Update

This is a Security Update which solves the problem with the malicious PDFs that plagued the iPhone/iPad as well. Besides solving this issue there are some minor fixes. There are no changes to any of our software (yes, even postfix is unaffected!) so you can run this without any problem. Read more about it in Apple’s Knowledge Base article. All my test and production servers are now safe and still working perfectly.

no comments

I’ve updated all my machines that run Snow Leopard with the update and I haven’t noticed any strange behavior or errors.

If you want to read more on what is affected in the updates I would suggest reading the Apple support site for the (security) update.

There are some reports on changes in the firewall which might affect the workings of your server if you are using the default firewall configuration. I use noobproof to configure my firewalls. It has a better level of control.

Update: the postfix binary is replaced and you need to run a “sudo make install” from the last version you used. This is a reminder on why you keep the compiled stuff lying around on the server and not clean it up after installation.
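
One way to catch this after any future update, as an added example (not part of the original post): record SHA-256 hashes of the binaries you built yourself before updating, then compare afterwards. The function names, the manifest location and the binary paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: detect self-built binaries that an OS update has overwritten.

TAB=$(printf '\t')

# Print the SHA-256 of one file (sha256sum on Linux, shasum on Mac OS X).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# snapshot_bins MANIFEST FILE...  writes one "hash<TAB>path" line per file.
snapshot_bins() {
    _manifest=$1; shift
    : > "$_manifest"
    for _f in "$@"; do
        [ -f "$_f" ] || { echo "skip (missing): $_f" >&2; continue; }
        printf '%s\t%s\n' "$(hash_file "$_f")" "$_f" >> "$_manifest"
    done
}

# changed_bins MANIFEST  prints every path that was replaced or removed.
# Returns 1 if anything changed, 0 if all hashes still match.
changed_bins() {
    _rc=0
    while IFS="$TAB" read -r _want _path; do
        if [ ! -f "$_path" ] || [ "$(hash_file "$_path")" != "$_want" ]; then
            echo "$_path"
            _rc=1
        fi
    done < "$1"
    return $_rc
}

# Usage (paths are assumptions; list whatever you installed from source):
#   before: snapshot_bins /var/db/custom-bins.sha256 /usr/sbin/postfix
#   after:  changed_bins /var/db/custom-bins.sha256 || echo "re-run sudo make install"
```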

5 comments

Sorry that I’m later than I’m supposed to be with this blogpost, but my new day job needs all the attention at the moment. The good news is there are not many problems when you update your Mac with the latest security update. Read more about it in Apple’s Knowledge Base article.

On Leopard there is a small known issue with postfix. To correct it, comment out or delete the following line from /etc/postfix/main.cf:

inet_interfaces = localhost

Restart postfix (reloading config does not work) with:

sudo postfix stop
sudo postfix start

And all should be fine. If you find another issue please use the comments.
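
The edit above as a repeatable step, added here as an example and not taken from the original post: the hypothetical helper `comment_out_inet_localhost` keeps a backup of main.cf and only touches an active line. With the line gone Postfix falls back to its built-in default for inet_interfaces (all), so the listener is reachable on every interface and the firewall rules should match that.

```shell
#!/bin/sh
# Added example: comment out an active "inet_interfaces = localhost" line.

# comment_out_inet_localhost FILE
# Keeps the original as FILE.bak. Returns 0 if the file was changed,
# 1 if no active line was found, 2 if the backup could not be written.
comment_out_inet_localhost() {
    _cf=$1
    _pat='^[[:space:]]*inet_interfaces[[:space:]]*=[[:space:]]*localhost[[:space:]]*$'
    # Lines that are already commented out or set to another value do not match.
    grep -Eq "$_pat" "$_cf" || return 1
    cp -p "$_cf" "$_cf.bak" || return 2
    # Rewrite from the backup so a failed sed never leaves a half-written file unnoticed.
    sed -E "s/$_pat/# &/" "$_cf.bak" > "$_cf"
}

# Usage on the server, as root (the restart commands are the ones from the post):
#   comment_out_inet_localhost /etc/postfix/main.cf
#   postconf -h inet_interfaces     # effective value after the edit
#   postconf -d inet_interfaces     # built-in default, for comparison
#   postfix stop && postfix start   # a reload is not enough here
```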

3 comments

A new version of Dovecot was released a few days ago but I’ve only been able to test it in the last few days. Sorry, my day job is getting a bit hectic at the moment and is eating into my personal time.

There is mention of moving to a 2.0 version in a few weeks. I hope to have that ready and tested as soon as possible.

Here is a list of the changes:

  • Upgraded to Unicode 5.2.0
  • Added authtest utility for doing passdb and userdb lookups.
  • login: ssl_security string now also shows the used compression.
  • quota: Don’t crash with non-Maildir++ quota backend.
  • imap proxy: Fixed crashing with some specific password characters.
  • dovecot --exec-mail was broken.
  • Avoid assert-crashing when two processes try to create index at the same time.

Update: There is a small issue when compiling this version on Leopard. It has to do with the fact that Leopard is using an older version (0.7.8) of OpenSSL than Snow Leopard (using 0.9.8).

The error will show itself during the make phase of the build. You would see errors like:

Undefined symbols:
"_SSL_get_current_compression", referenced from:
_ssl_proxy_get_security_string in liblogin-common.a(ssl-proxy-openssl.o)
"_SSL_COMP_get_name", referenced from:
_ssl_proxy_get_security_string in liblogin-common.a(ssl-proxy-openssl.o)
ld: symbol(s) not found

You can solve it by downloading and applying this fix. Execute the following commands from the 1.2.6 source directory:

curl "http://hg.dovecot.org/dovecot-1.2/raw-file/4add5c3f13ea/configure.in" \
-o ./configure.in
 
curl "http://hg.dovecot.org/dovecot-1.2/raw-file/4add5c3f13ea/src/login-common/ssl-proxy-openssl.c" \
-o ./src/login-common/ssl-proxy-openssl.c

Then run the normal ./configure and make statements from the regular install instructions.

3 comments

For everyone who has not updated to a 5.1.x version: this is a bug fix release and it is up to you if you want to upgrade. If you don’t have any current issues you don’t need to upgrade.

Check all the fixes that are listed on the release notes to see what issues are resolved and if you are affected.

I’ve compiled this version and did some simple tests on Leopard and Tiger and both can be compiled and installed using the instructions in the documentation set without problems.

Read the documentation on how to upgrade MySQL.

no comments

For everyone who has upgraded to a 5.1.x version: this is again a bug fix release like 5.1.39 and it is up to you if you want to upgrade. There are no apparent security issues solved in this release. This is a very quick release after 5.1.38.

Check all the fixes and changes that are listed on the release notes to see what issues are resolved and if you are affected. Most of them are concerning replication.

I’ve compiled this version and did some simple tests on my test servers and it worked without any problems.

Read the documentation on how to upgrade MySQL.

no comments

For the people still running the Courier setup. Yes I know I still need to publish the migration scenario. The IMAP server got a small update. It is not a security fix so if you haven’t run into any problems you can skip this one.

Issues solved in this release are:

  • outbox.c (imapd_sendmsg): Renamed sendmsg() to avoid library name clash.
  • courier.sysvinit.in: Fix typo in init file.
  • tls: change the default OpenSSL configuration to disable anonymous authentication ciphers.
  • DROP options for couriertcpd, set in the esmtpd configuration file: drop connections from blacklisted IP addresses, rather than accepting connections and rejecting all mail from them.

no comments

PHP has released an update to the 5.2.x version. Many people still have problems with the backwards compatibility of 5.3 and are still using 5.2.10. This release is a security bug-fix, and if you are running 5.2.10 I would urge you to upgrade.

Security Enhancements and Fixes in PHP 5.2.11:

  • Fixed certificate validation inside php_openssl_apply_verification_policy.
  • Fixed sanity check for the color index in imagecolortransparent().
  • Added missing sanity checks around exif processing.
  • Fixed bug #44683 (popen crashes when an invalid mode is passed).

Key enhancements in PHP 5.2.11 include:

  • Fixed regression in cURL extension that prevented flush of data to output defined as a file handle.
  • A number of fixes for the FILTER_VALIDATE_EMAIL validation rule
  • Fixed bug #49361 (wordwrap() wraps incorrectly on end of line boundaries).
  • Fixed bug #48696 (ldap_read() segfaults with invalid parameters)
  • Fixed bug #48645 (mb_convert_encoding() doesn’t understand hexadecimal html-entities).
  • Fixed bug #48619 (imap_search ALL segfaults).
  • Fixed bug #48400 (imap crashes when closing stream opened with OP_PROTOTYPE flag).
  • Fixed bug #47351 (Memory leak in DateTime).
  • Over 60 bug fixes.

For instructions on how to upgrade PHP please read: Upgrading PHP.

no comments

A new version of Dovecot was released a few days ago but I’ve only been able to test it today, sorry, busy week.

The bugfixes include:

  • Authentication: DIGEST-MD5 and RPA mechanisms no longer require user’s login realm to be listed in auth_realms. It only made configuration more difficult without really providing extra security.
  • zlib plugin: Don’t allow clients to save compressed data directly. This prevents users from exploiting (most of the) potential security holes in zlib/bzlib.
  • Added pop3_save_uidl setting.
  • dict quota: When updating quota and user isn’t already in dict, recalculate and save the quota.
  • file_set_size() was broken with OSes that didn’t support posix_fallocate() (almost everyone except Linux), causing all kinds of index file errors.
  • v1.2.4 index file handling could have caused an assert-crash
  • IMAP: Fixes to QRESYNC extension.
  • virtual plugin: Crashfix
  • deliver: Don’t send rejects to any messages that have Auto-Submitted header. This avoids email loops.
  • Maildir: Performance fixes, especially with maildir_very_dirty_syncs.
  • Maildir++ quota: Limits weren’t read early enough from maildirsize file (when quota limits not enforced by Dovecot)
  • Message decoding fixes (mainly for IMAP SEARCH, Sieve).

no comments

I’ve updated my test server with Mac OS X 10.6.1. The update went without any problem and my setup was not affected in a negative way. It took me some time to check everything.

If you want to read more on what is affected in the updates I would suggest reading the Apple support site for the 10.6.1 update.

In case of doubt, please make a full bootable disk image backup with Carbon Copy Cloner before you start. Some people have reported problems with the previous update, so better be safe than sorry!

no comments
