Update

It hasn’t been that long, but Sam Varshavchik has done it again and updated Courier IMAP. Some of the fixes include:

  • Added support for GnuTLS as an alternative to OpenSSL.
  • Fix certain courier-authlib misconfigurations from being reported as false clock skew errors.
  • Remove the \Draft flag from messages that are automatically moved to Trash after expunge, to have clients treat them as ordinary messages, if pulled from Trash.

I’ve downloaded, compiled and tested it and found no issues on my test server.


Somehow the PHP.net guys forget they have an announcement mailing list to tell everyone a new version is released. I had a kind and very thoughtful reminder in my mail from a happy DIYMacServer user telling me that a new version has been released.

So gentlemen, start your download program and warm up your compiler. The PHP installation documentation has been updated and also has a Leopard configuration for all you early adopters.

The new release boasts the following fixes:

  • Fixed dl() to only accept filenames. Reported by Laurent Gaffie.
  • Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.
  • Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf.
  • Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
  • Fixed “mail.force_extra_parameters” php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.
  • Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
  • Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).

and the following enhancements:

  • Upgraded PCRE to version 7.3
  • Updated timezone database to version 2007.9
  • Added ability to control memory consumption between requests using ZEND_MM_COMPACT environment variable.
  • Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc() functions
  • Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll())
  • Fixed bug #42785 (json_encode() formats doubles according to locale rather than following standard syntax)
  • Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23)
  • Over 60 bug fixes.

Alright, this time on time and not weeks behind the official release like the last update of Postfix. Wietse released a minor bug-fix which solves some problems in the SMTP client. The bug-fixes include:

  • A remote SMTP client TLS certificate with an unparsable canonical
    name triggered a panic error in the Postfix SMTP server (attempt
    to allocate zero-length memory) while sending a request to an
    SMTPD policy server.
  • On backup MX servers where the queue file system is mounted with
    “atime” (file read/execute access time) updates disabled, the
    flush daemon would trigger mail delivery attempts once every 1000
    seconds, thus rendering the maximal_backoff_time setting useless
    for backup MX service.

This update has been tested on my test server and my production server is using this latest release as well for a few hours now without a problem.

By the way, as a side note, I’ve ordered my Leopard box in the online Apple store. I need to prepare my test server for the upgrade!


Roundcube got another new release candidate. This updated version has a lot of improvements and fixed bugs. HTML message composition is also included but is disabled by default because it’s still experimental.

I wonder how long it will be before we see a proper regular release. For more than a year it has been nothing but beta and RC’s. The product is stable enough to be used in a production environment and has enough features to be able to use it daily. I wonder what is keeping it from releasing it properly.

If you’ve used the DIYMacServer provided installation instructions and are upgrading from RC1, the steps to update Roundcube are:

Extract the RC2 archive into '/Library/WebServer/Documents'. Create new copies of the configuration files and edit them to reflect the same settings as in the RC1 installation. T

Remove the original ‘roundcubemail’ symbolic link and create a new one:

sudo ln -s /Library/WebServer/Documents/roundcubemail-0.1-RC2 /Library/WebServer/Documents/roundcubemail

Nothing more to do! If you have an older version it’s necessary to recreate the database because it has changed. Just do a ‘drop databasename’ and run the sql scripts as explained in the installation documentation.
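
The symlink switch described above, wrapped in a shell function that checks before it changes anything. This is an added example, not part of the original instructions: the function name `switch_roundcube` is hypothetical, and the two config file names are assumed from the `.dist` templates shipped in Roundcube 0.1-era archives.

```sh
#!/bin/sh
# Added example: repoint the 'roundcubemail' symlink at a newly extracted
# release, refusing to switch while the new tree is missing or unconfigured.
# Assumption: config files are config/main.inc.php and config/db.inc.php.

switch_roundcube() {
    docroot=$1                      # e.g. /Library/WebServer/Documents
    release=$2                      # e.g. roundcubemail-0.1-RC2
    link="$docroot/roundcubemail"
    target="$docroot/$release"

    # 1: the archive must already be extracted into the document root
    [ -d "$target" ] || { echo "missing release dir: $target" >&2; return 1; }

    # 2: new copies of the config files must exist and be non-empty,
    #    otherwise the webmail would go live without its settings
    for f in main.inc.php db.inc.php; do
        [ -s "$target/config/$f" ] || {
            echo "config/$f not created in $release" >&2; return 2; }
    done

    # 3: only ever replace a symlink, never a real directory of that name
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symlink" >&2; return 3
    fi

    # Same two steps as the manual procedure: remove old link, create new one
    rm -f "$link"
    ln -s "$target" "$link" || return 4

    # Confirm the link now resolves to the release we intended
    [ "$(readlink "$link")" = "$target" ] || return 5
}

# Usage (as root, matching the paths in the post):
#   switch_roundcube /Library/WebServer/Documents roundcubemail-0.1-RC2
```

A non-zero return leaves the existing RC1 link untouched, so a half-prepared RC2 tree is never served.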


Alright, the update for Courier-Auth that solves the bug found when using it with Mac OSX is released. There were some other issues that were fixed in the IMAP server and some other small bugs in other parts of the courier software stack that we don’t use in our setup. The bug fixes that concern us are:

  • courier-authlib: portability fix for the check of the highest available file descriptor, this is the one we reported on earlier
  • imap: Fix crash during ‘make check’ on some platforms
  • imap: Avoid a double-fclose in a marginal error condition

I’ve tested these new releases (0.60.2 for Courier-Auth and 4.2.1 for Courier-IMAP) and they work, don’t forget to do a:
sudo chmod o+x /usr/local/var/spool/authdaemon
after you’ve done a ‘make install’ on the courier-auth daemon.


Sam released a new batch of updates on most of the Courier packages, here is the list with the important changes:

Courier-authlib 0.60.0:

  • Fix some compiler errors in authvchpw
  • userdb: allow underscores in login names
  • courierlogger: use OPEN_MAX or sysconf(_SC_OPEN_MAX) to pick the highest available file descriptor for the lock file
  • License update to GPL3

Courier-imap 4.2.0

  • COPYING updated to GPL 3
  • Updated man pages to Docbook XML 4.4
  • IMAP performance improvements
  • Ignore SIGPIPE errors in couriertcpd, preventing couriertcpd from being terminated if the stderr logger crashes.
  • Logging changes - include remote port number in IMAP and POP3 logs
  • If using courier-analog, must upgrade to version 0.15
  • Try to autodetect clock skew

Note: Please don’t update if you are not sure. There have been issues reported and I haven’t tested it myself. I will test it asap…

Note 2: I’ve checked it myself and there is a problem with version 0.60 and 0.60.1 of courier-auth. Currently working with the developers to get it worked out.


Well, here as well we missed an update. Sorry about this; I hope to keep you more up to date on stuff like this in the coming period. The bug is still there, so you still need to recompile!

This release includes a number of security-relevant fixes:

  • CREATE TABLE LIKE did not require any privileges on the source table and was not isolated from alteration by other connections. (Bugs #25578 and #23667)
  • It is no longer possible to use a view to gain update privileges for tables in other databases. (Bug#27878)
  • It is no longer possible for a user to gain privileges by calling a stored routine that was declared using SQL SECURITY INVOKER. (Bug#27337)
  • The DROP privilege requirement for RENAME TABLE is now correctly enforced. (Bug#27515)
  • Malformed password packets in the connection protocol can no longer cause the server to crash. (Bug#28984)

One bug fix resulted in an incompatible change:

  • The use of an ORDER BY or DISTINCT clause with a query containing a call to the GROUP_CONCAT() function caused results from previous queries to be redisplayed in the current result. The fix for this includes replacing a BLOB value used internally for sorting with a VARCHAR; this may lead to truncation when the result of a query that uses GROUP_CONCAT() is longer than the limit for VARCHAR, which is a new restriction in MySQL 5.0.45. (Bugs #23856, #28273)

Read about all the changes here.


Alright, Wietse has been busier than me and because of that I missed an update. So the current source version that is available is 2.4.5 which should run fine on your current machine without a problem. Here is a summary of changes; for details please see HISTORY or RELEASE_NOTES in the source archive:

  • MILTER bugfix: When a milter replied with ACCEPT at or before the first RCPT command, the cleanup server would apply the non_smtpd_milters setting as if the message was a local submission. Problem reported by Jukka Salmi.
  • MILTER bugfix: Problem with header updates after body updates. Reported by Jose-Marcio Martins da Cruz.
  • MILTER robustness: Assorted cleanups to harden error handling in the Postfix Milter client.
  • SASL workaround for Postfix SMTP client: Some non-Cyrus SASL SMTP servers require SASL login without authzid (authoriZation ID), i.e. the client must send only the authcid (authentiCation ID) + the authcid’s password. This is now the default Postfix SMTP client behavior.
  • Loopback TCP performance workaround: Some systems exhibited poor SMTP and Milter performance with loopback (127.0.0.1) connections. Problem reported by Mark Martinec.

Alright, I’m working on all the items on my todo list which has been growing quite heavily. The new job is so much fun that I forgot to spend time on all my other fun projects… Expect quite some posts in the next few days…

But first to the business at hand, I’ve updated the server with the Security Update 2007-7 and didn’t run into any problem with all the changes we made… Read more about the update at the apple support site. But I guess most of you already have got the update running…


Well, that was not expected, another update before we hit Leopard. It was followed by a security update a day later as well. You can install them without any issues related to our server software. There is however a problem reported with popping noises coming from the speakers on Intel Macs after installing this update. I haven’t noticed it myself but be warned.

More about the software update or the security update
