May 2007


It’s time again for a security update. It fills some new holes that could be exploited. I’ve installed it on my servers and didn’t run into any issues, as expected, because the affected components don’t touch our programs. Read more about the update here. If you haven’t updated yet, please do it now!

no comments

I’ve been looking at Lighttpd for some time now and finally found some time to get it set up and to document the process. I’m not going to replace Apache on my production systems just yet, but I thought it would be nice to have a choice. You can find the Lighttpd install instructions here, and I also added a page on how to compile PHP5 for Lighttpd, as it needs to be compiled differently.

Virtual servers and an SSL/HTTPS setup are planned to follow soon…

If you would like other software included in the documentation project let me know, try to convince me to include it. Donations usually help ;-)

no comments

Thomas Bruederli has found the time to release an update on our favorite webmail client, Roundcube. It’s still beta (version 0.1, and this is release candidate 1), but as some of you know, it is pretty solid and very usable. I myself use it every day when I’m not at home to read my mail! Read more about what has changed and how to download it in the announcement.

There is an update manual included in the download file, so there is no need for me to explain, although I had some issues with the database update script and went for a re-initialization of the database. So I dropped all tables and ran the mysql5.initial.sql script.

If you are new to roundcube, here is my installation manual.

no comments

Yes, it’s finally there: the version that includes shared libraries in the binary distribution package, which would mean we never have to recompile MySQL ourselves. I’ve downloaded the package and installed it on my test server. The installation went without a problem as usual, but trying to compile PHP brought a new issue, a linking issue with the zlib libraries:

/usr/bin/ld: warning multiple definitions of symbol _inflateInit_
/usr/local/mysql/lib/libmysqlclient.dylib(inflate.o) definition of _inflateInit_
/Developer/SDKs/MacOSX10.4u.sdk/usr/lib/gcc/i686-apple-darwin8/4.0.1/../../../libz.dylib(inflate.o) definition of _inflateInit_
etc...

I guess we still need to recompile. I hope it is not due to some leftover trial I did earlier; could someone confirm my findings?

2 comments

Sorry for the late post, but I wanted to check the software myself before announcing the updates and letting you update your systems. Sam Varshavchik has been busy in April and created fixes and small updates for most of the Courier software stack. The ones that concern us are:

Courier-Auth was updated to 0.59.3

  • Minor fixes in several man pages — workaround for some minor issues with Docbook XML stylesheets
  • Added support for CRAM authentication in the vchkpw module
  • Fix a memory leak when authpipe module is enabled, but the actual authpipe script/external prog is not installed
  • Fix several other pedantic leaks flagged by a static code analysis tool, that occur only after courier-authlib already runs out of memory

Courier-IMAP was updated to 4.1.3

  • Fix several pedantic memory leaks flagged by a static code analysis tool, that occur only after the server already runs out of memory
  • Updated man pages to Docbook XML 4.4
  • Fix parsing of raw 8bit headers

Courier Maildrop was updated to 2.0.4

  • Updated manual pages to Docbook XML V4.4
  • Include the makedat script (the man page is already here)

Updating should be easy, just follow the install instructions as usual.

2 comments

There is a light at the end of the tunnel: after complaining and blogging about the issue for some time, it looks like it is going to be solved in the next release of MySQL. I received some updates on the bug report via email, and the fix is released in the 5.0.40 Enterprise version; see the release notes. Now we only need to wait for the Community release…

no comments

The PHP development team released an update to the core PHP system. It’s a major stability and security enhancement over the 5.2.1 release. Everybody is strongly encouraged to upgrade to this release as soon as possible. Release notes can be found here and the changelog here.

Quoted from the announcement:

Security Enhancements and Fixes in PHP 5.2.2:

  • Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
  • Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
  • Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser)
  • Fixed unallocated memory access/double free in array_user_key_compare() (MOPB-24 by Stefan Esser)
  • Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
  • Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser).
  • Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser)
  • Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
  • Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser)
  • Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev)
  • Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser)
  • Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser)
  • Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia)
  • Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). (by Ilia Alshanetsky)
  • Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky)

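The header injection entry above (Subject and To parameters to mail()) deserves a look from the application side as well: the 5.2.2 fix stops CR/LF in those arguments inside the engine, but a contact form should refuse such input itself so it is safe on any PHP build. The following is an added example, not code from this blog or from the PHP project; the function names and sample addresses are made up for illustration, and it returns the arguments it would hand to mail() instead of calling it, so it runs without a mail transport. It is written in PHP 5.2-era syntax (no scalar type hints) to match the release discussed.

```php
<?php
// Added example (not from the blog post or the PHP project): validating
// user-supplied values before they reach mail(), independent of the
// engine-side fix in PHP 5.2.2.

// Reject any value that could terminate the header line it is placed on.
// CR, LF and NUL are exactly what a header injection needs in order to
// append a Bcc: line or to end the headers early and inject a second body.
function assert_single_header_line($value, $name)
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("$name must not contain line breaks");
    }
    return $value;
}

// Build the argument list for mail() from untrusted input, validating every
// field that ends up in a header. Returns an array instead of calling mail()
// so the logic can be exercised offline.
function build_contact_mail($to, $subject, $body, $from)
{
    $to = assert_single_header_line(trim($to), 'To');
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('To is not a single valid address');
    }
    $subject = assert_single_header_line(trim($subject), 'Subject');
    $from    = assert_single_header_line(trim($from), 'From');
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('From is not a single valid address');
    }
    // The body may legitimately contain newlines; normalise them to CRLF so a
    // bare "\n" in user text is not treated differently by the MTA.
    $body = preg_replace("/\r\n|\r|\n/", "\r\n", $body);

    return array(
        'to'      => $to,
        'subject' => $subject,
        'message' => $body,
        'headers' => "From: $from\r\nContent-Type: text/plain; charset=UTF-8",
    );
}

// Constructed inputs: a normal request, then a Subject carrying an injected
// Bcc: header of the kind a pre-5.2.2 mail() would have passed through.
$good = build_contact_mail(
    'alice@example.com',
    'Question about Lighttpd',
    "Hi,\nwhere are the docs?",
    'bob@example.com'
);
// In a real form handler:
// mail($good['to'], $good['subject'], $good['message'], $good['headers']);

try {
    build_contact_mail(
        'alice@example.com',
        "Hello\r\nBcc: unintended-recipient@example.net",
        'x',
        'bob@example.com'
    );
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The check is deliberately a rejection rather than a silent strip: stripping the line break would let a crafted subject through in altered form, whereas refusing the request surfaces the attempt in the application log, which is also where you would want to alert on repeated hits.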
I still have the same issue on the PPC platform as with 5.2.1, which I’m still working to solve. But it takes some time before I can move everything from my production server to a temporary one.

no comments