September 2011


Apache updated to 2.2.21

The Apache team has released a security update to the popular web server. This version of Apache is a security and bug-fix release:

  • SECURITY: CVE-2011-3348 (cve.mitre.org) mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service.
  • SECURITY: CVE-2011-3192 (cve.mitre.org) core: Further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive.

I would strongly advise you to upgrade your server accordingly, as this resolves the "Apache Killer" security issue by which someone could take over your server.

If you’ve forgotten how to upgrade your Apache installation in the least painful way, with the possibility to go back if something goes wrong: Upgrading Apache

Postfix updated to 2.8.5

Here is a new version of Postfix, just released, which I have tested on Snow Leopard and Leopard on my test machines. It fixes some small bugs in the Postfix Milter client that were already included in the Postfix 2.9 experimental release, as listed below:

  • The Postfix Milter client logged a “milter miltername: malformed reply” error when a Milter sent an SMTP response without enhanced status code (i.e. “XXX Text” instead of “XXX X.X.X Text”).
  • The Postfix Milter client sent a random {client_connections} macro value when the remote SMTP client was not subject to any smtpd_client_* limit. As a workaround, it now sends a zero value instead.

How to upgrade Postfix.
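As an added check that is my own example and not part of the post or of either project: a small Python script that reads the output of `httpd -v` and `postconf mail_version`, extracts the installed version numbers and reports whether either one is older than the versions named above (Apache 2.2.21, Postfix 2.8.5). It assumes both binaries are on the PATH when run for real; the banner strings used for the self-check at the bottom are constructed samples.

```python
import re
import subprocess

# Minimum versions this post recommends (assumption: nothing newer is required).
REQUIRED = {
    "apache": (2, 2, 21),
    "postfix": (2, 8, 5),
}


def parse_version(text):
    """Turn a leading dotted version such as '2.2.21' or '2.9-20110902' into a
    tuple of ints ((2, 2, 21) or (2, 9)); return None if no version is found."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def apache_version(banner):
    """Extract the version from `httpd -v` output, e.g.
    'Server version: Apache/2.2.21 (Unix)'."""
    m = re.search(r"Apache/(\S+)", banner)
    return parse_version(m.group(1)) if m else None


def postfix_version(output):
    """Extract the version from `postconf mail_version` output, e.g.
    'mail_version = 2.8.5'."""
    m = re.search(r"mail_version\s*=\s*(\S+)", output)
    return parse_version(m.group(1)) if m else None


def needs_upgrade(installed, required):
    """True when the version is unknown or older than the required one.
    Tuple comparison handles (2, 9) > (2, 8, 5) correctly."""
    return installed is None or installed < required


def report(apache_banner, postfix_output):
    """Return {'apache': bool, 'postfix': bool}: True means 'upgrade needed'."""
    return {
        "apache": needs_upgrade(apache_version(apache_banner), REQUIRED["apache"]),
        "postfix": needs_upgrade(postfix_version(postfix_output), REQUIRED["postfix"]),
    }


def run(cmd):
    """Run a command and return its stdout, or '' if it is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    # Live check against the local machine (both commands may be absent).
    live = report(run(["httpd", "-v"]), run(["postconf", "mail_version"]))
    for name, outdated in live.items():
        print(f"{name}: {'UPGRADE NEEDED' if outdated else 'ok'}")

    # Constructed sample banners, not taken from any real host.
    sample = report("Server version: Apache/2.2.20 (Unix)\nServer built: Aug 30 2011",
                    "mail_version = 2.8.5")
    print("sample:", sample)  # {'apache': True, 'postfix': False}
```

The version is compared as a tuple of integers rather than as a string, so that 2.2.21 sorts after 2.2.9 and the 2.9 experimental Postfix release sorts after 2.8.5; a missing or unparsable banner is reported as "upgrade needed" rather than silently passing.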