Update

Wietse just released a quick update to the recently released 2.4.2: it turns out the 2.4.2 release introduced a compiler bug on some platforms, which was easily fixed. The bugs solved in this latest release were:

  • 20070425
    Bugfix: don’t falsely report “lost connection from localhost[127.0.0.1]” when Postfix is being portscanned. Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
  • 20070430
    Robustness: recommend a “0” process limit for policy servers to avoid “connection refused” problems when the smtpd process limit exceeds the default process limit. File: proto/SMTPD_POLICY_README.html.
  • 20070501
    Safety: when IPv6 (or IPv4) is turned off, don’t treat an IPv6 (or IPv4) connection from e.g. inetd as if it comes from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
  • 20070508
    Bugfix: Content-Transfer-Encoding: attribute values are case insensitive. File: src/cleanup/cleanup_message.c.
  • 20070514
    Bugfix: mailbox_transport(_maps) and fallback_transport(_maps) were broken when used with the error(8) or discard(8) transports. Cause: insufficient documentation. Files: error/error.c, discard/discard.c.
  • 20070520
    Bugfix (problem introduced Postfix 2.3): when DSN support was introduced it broke “aggressive” recipient duplicate elimination with “enable_original_recipient = no”. File: cleanup/cleanup_out_recipient.c.
  • 20070529
    Bugfix (introduced Postfix 2.3): the sendmail/postdrop commands would hang when trying to submit a message larger than the per-message size limit. File: postdrop/postdrop.c.
  • 20070530
    Sabotage the saboteur who insists on breaking Postfix by adding gethostbyname() calls that cause maildir delivery to fail when the machine name is not found in /etc/hosts, or that cause Postfix processes to hang when the network is down.
  • 20070531
    Portability: Victor helpfully pointed out that change 20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

If you have no issues currently and all is working fine, there is no real need to upgrade. If it ain’t broke, don’t fix it.

no comments

It’s time again for a security update. It fills some new holes that could be exploited. I’ve installed it on my servers and didn’t run into any issues, as expected, because the affected components don’t touch our programs. Read more about the update here. If you haven’t updated yet, please do it now!

no comments

Thomas Bruederli has found the time to release an update to our favorite webmail client, Roundcube. It’s still beta, version 0.1, and this is release candidate 1, but as some of you know it is already pretty solid and very usable. I myself use it every day to read my mail when I’m not at home! Read more about what has changed and how to download it in the announcement.

There is an update manual included in the download file, so there is no need for me to explain it, although I had some issues with the database update script and went for a re-initialization of the database instead: I dropped all tables and ran the mysql5.initial.sql script.

If you are new to Roundcube, here is my installation manual.

no comments

Sorry for the late post, but I wanted to check the software myself before announcing the updates and letting you update your systems. Sam Varshavchik has been busy in April and created fixes and small updates for most of the Courier software stack. The ones that concern us are:

Courier-Auth was updated to 0.59.3

  • Minor fixes in several man pages — workaround for some minor issues with Docbook XML stylesheets
  • Added support for CRAM authentication in the vchkpw module
  • Fix a memory leak when authpipe module is enabled, but the actual authpipe script/external prog is not installed
  • Fix several other pedantic leaks flagged by a static code analysis tool, that occur only after courier-authlib already runs out of memory

Courier-IMAP was updated to 4.1.3

  • Fix several pedantic memory leaks flagged by a static code analysis tool, that occur only after the server already runs out of memory
  • Updated man pages to Docbook XML 4.4
  • Fix parsing of raw 8bit headers

Courier Maildrop was updated to 2.0.4

  • Updated manual pages to Docbook XML V4.4
  • Include the makedat script (the man page is already here)

Updating should be easy; just follow the install instructions as usual.

2 comments

The PHP development team released an update to the core PHP system. It’s a major stability and security enhancement to the 5.2.1 release. Everybody is strongly encouraged to upgrade to this release as soon as possible. Release notes can be found here and the changelog here.

Quoted from the announcement:

Security Enhancements and Fixes in PHP 5.2.2:

  • Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
  • Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
  • Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser)
  • Fixed unallocated memory access/double free in array_user_key_compare() (MOPB-24 by Stefan Esser)
  • Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
  • Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser).
  • Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser)
  • Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
  • Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser)
  • Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev)
  • Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser)
  • Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser)
  • Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia)
  • Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). (by Ilia Alshanetsky)
  • Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky)

I still have the same issue on the PPC platform as with 5.2.1, which I’m still working to solve. But it takes some time before I can move everything from my production server to a temporary one.

no comments

It’s time for a much needed security update. It fills some holes that needed fixing and could be exploited. I’ve installed it on my servers and didn’t run into any issues, as expected, because the affected components don’t touch our programs. Read more about the update here. If you haven’t updated yet, please do it now!

no comments

As promised, and sooner than I expected myself, here is some more information on the update of Courier Auth to version 0.59.2. It was a minor upgrade in which the following items were fixed:

  • Fix pedantic compilation warnings
  • Implement SSL-encrypted MySQL connections
  • Update documentation to Docbook XML V4.4

Installing or upgrading is done by simply following the install instructions and restarting the Auth daemon. Please don’t forget to run:

chmod o+x /usr/local/var/spool/authdaemon

no comments

It’s time again for a security update. This time it’s a pure security patch and not really DIYMacServer related. It fixes security holes in iChat, Java and Finder. I’ve installed it on my servers and didn’t run into any issues, as expected, given the affected components. Read more about the update here.

no comments

The PHP development team just released an update to the core PHP system. It’s a major stability and security enhancement to the 5.2.0 release. Everybody is strongly encouraged to upgrade to this release as soon as possible.

Quoted from the announcement:

Security Enhancements and Fixes in PHP 5.2.1:

  • Fixed possible safe_mode & open_basedir bypasses inside the session extension.
  • Prevent search engines from indexing the phpinfo() page.
  • Fixed a number of input processing bugs inside the filter extension.
  • Fixed unserialize() abuse on 64 bit systems with certain input strings.
  • Fixed possible overflows and stack corruptions in the session extension.
  • Fixed an underflow inside the internal sapi_header_op() function.
  • Fixed allocation bugs caused by attempts to allocate negative values in some code paths.
  • Fixed possible stack overflows inside zip, imap & sqlite extensions.
  • Fixed several possible buffer overflows inside the stream filters.
  • Fixed non-validated resource destruction inside the shmop extension.
  • Fixed a possible overflow in the str_replace() function.
  • Fixed possible clobbering of super-globals in several code paths.
  • Fixed a possible information disclosure inside the wddx extension.
  • Fixed a possible string format vulnerability in *print() functions on 64 bit systems.
  • Fixed a possible buffer overflow inside mail() and ibase_{delete,add,modify}_user() functions.
  • Fixed a string format vulnerability inside the odbc_result_all() function.
  • Memory limit is now enabled by default.
  • Added internal heap protection.
  • Extended filter extension support for $_SERVER in CGI and apache2 SAPIs.

The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to 5.2.1 release as soon as possible. PHP 4.4.5 with equivalent security corrections will be available shortly.

The key improvements of PHP 5.2.1 include:

  • Several performance improvements in the engine, streams API and some Windows specific optimizations.
  • PDO_MySQL now uses buffered queries by default and emulates prepared statements to bypass limitations of MySQL’s prepared statement API.
  • Many improvements and enhancements to the filter and zip extensions.
  • Memory limit is now always enabled, this includes Windows builds, with a default limit of 128 megabytes.
  • Added several performance optimizations using faster Win32 APIs (this change means that PHP no longer supports Windows 98).
  • FastCGI speed optimized build of PHP for Windows made available for downloading.
  • Over 180 bug fixes.

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available at http://www.php.net/UPDATE_5_2.txt, detailing the changes between those releases and PHP 5.2.1.

For a full list of changes in PHP 5.2.1, see the ChangeLog (http://www.php.net/ChangeLog-5.php).

The new version compiled without any issue on my Intel Mac and worked like a charm. I did encounter some issues (I’m still working on them) on my production PPC Mac, but most of these occur because of stuff and libraries I’ve used in earlier setups. I wish I still had a second PPC Mac just to be able to clean up my production machine!

2 comments

Just got an email from the Postfix announcement mailing list telling me that Wietse has released another update. It fixes minor problems and introduces one incompatibility.

  • postmap support for NIS maps was broken with Postfix 2.3.
  • Workaround to avoid breaking digital signatures for malformed MIME attachments.
  • Incorrect handling of ![address] forms in match lists, such as mynetworks, inet_interfaces etc.

From the announcement:

Incompatible changes with Postfix 2.3.7:
Postfix no longer inserts an empty-line header/body separator into malformed MIME attachments, to avoid breaking digital signatures.

This change introduces ambiguity. Postfix still treats the remainder of the attachment as body content; header_checks rules will therefore not detect forbidden MIME types inside a message/rfc822 attachment.

With the empty-line header/body separator no longer inserted by Postfix, other software may process the malformed attachment differently, and thus may become exposed to forbidden MIME types.

I see no problems in our setup for Postfix, as we don’t do any header_checks inside Postfix; we only do that in DSpam, and that is not affected as far as I can tell.
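To see what the announcement’s last two paragraphs mean in practice, here is an added Python example (not part of the original post, and not Postfix code) that parses a constructed message whose message/rfc822 attachment omits the blank line between its nested headers and body. Python’s email parser still reads the nested headers and records the missing separator as a MissingHeaderBodySeparatorDefect, so a content filter built on it can flag both the malformed part and a forbidden Content-Type that, as the announcement explains, a Postfix header_checks rule would not see. The sample message and the forbidden-type list are constructed assumptions for this example.

```python
import email
from email import policy
from email.errors import MissingHeaderBodySeparatorDefect

# Constructed sample: a multipart message whose message/rfc822 attachment
# carries a nested header block with NO blank line before its base64 body.
MALFORMED_MESSAGE = b"""\
From: sender@example.test
To: user@example.test
Subject: constructed malformed attachment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="us-ascii"

See attached.
--outer
Content-Type: message/rfc822

From: forwarded@example.test
Subject: constructed forwarded part
Content-Type: application/x-msdownload; name="invoice.exe"
Content-Transfer-Encoding: base64
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--outer--
"""

# The same message with the header/body separator restored (constructed).
WELLFORMED_MESSAGE = MALFORMED_MESSAGE.replace(
    b"Content-Transfer-Encoding: base64\n",
    b"Content-Transfer-Encoding: base64\n\n",
)

# Assumed policy: MIME types a site might block with header_checks.
FORBIDDEN_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def scan(raw):
    """Parse a raw message and walk every MIME part, including the nested
    message inside a message/rfc822 attachment.

    Returns (malformed, forbidden): content types of parts that lack the
    header/body separator, and content types that are on the forbidden list.
    The parser still recognises the nested headers, so a forbidden type is
    reported even when the part is malformed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    malformed, forbidden = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if any(isinstance(d, MissingHeaderBodySeparatorDefect)
               for d in part.defects):
            malformed.append(ctype)
        if ctype in FORBIDDEN_TYPES:
            forbidden.append(ctype)
    return malformed, forbidden


if __name__ == "__main__":
    for label, raw in (("malformed", MALFORMED_MESSAGE),
                       ("well-formed", WELLFORMED_MESSAGE)):
        malformed, forbidden = scan(raw)
        print(f"{label}: missing separator in {malformed or 'no parts'}; "
              f"forbidden types {forbidden or 'none'}")
```

Run as a script it reports the nested application/x-msdownload part as both malformed and forbidden for the first sample, and only as forbidden for the second. In a real deployment this check would sit in a content filter or milter that receives the message after Postfix, which is exactly the place the announcement says may now see the malformed attachment differently.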

Comments Off
