inet_interfaces = localhost

from “/etc/postfix/main.cf”

Try to migrate as soon as possible to the new setup to save you from future problems with the next security update.

The funny thing is that when you read the content of the security update details you will see that if you followed our update strategy you will use more recent stuff for your web and mail server then is included in this update. Example: After the update you will have Apache 2.2.21 while we are on 2.2.22 and the buid in PHP will be updated to 5.3.8 while we are on 5.3.10. This proves my point that you are better of doing this kind of stuff yourself without waiting for Apple or someone else to provide you with the updates.

Here you don’t even need me, I only help in the testing and eventual problem fixing if something goes wrong…

• Fixed arbitrary remote code execution vulnerability reported by
  Stefan Esser, CVE-2012-0830.

To see the buglist solved in this release, read them in the ChangeLog.

For instructions on how to upgrade PHP please read: Upgrading PHP.

• SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations.
• SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.
• SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations.
• SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the ‘%{cookiename}C’ log format string is in use and a client sends a nameless, valueless cookie, causing
  a denial of service. The issue existed since version 2.2.17.
• SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate cleanly.
• SECURITY: CVE-2012-0053 (cve.mitre.org) Fixed an issue in error responses that could expose “httpOnly” cookies when no custom ErrorDocument is specified for status code 400.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

For reference, here’s the full changelog for 2.3.5:

• fix SQL injection in pacrypt() (if $CONF[encrypt] == ‘mysql_encrypt’)
• fix SQL injection in backup.php – the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump.
• fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
• fix XSS in some create-domain input fields
• fix XSS in create-alias and edit-alias error message
• fix XSS (by values stored in the database) in fetchmail list view, list-domain and list-virtual
• create-domain: fix SQL injection (only exploitable by superadmins)
• add missing $LANG['pAdminDelete_admin_error']
• don’t mark mailbox targets with recipient delimiter as “forward only”
• wrap hex2bin with function_exists() – PHP 5.3.8 has it as native function

• Proxying now supports sending SSL client certificate to server with ssl_client_cert/key settings.
• doveadm dump: Added support for dumping dbox headers/metadata.
• Fixed memory leaks in login processes with SSL connections
• vpopmail support was broken in v2.0.16

Security Enhancements and Fixes in PHP 5.3.9:

• Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
• Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)

Key enhancements in PHP 5.3.9 include:

• Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
• Fixed bug #55609 (mysqlnd cannot be built shared)
• Many changes to the FPM SAPI module

To see the buglist solved in this release, read them in the ChangeLog.

For instructions on how to upgrade PHP please read: Upgrading PHP.

The mini has evolved greatly since that day. I think it was intended as a cheap desktop replacement to help switchers but has now evolved to be used as a capable server for small and medium sized companies. There are even many companies that use it as there internet presence (I know as I helped a few of them setting it up). Read this blog post at the Macminiolo blog for the increase in performance in these 7 years.

The mini is used for many things, as embedded computer, media player, in-car entertainment system and many more. Just try some google queries. This one is awesome, only not for home use: a 48U rack enclosure to hold 140 mini’s.

The predecessor of this site switch.richard5.net was started a little later as my first Mac mini was bought a few months after the introduction with a 23″ Cinema Display. I started using it as my main machine at home after long exposure to Linux and Windows, it was my first Mac after admiring them from a distance.

I’ve since bought five mini’s and still have 3. A G4 for testing PowerPC Leopard installs, an intel one for testing Snow Leapard and Lion and the last one is located at Macminicolo.net and serving amongst others this site. My current main desktop is an 27″iMac and for sentimental reasons I recently even bought a PowerMac G5. I loved the case and this one was without a scratch, additional this was the first model that was sold using water-cooled CPU’s.

With this release Roundcube also passes the email standards project’s acid test. See http://www.email-standards.org/acid-test

I would advise you that if you use Roundcube please upgrade to this version. Here is a document on how to upgrade.

Comment from Timo on this release was:

I only now noticed that the VSZ limits weren’t being enforced with earlier v2.0.x releases (or they were set 1024 times too high). So if a Dovecot process was leaking memory, it wasn’t being killed by kernel. Now that this enforcing is done, some installations will probably start seeing errors about reaching these limits in normal operation. The default_vsz_limit is 256 MB. You may want to increase it in larger installations to 1 GB just in case.

Besides the changes listed below, a lot of smaller fixes were done.

A list of the bigger fixes:

• VSZ limits weren’t being enforced for any processes. On server with large mailboxes you may now see errors about it if the limits aren’t high enough. To fix them, either increase individual service { vsz_limit } values or simply increase the default_vsz_limit setting.
• Proxying: If using ssl=yes or starttls=yes with a hostname (not IP) as proxy destination, require that the certificate matches the given hostname.
• LMTP: Changed default client_limit to 1. This should improve LMTP throughput with default settings.
• dsync: Quota is no longer enforced (i.e. dsync can’t fail because user is over quota).
• Added “auto” mail storage driver, which can be used to auto detect mailbox location and format. This behavior is already the default for empty mail_location setting, so this change is mainly useful for shared namespace’s location setting.
• checkpassword: Export all auth %variables to AUTH_* environment.

• The postscreen daemon, which is not enabled by default, sent non-compliant SMTP responses (220- followed by 421) when it could not give a connection to a real smtpd process. These responses caused some remote SMTP clients to return mail as undeliverable.

  The workaround is to hang up after sending 220- without sending the 421 “sorry” reply; this is harmless.

  The complete fix involves too much change for a stable release: send the 220 greeting, wait for the EHLO command, then send the 421 “sorry” reply and hang up.

Howto upgrade postfix.