• SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations.
• SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.
• SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations.
• SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the ‘%{cookiename}C’ log format string is in use and a client sends a nameless, valueless cookie, causing
  a denial of service. The issue existed since version 2.2.17.
• SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate cleanly.
• SECURITY: CVE-2012-0053 (cve.mitre.org) Fixed an issue in error responses that could expose “httpOnly” cookies when no custom ErrorDocument is specified for status code 400.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

• SECURITY: CVE-2011-3348 (cve.mitre.org) mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service.
• SECURITY: CVE-2011-3192 (cve.mitre.org) core: Further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive.

I would strongly advise you to upgrade your server accordingly as this will solve the problem of the apache killer security issue by which someone could take over your server.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

Next step was getting XCode on the machine for which I had to use the “App Store” but luckily XCode is again free! Everything installed I was ready to go. One of the things I noticed is that I can install everything in 64 bits without needing to explicitly specifying it which we had to do on Snow Leopard. Also note that there is no more 32 bits on Lion! This is why it won’t run on some of the older Intel Macs.

So if you’ve already upgraded your Mac to Lion or just have bought a new one and need to install MAMP, that part is no finished. Next step is me taking the time to upgrade my desktop and then attack the mail-server documentation.

http://diymacserver.com/lion/

Update: Just got this in my RSS reader, VMWare 3.1.3 does not support Lion as a guest. The current Beta does so I guess you have to wait till 3.1.4 or join the beta program!

Also found that PostgresSQL 9.0.4 is installed with OS X Lion! There is documentation in /Library/Webserver/Documents and the psql command is available. Let’s see what we can find out more…

Found this in the official Apple documentation What is new in Mac OS X 10.7

Beginning in Mac OS X v10.7, Mac OS X Server ships with PostgreSQL instead of MySQL as its database server. If you are using other software that requires MySQL, you must install it yourself.

• SECURITY: CVE-2011-1928 (cve.mitre.org) A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. httpd workers enter a hung state (100% cpu utilization) after updating to APR 1.4.4. Upgrading to APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3
  or prior with the ‘IgnoreClient’ option of the ‘IndexOptions’ directive will circumvent both issues.
• httpd 2.2.18: The ap_unescape_url_keep2f() function signature was inadvertantly changed. This breaks binary compatibility of a number of third-party modules. This httpd-2.2.19 package restores the function signature provided by 2.2.17 and prior.

I would strongly advise you to upgrade your server accordingly and not to use the httpd 2.2.18 package. i’ve installed it on several machines without an error.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

• SECURITY: CVE-2011-0419 (cve.mitre.org) apr_fnmatch flaw leads to mod_autoindex remote DoS. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a carefully crafted request may cause excessive CPU usage. Upgrading to APR 1.4.4, or setting the ‘IgnoreClient’ option of the ‘IndexOptions’ directive circumvents this risk.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

• SECURITY: CVE-2010-1623 (cve.mitre.org) Fix a denial of service attack against apr_brigade_split_line().
• SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org) Fix two buffer over-read flaws in the bundled copy of expat which could cause httpd to crash while parsing specially-crafted XML documents.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

For Apache I did a recompile and install because the config was completely lost (and I had no backup!) and this was the quickest way for me. The normal 64 bit Leopard instructions did the job for now, will look later at possible enhancements.

MySQL I could just startup with the System Preferences MySQL panel. Will do a recompile later today and will update this post with the findings. This as MySQL is updated to 5.1.38

PHP gave the most issues, but a comment from Nico helped out. This problem is valid for 5.2.9 and 5.3.0 but it should be solved in 5.3.1 as the bug was listed as solved in 5.3.1.dev

To solve the problem, follow the normal instructions on this site but after the configure statement you need to edit the Makefile which is created by ./configure

You need to add ‘-lresolv‘ at the end of the line which starts with ‘EXTRA_LIBS‘ like:

EXTRA_LIBS = -lmysqlclient -lssl -lcrypto -lz -lssl -lcrypto -lm -lxml2 -lz -licucore -lm -lxml2 -lz -licucore -lm -lmysqlclient -lz -lm -lmysqlclient -lz -lm -lxml2 -lz -licucore -lm -lxml2 -lz -licucore -lm -lxml2 -lz -licucore -lm -lxml2 -lz -licucore -lm -lresolv

As noted earlier, I will keep updating this blogpost till most issues are resolved or properly documented elsewhere on the site.

Update 1: MySQL compiled without a problem using the 64 bits Leopard instructions.

Update 2: Finished some of the PHP documentation on Snow Leopard:

• Compiling PHP in 64 bits mode on Snow Leopard
• Adding the GD module to PHP on Snow Leopard
• Adding the mcrypt module to PHP on Snow Leopard

Update 3: Added Apache install instructions:

• Compiling Apache in 64 bits mode on Snow Leopard

Update 4: Made a new page with all related Snow Leopard instructions. MAMP stack documented, mailserver will follow!

Last update: Mailserver instructions.

But as I also use my MBP as the 64 bit test server. I was very dissapointed to find out that a lot was gone aftet the upgrade. All launchdaemon plist files where gone so nothing was started. Postfix binary had been replaced (was to be expected). All the configuration for Apache was gone, Postfix config replaced (but old ones renamed). Still assessing most of the damage at the moment.

But first success was that the Apache installation for Leopard also works for Snow Leopard. Don’t forget to install the XCode package from the Snow Leopard install DVD.

By the way I had to buy a copy today (which was hard because it was sold out at many places) because the family pack was not yet available.

I will post of my findings tomorrow.

Update: If you follow me on Twitter I will give you earlier smaller notifications on my discoveries! Twitter.com/diymacserver

But I’m wrong, as my basic goal was to provide you with a complete mailserver solution, I have to acknowledge that the most polular pages are on installing Apache, PHP and third MySQL. The popularity of the mailserver instructions comes way lower then these three subjects.

So therefore I’ve updated all the 64 bit instructions with how to compile on a 64 bit PowerPC platform. You have to forgive me for not being able to test this (no G5 at my place!) I’m using the input of someone else who told me this. It was a very simple change as you only need to change the ‘x86_64‘ bit into ‘ppc64‘ and that’s it.

If someone else could verify that this works it would be grand!