May 2011


Apache updated to 2.2.19

The Apache team have released a security update to the popular webserver. This version of Apache is principally a bug fix release, correcting regressions in the httpd 2.2.18 package; the use of that previous 2.2.18 package is discouraged due to these flaws:

  • SECURITY: CVE-2011-1928 (cve.mitre.org) A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. httpd workers enter a hung state (100% CPU utilization) after updating to APR 1.4.4. Upgrading to APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3 or prior with the ‘IgnoreClient’ option of the ‘IndexOptions’ directive will circumvent both issues.
  • httpd 2.2.18: The ap_unescape_url_keep2f() function signature was inadvertently changed. This breaks binary compatibility of a number of third-party modules. This httpd-2.2.19 package restores the function signature provided by 2.2.17 and prior.

I would strongly advise you to upgrade your server accordingly and not to use the httpd 2.2.18 package. I’ve installed it on several machines without an error.

If you’ve forgotten how to upgrade your Apache installation in the least painful way, with a possibility to go back if something goes wrong: Upgrading Apache

Apache updated to 2.2.18

The Apache team have released a security update to the popular webserver. This version of Apache is principally a bug fix release, and a security fix release of the APR 1.4.4 dependency; I would advise you to upgrade your server accordingly. I’ve tested and updated all my servers without any problem. Read all about the changes and bugs fixed in the 2.2.18 changelog.

  • SECURITY: CVE-2011-0419 (cve.mitre.org) apr_fnmatch flaw leads to mod_autoindex remote DoS. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a carefully crafted request may cause excessive CPU usage. Upgrading to APR 1.4.4, or setting the ‘IgnoreClient’ option of the ‘IndexOptions’ directive circumvents this risk.
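The ‘IgnoreClient’ workaround named in both Apache entries above, shown as an added configuration example (not taken from the Apache changelog or from this blog); the /var/www/downloads directory is an assumed example path.

```apache
# Added example, not from the page.
# Before: a directory listing that honours client-supplied query variables
# (sort order, name filters). On APR 1.4.3 and earlier this is the setup the
# CVE-2011-0419 advisory describes as exposed to the apr_fnmatch() DoS.
<Directory "/var/www/downloads">
    Options +Indexes
    IndexOptions FancyIndexing
</Directory>

# After: IgnoreClient tells mod_autoindex to ignore every query variable from
# the client, which is why the advisory lists it as a workaround for both
# CVE-2011-0419 (APR <= 1.4.3) and CVE-2011-1928 (APR 1.4.4).
# The real fix remains upgrading to httpd 2.2.19 with its bundled APR 1.4.5.
<Directory "/var/www/downloads">
    Options +Indexes
    IndexOptions FancyIndexing IgnoreClient
</Directory>
```

Run `apachectl -t` before reloading; the listing keeps working, but the clickable column-sorting links disappear because IgnoreClient implies SuppressColumnSorting.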

If you’ve forgotten how to upgrade your Apache installation in the least painful way, with a possibility to go back if something goes wrong: Upgrading Apache

Dovecot updated to 2.0.13

A new version of Dovecot has been released; as usual I’ve installed it on my test servers and production server without a problem. Check the improvements and decide if you want to upgrade, as there are many small fixes plus some more noticeable ones:

  • Added “doveadm index” command to add unindexed messages into index/cache. If full text search is enabled, it also adds unindexed messages to the fts database.
  • Added “doveadm director dump” command.
  • pop3: Added support for showing messages in “POP3 order”, which can be different from IMAP message order. This can be useful for migrations from other servers. Implemented it for Maildir as ‘O’ field in dovecot-uidlist.
  • doveconf: Fixed a wrong “subsection has ssl=yes” warning.
  • mdbox purge: Fixed wrong warning about corrupted extrefs.
  • sdbox: INBOX GUID changed when INBOX was autocreated, leading to trouble with dsync.
  • script-login binary wasn’t actually dropping privileges to the user/group/chroot specified by its service settings.
  • Fixed potential crashes and other problems when parsing header names that contained NUL characters.

MySQL released 5.1.57

For the people who haven’t upgraded to a 5.5.x release, MySQL has released version 5.1.57. This is a bug fix release, and it is up to you if you want to upgrade. Check all the fixes and changes that are listed in the release notes to see what issues are resolved and if you are affected. I’ve compiled it and did some tests on my servers and it worked without any problems.

Read the documentation on how to upgrade to this version of MySQL.