Read more about it in Apple’s Knowledge Base article.

On Leopard there is a small known issue with Postfix. To correct it, comment out or delete the following line from /etc/postfix/main.cf:

inet_interfaces = localhost

Restart Postfix (reloading the config does not work) with:

sudo postfix stop
sudo postfix start

After that all should be fine. If you find another issue, please use the comments.


MySQL released new versions of the 5.0.x community version of their database server. There were no security issues related to this release, so if you are not affected I would not advise you to upgrade. I’ve upgraded all my servers without any issue following the normal upgrade path as documented.

Read more about the specifics for this release here: Changes in MySQL 5.0.89


The PHP development team have released PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release. The security enhancements and fixes in PHP 5.2.12 are:

  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
  • Added protection for $_SESSION from interrupt corruption and improved “session.save_path” check, identified by Stefan Esser. (CVE-2009-4143, Stas)
  • Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)

For instructions on how to upgrade PHP please read: Upgrading PHP.


Timo released another bugfix release of Dovecot; he hopes it will last for the next few months. I guess he needs more time for the 2.x release, which is coming along nicely. Bugs fixed in this release are:

  • maildir: When saving, filenames now always contain ,S=. Previously this was done only when quota plugin was loaded. It’s required for zlib plugin and may be useful for other things too.
  • lazy-expunge: Support a single-namespace configuration. If a mailbox is deleted, its messages are merged with its old expunged messages (if there were any).
  • expire: Settings now support spaces in mailbox names by using quoted strings.
  • maildir: v1.2.7 and v1.2.8 caused assert-crashes in maildir_uidlist_records_drop_expunges()
  • maildir_copy_preserve_filename=yes could have caused crashes.
  • Maildir++ quota: % limits weren’t updated when limits were read from maildirsize.
  • virtual: v1.2.8 didn’t fully fix the “lots of mailboxes” bug
  • virtual: Fixed updating virtual mailbox based on flag changes.
  • fts-squat: Fixed searching multi-byte characters.

This is a small write-up of the installation I was asked to do for a client on his Mac mini with OS X Server (Leopard). It took me a while to get this working because of the various issues I encountered, and while googling for a solution I found that many people are looking for an answer, hence the write-up. Please note that these instructions are not part of the normal documentation set; they only work on OS X Server Leopard and not on the regular OS X workstation.

First make a copy of the original php module for safekeeping:

sudo cp /usr/libexec/apache2/libphp5.so /usr/libexec/apache2/libphp5.so.apple

Then we need to make some preparations. The first is to get the MySQL include files and the client libraries as documented in this knowledge base article. Remember this is only tested on 10.5.x of OS X Server.

Please download http://www.opensource.apple.com/darwinsource/other/MySQL-49.binaries.tar.gz

Unpack the archive and copy the include and library directories into place with the following commands:

tar -zxvf MySQL-49.binaries.tar.gz
sudo cp -R usr/include/mysql /usr/include/
sudo cp -R usr/lib/mysql /usr/lib/

Next we need to get the iconv library and compile it so that it links properly with PHP; the default iconv library on OS X gives linking errors. You can download it from http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz and unpack it.

Use the following commands to compile and install it:

export MACOSX_DEPLOYMENT_TARGET=10.6 \
CFLAGS="-arch x86_64" \
CXXFLAGS="-arch x86_64"
./configure --prefix=/usr/local
make
sudo make install

Next download the source code for the JPEG library from the Freshmeat libjpeg project. I’ve used the source file jpegsrc.v7.tar.gz.

First unpack the source code, then go into the folder "jpeg-7" and execute the following commands:

cp /usr/share/libtool/config.sub .
cp /usr/share/libtool/config.guess .

This copies these files to the current directory; they are required for the configure phase of this installation.

export MACOSX_DEPLOYMENT_TARGET=10.6
CFLAGS="-arch x86_64" \
CXXFLAGS="-arch x86_64" \
LDFLAGS="-arch x86_64" \
./configure --enable-shared
 
make
 
sudo make install

Next download PHP version 5.2.11 (this is the version installed on OS X Server 10.5.x), unpack it and use the following commands to configure, compile and install it:

export MACOSX_DEPLOYMENT_TARGET=10.6 \
CFLAGS="-arch x86_64" \
CXXFLAGS="-arch x86_64"
./configure --prefix=/usr \
  --mandir=/usr/share/man \
  --infodir=/usr/share/info \
  --disable-dependency-tracking \
  --with-apxs2=/usr/sbin/apxs \
  --with-ldap=/usr \
  --with-kerberos=/usr \
  --enable-cli \
  --with-zlib-dir=/usr \
  --enable-trans-sid \
  --with-xml \
  --enable-exif \
  --enable-ftp \
  --enable-mbstring \
  --enable-mbregex \
  --enable-dbx \
  --enable-sockets \
  --with-iodbc=/usr \
  --with-curl=/usr \
  --with-config-file-path=/etc \
  --sysconfdir=/private/etc \
  --with-openssl \
  --with-xmlrpc \
  --with-xsl=/usr \
  --with-mysql-sock=/var/mysql \
  --with-mysqli=/usr/bin/mysql_config \
  --with-mysql=/usr \
  --with-gd \
  --with-jpeg-dir=/usr/local/lib \
  --with-png-dir=/usr/X11R6 \
  --with-freetype-dir=/usr/X11R6 \
  --with-xpm-dir=/usr/X11R6 \
  --with-iconv=/usr/local \
  --without-pear

Do not start compiling yet; we first need to edit the Makefile.

Find the line that starts with:

GDLIB_CFLAGS =

and add at the end of the line:

-arch x86_64

Then find the line that starts with:

EXTRA_LIBS =

and add at the end of this multi-line definition:

-lresolv

Next replace the line:

$(CC) $(MH_BUNDLE_FLAGS) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so

with:

$(CC) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) $(MH_BUNDLE_FLAGS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so

Save the file, and when you’re done you can start compiling and installing with:

make
 
sudo make install

Once that finishes, the new PHP build is installed.

Now restart Apache and check your site. You now have a new PHP version with GD on your server.
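The three Makefile edits above are easy to get wrong by hand, so here is an added helper (my own example, not part of the original write-up) that applies them with sed/awk and verifies the result. It assumes you run it from the PHP source directory after ./configure, as `sh patch_makefile.sh Makefile`; the miniature Makefile it can write is a constructed sample for trying it out.

```shell
#!/bin/sh
# Added example: apply the GDLIB_CFLAGS, EXTRA_LIBS and libphp bundle link
# edits from the write-up to a configured PHP 5.2.x Makefile and verify them.
# Usage (assumption): sh patch_makefile.sh Makefile
# 1. Append -arch x86_64 to the GDLIB_CFLAGS line (no-op if already there).
patch_gdlib_cflags() {
    grep -q '^GDLIB_CFLAGS = .*-arch x86_64' "$1" && return 0
    sed -i.bak 's/^\(GDLIB_CFLAGS = .*\)$/\1 -arch x86_64/' "$1"
}
# 2. Append -lresolv to the last line of the EXTRA_LIBS definition, which may
#    continue over several backslash-terminated lines. Assumes the unpatched
#    Makefile does not link resolv anywhere yet.
patch_extra_libs() {
    grep -q -- '-lresolv' "$1" && return 0
    awk 'BEGIN { inblk = 0 }
         /^EXTRA_LIBS =/ { inblk = 1 }
         inblk && $0 !~ /\\$/ { print $0 " -lresolv"; inblk = 0; next }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# 3. Move $(MH_BUNDLE_FLAGS) from right after $(CC) to just before "-o $@"
#    in the libphp bundle link command (no-op once it has been moved).
patch_bundle_link() {
    sed -i.bak 's/^\([[:space:]]*\)\$(CC) \$(MH_BUNDLE_FLAGS) \(.*\) -o \$@/\1$(CC) \2 $(MH_BUNDLE_FLAGS) -o $@/' "$1"
}
# Confirm all three edits are present; returns 1 if any is missing.
verify_makefile() {
    grep -q '^GDLIB_CFLAGS = .*-arch x86_64$' "$1" &&
    grep -q -- ' -lresolv$' "$1" &&
    grep -q '\$(MH_BUNDLE_FLAGS) -o \$@' "$1" &&
    ! grep -q '\$(CC) \$(MH_BUNDLE_FLAGS)' "$1"
}
patch_makefile() {
    patch_gdlib_cflags "$1" && patch_extra_libs "$1" &&
    patch_bundle_link "$1" && verify_makefile "$1"
}
# Constructed miniature Makefile holding only the lines the edits touch, for
# trying the patch without a PHP source tree (recipe indented with spaces).
write_sample_makefile() {
    cat > "$1" <<'EOF'
GDLIB_CFLAGS = -I/usr/local/include
EXTRA_LIBS = -lz -lm \
    -lxml2 -lssl -lcrypto
libs/libphp$(PHP_MAJOR_VERSION).bundle: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS)
    $(CC) $(MH_BUNDLE_FLAGS) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so
EOF
}
if [ $# -eq 1 ]; then patch_makefile "$1" && echo "Makefile patched and verified"; fi
```

Running it twice is safe: each step checks whether its edit is already present before touching the file.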


A new version of Dovecot has been released. It’s just a minor bug fix and not a real security fix. I think that if you are not affected (for example, running on a server with no other local users) you are not required to upgrade and can skip this one.

This is mainly to fix the 0777 base_dir creation issue, which could be considered a security hole, exploitable by local users. An attacker could for example replace Dovecot’s auth socket and log in as other users. Gaining root privileges isn’t possible though.

This affects only v1.2 users; v1.1 and older versions created the directory with 0755 permissions.

If your Dovecot’s base_dir isn’t in /var/run/dovecot/, you should also make sure that the $prefix/var/ and $prefix/var/run/ (i.e. /usr/local/var/, /usr/local/var/run/ by default) aren’t 0777.

The fixes include:

  • Dovecot v1.2.x had been creating base_dir (and its parents if necessary) with 0777 permissions. The base_dir’s permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually.
  • acl: If user has rights from more than one group, merge them instead of choosing one group’s rights and ignoring others.
  • virtual: When using a lot of mailboxes, the virtual mailbox’s header could have grown over 32 kB and caused “out of memory” crashes. Also over 64 kB headers couldn’t even be updated with existing transaction log records. Added a new record type that gets used with >=64 kB headers. Older Dovecot versions don’t understand this header and will log errors if they see it.
  • FETCH BODYSTRUCTURE didn’t return RFC 2231 “key*” fields correctly
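Since the fix only corrects base_dir itself and leaves the parent directories to you, here is an added check (my own example, not from the Dovecot release or the original post) that walks from base_dir up to a stop directory and reports every world-writable directory on the way. The paths in the comments are assumptions; take the real base_dir from your Dovecot configuration.

```shell
#!/bin/sh
# Added example: report world-writable directories between Dovecot's base_dir
# and a stop directory, the condition the v1.2.x fix above is about.
# Usage (paths are assumptions):
#   sh check_base_dir.sh /var/run/dovecot                     # stock layout
#   sh check_base_dir.sh /usr/local/var/run/dovecot /usr/local # $prefix build
# True if "other" has write permission: 9th character of the ls mode string.
# -L follows symlinks (e.g. /var/run -> /run) so the target's mode is checked.
world_writable() {
    [ "$(ls -ldL "$1" | cut -c9)" = "w" ]
}
# check_base_dir_chain BASE_DIR [STOP_DIR]
# Prints each directory from BASE_DIR up to (not including) STOP_DIR that is
# world-writable; returns 1 if any was found, 0 otherwise.
check_base_dir_chain() {
    dir="$1"; stop="${2:-/}"; bad=0
    while [ -n "$dir" ] && [ "$dir" != "$stop" ] &&
          [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ -d "$dir" ] && world_writable "$dir"; then
            echo "world-writable: $dir $(ls -ldL "$dir" | cut -c1-10)"
            bad=1
        fi
        dir=$(dirname "$dir")
    done
    return "$bad"
}
if [ $# -ge 1 ]; then check_base_dir_chain "$@"; fi
```

Any directory it prints should be brought back to 0755 with chmod, as the release notes say; a non-zero exit status makes it usable from a cron job or monitoring check.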

The PHP development team released a new version of the 5.3.x branch. Before you upgrade to a 5.3.x release on a production machine, please check that all your PHP-based apps support 5.3.x, as there are some compatibility problems and you might get strange results. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. I’ve tested it on a test server with Snow Leopard without any problems.

Security Enhancements and Fixes in PHP 5.3.1:

  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. (Ilia)
  • Added missing sanity checks around exif processing. (CVE-2009-3292, Ilia)
  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559, Johannes, christian at elmerot dot se)
  • Fixed bug #44683 (popen crashes when an invalid mode is passed). (CVE-2009-3294, Pierre)

Key Enhancements in PHP 5.3.1 include:

  • Fixed crash in com_print_typeinfo when an invalid typelib is given. (Pierre)
  • Fixed crash in SQLiteDatabase::ArrayQuery() and SQLiteDatabase::SingleQuery() when calling using Reflection. (Felipe)
  • Fixed crash when instantiating PDORow and PDOStatement through Reflection. (Felipe)
  • Fixed bug #49910 (no support for ././@LongLink for long filenames in phar tar support). (Greg)
  • Fixed bug #49908 (throwing exception in __autoload crashes when interface is not defined). (Felipe)
  • Around 100 other bug fixes

For instructions on how to upgrade PHP please read: Upgrading PHP.


MySQL released new versions of the 5.1.x and 5.0.x community versions of their database server. There is a security issue related to them, so if you are affected I would advise you to upgrade. I’ve upgraded all my servers without any issue following the normal upgrade path as documented.

Read more about the specifics for each release here:
