Timo released another bugfix release of Dovecot; he hopes it will last for the next few months. I guess he needs more time for the 2.x release, which is coming along nicely. Bugs fixed in this release are:

  • maildir: When saving, filenames now always contain ,S=. Previously this was done only when quota plugin was loaded. It’s required for zlib plugin and may be useful for other things too.
  • lazy-expunge: Support a single-namespace configuration. If a mailbox is deleted, its messages are merged with its old expunged messages (if there were any).
  • expire: Settings now support spaces in mailbox names by using quoted strings.
  • maildir: v1.2.7 and v1.2.8 caused assert-crashes in maildir_uidlist_records_drop_expunges()
  • maildir_copy_preserve_filename=yes could have caused crashes.
  • Maildir++ quota: % limits weren’t updated when limits were read from maildirsize.
  • virtual: v1.2.8 didn’t fully fix the “lots of mailboxes” bug
  • virtual: Fixed updating virtual mailbox based on flag changes.
  • fts-squat: Fixed searching multi-byte characters.
no comments

This is a small write-up of the installation I was asked to do for a client on his mini with OS X Server (Leopard). It took me a while to get this working because of the various issues that I encountered, and while googling for a solution I found that there are many people looking for an answer, hence the write-up. Please note that these instructions are not part of the normal documentation set; they only work on OS X Server Leopard and not on the regular OS X Workstation.

First make a copy of the original php module for safekeeping:

sudo cp /usr/libexec/apache2/libphp5.so /usr/libexec/apache2/libphp5.so.apple

Then we need to make some preparations. The first is to get the MySQL include source files and the client libraries as documented in this knowledge base article. Remember, this is only tested on 10.5.x of OS X Server.

Please download http://www.opensource.apple.com/darwinsource/other/MySQL-49.binaries.tar.gz

Unpack and copy the following directories using the following commands:

tar -zxvf MySQL-49.binaries.tar.gz
sudo cp -R usr/include/mysql /usr/include/
sudo cp -R usr/lib/mysql /usr/lib/

Next we need to get the iconv library and compile it to get it properly working with PHP. The default iconv library on OS X gives linking errors. You can download it from: http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz and unpack it.

Use the following commands to compile and install it:

export MACOSX_DEPLOYMENT_TARGET=10.6 \
CFLAGS="-arch x86_64" \
CXXFLAGS="-arch x86_64"
./configure --prefix=/usr/local
 
make
 
sudo make install

Next download the source code for the JPEG library from the Freshmeat libjpeg project. I’ve used the source file jpegsrc.v7.tar.gz.

First unpack the source code, then go into the source folder "jpeg-7" and execute the following commands:

cp /usr/share/libtool/config.sub .
cp /usr/share/libtool/config.guess .

This copies these files to the current directory. They are required for the configuration phase of this installation.

export MACOSX_DEPLOYMENT_TARGET=10.6
CFLAGS="-arch x86_64" \
CXXFLAGS="-arch x86_64" \
LDFLAGS="-arch x86_64" \
./configure --enable-shared
 
make
 
sudo make install

Next download PHP version 5.2.11 (this is the version installed on OS X Server 10.5.x), unpack it and use the following commands to configure, compile and install it:

export MACOSX_DEPLOYMENT_TARGET=10.6 \
CFLAGS="-arch x86_64" \
CXXFLAGS="-arch x86_64"
./configure --prefix=/usr \
  --mandir=/usr/share/man \
  --infodir=/usr/share/info \
  --disable-dependency-tracking \
  --with-apxs2=/usr/sbin/apxs \
  --with-ldap=/usr \
  --with-kerberos=/usr \
  --enable-cli \
  --with-zlib-dir=/usr \
  --enable-trans-sid \
  --with-xml \
  --enable-exif \
  --enable-ftp \
  --enable-mbstring \
  --enable-mbregex \
  --enable-dbx \
  --enable-sockets \
  --with-iodbc=/usr \
  --with-curl=/usr \
  --with-config-file-path=/etc \
  --sysconfdir=/private/etc \
  --with-openssl \
  --with-xmlrpc \
  --with-xsl=/usr \
  --with-mysql-sock=/var/mysql \
  --with-mysqli=/usr/bin/mysql_config \
  --with-mysql=/usr \
  --with-gd \
  --with-jpeg-dir=/usr/local/lib \
  --with-png-dir=/usr/X11R6 \
  --with-freetype-dir=/usr/X11R6 \
  --with-xpm-dir=/usr/X11R6 \
  --with-iconv=/usr/local \
  --without-pear

Do not start compiling yet; first we need to edit the Makefile.

Find the line that starts with:

GDLIB_CFLAGS =

and add at the end of the line:

-arch x86_64

Then find the line that starts with:

EXTRA_LIBS =

and add at the end of this multiline:

-lresolv

Next replace the line:

$(CC) $(MH_BUNDLE_FLAGS) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so

with:

$(CC) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) $(MH_BUNDLE_FLAGS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so

Save the file, and when you're done you can start compiling and installing with:

make
 
sudo make install

This means it’s ready.

Now restart apache and check your site. Now you have a new PHP version with GD on your server.

4 comments

A new version of Dovecot has been released. It’s just a minor bug fix and not a real security fix. I think that if you are not affected (like running on a server with no other local users) then you are not required to upgrade and can skip this one.

This is mainly to fix the 0777 base_dir creation issue, which could be considered a security hole, exploitable by local users. An attacker could for example replace Dovecot’s auth socket and log in as other users. Gaining root privileges isn’t possible though.

This affects only v1.2 users, v1.1 and older versions were creating the directory with 0755 permission.

If your Dovecot’s base_dir isn’t in /var/run/dovecot/, you should also make sure that the $prefix/var/ and $prefix/var/run/ (i.e. /usr/local/var/, /usr/local/var/run/ by default) aren’t 0777.
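
One way to run this check, as an added example that is not part of the original post or of Dovecot: a POSIX shell function that walks from base_dir up through its parents and prints every directory that is world-writable. The function name and the optional stop directory are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): list world-writable directories
# on the path from Dovecot's base_dir up to its parents.
# usage: sh check_base_dir.sh /usr/local/var/run/dovecot [stop_dir]

# world_writable_dirs BASE_DIR [STOP_DIR]   (hypothetical helper name)
# Prints each directory from BASE_DIR upwards, stopping before STOP_DIR
# (default /), whose mode has the "other write" bit set, e.g. 0777.
# Returns 1 if at least one such directory was found, 0 otherwise.
world_writable_dirs() {
    dir=$1
    stop=${2:-/}
    found=0
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        # -prune stops find from descending; -perm -0002 tests the o+w bit.
        if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
            echo "$dir"
            found=1
        fi
        dir=$(dirname "$dir")
    done
    return "$found"
}

# Run only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    if world_writable_dirs "$@"; then
        echo "OK: no world-writable directory on the path to $1"
    else
        echo "The directories listed above are world-writable; chmod them manually." >&2
        exit 1
    fi
fi
```

A sticky world-writable directory such as /tmp is listed as well, so pass a stop directory when base_dir lives below one.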

The fixes include:

  • Dovecot v1.2.x had been creating base_dir (and its parents if necessary) with 0777 permissions. The base_dir’s permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually.
  • acl: If user has rights from more than one group, merge them instead of choosing one group’s rights and ignoring others.
  • virtual: When using a lot of mailboxes, the virtual mailbox’s header could have grown over 32 kB and caused “out of memory” crashes. Also over 64 kB headers couldn’t even be updated with existing transaction log records. Added a new record type that gets used with >=64 kB headers. Older Dovecot versions don’t understand this header and will log errors if they see it.
  • FETCH BODYSTRUCTURE didn’t return RFC 2231 “key*” fields correctly
no comments

The PHP development team released a new version of the 5.3.x release. Before you upgrade to a 5.3.x release on a production machine, please check if all PHP based apps are supporting 5.3.x as there are some compatibility problems and you might get some strange results. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. I’ve tested it on a test server with Snow Leopard without any problems.

Security Enhancements and Fixes in PHP 5.3.1:

  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. (Ilia)
  • Added missing sanity checks around exif processing. (CVE-2009-3292, Ilia)
  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559, Johannes, christian at elmerot dot se)
  • Fixed bug #44683 (popen crashes when an invalid mode is passed). (CVE-2009-3294, Pierre)

Key Enhancements in PHP 5.3.1 include:

  • Fixed crash in com_print_typeinfo when an invalid typelib is given. (Pierre)
  • Fixed crash in SQLiteDatabase::ArrayQuery() and SQLiteDatabase::SingleQuery() when calling using Reflection. (Felipe)
  • Fixed crash when instantiating PDORow and PDOStatement through Reflection. (Felipe)
  • Fixed bug #49910 (no support for ././@LongLink for long filenames in phar tar support). (Greg)
  • Fixed bug #49908 (throwing exception in __autoload crashes when interface is not defined). (Felipe)
  • Around 100 other bug fixes

For instructions on how to upgrade PHP please read: Upgrading PHP.

2 comments

MySQL released new versions of the 5.1.x and 5.0.x community versions of their database server. There is a security issue related to them, so if you are affected I would advise you to upgrade. I’ve upgraded all my servers without any issue following the normal upgrade path as documented.

Read more about the specifics for each release here:

no comments

Warning: be careful when updating your server. I noticed a few hiccups on my machine. I will update this post with my findings through the day when I find out more.

Leopard Issues:

  • Resolved: My remote desktop isn’t working anymore, still looking into this one. Solution: It somehow works again after some time waiting; probably I was trying too fast.

Working: Everything else does not look to be affected, even Postfix is as is (in contrast to Snow Leopard)

Snow Leopard issues:

  • Postfix binary gets replaced; you’ll have to do a 'sudo make install' from the last install directory to get it working again.

For the rest, on Snow Leopard everything seems to be working as intended. Will do some more tests during the day.

Read more about the update to 10.6.2 here and the security update 2009-006 here.

If you find anything please let us know in the comments and I will try to verify.

Update: No more problems found, I guess it was just a postfix problem and as Joe has commented I need to change the location to prevent future issues.

2 comments

The people at the Roundcube project have been busy; they have released an update which should fix a lot of bugs according to their statements:

This update release fixes lots of bugs and improves the file upload when composing a mail message. Also some of the plugins have been improved and translated into more languages.

I’ve been using 0.3 for some time now and I haven’t encountered any of the bugs; I would almost say it feels like a proper solid release and not a 0.x version. If you want to know what’s updated, have a look at the changelog.

no comments

MySQL released new versions of the 5.1.x and 5.0.x community version of the database server. As far as I could tell they are bugfix releases and there is no security issue related to them. I’ve upgraded all my servers without any issue following the normal upgrade path as documented.

Read more about the specifics for each release here:

no comments

Sorry, but I somehow missed this one completely and none of you told me either. But it is forgivable as version 0.2 is working like a charm. I’ve installed it on my production server as soon as I noticed the upgrade, expecting a lot of changes, but most of the GUI is still the same; there are only changes to the settings page. Most of the changes are under the hood, improving speed and responsiveness and also fixing some of the issues that were still outstanding.

My advice, upgrade as soon as possible. Download the latest version from here.

The steps to upgrade Roundcube, if you’ve used the DIYMacServer-provided installation instructions and are upgrading from 0.2 stable, are:

Extract the 0.3 archive into '/Library/WebServer/Documents'. Create new copies of the configuration files and edit them to reflect the same settings as in the 0.2 installation.

cd into the newly extracted directory and make the temp and logs folders writeable for Apache with the following commands:

chown -R _www:_www temp
chown -R _www:_www logs

Remove the original ’roundcubemail’ symbolic link in '/Library/WebServer/Documents' and create a new one:

sudo ln -s /Library/WebServer/Documents/roundcubemail.0.3 /Library/WebServer/Documents/roundcubemail

That’s it.

2 comments

A new version of Dovecot was released a few days ago but I’ve only been able to test it in the last few days. Sorry, my day job is getting a bit hectic at the moment and is eating into my personal time.

There is mention of moving to a 2.0 version in a few weeks. I hope to have that ready and tested as soon as possible.

Here is a list of the changes:

  • Upgraded to Unicode 5.2.0
  • Added authtest utility for doing passdb and userdb lookups.
  • login: ssl_security string now also shows the used compression.
  • quota: Don’t crash with non-Maildir++ quota backend.
  • imap proxy: Fixed crashing with some specific password characters.
  • dovecot --exec-mail was broken.
  • Avoid assert-crashing when two processes try to create index at the same time.

Update: There is a small issue when compiling this version on Leopard. It has to do with the fact that Leopard is using an older version (0.7.8) of OpenSSL than Snow Leopard (using 0.9.8).

The error will show itself during the make phase of the build. You would see errors like:

Undefined symbols:
"_SSL_get_current_compression", referenced from:
_ssl_proxy_get_security_string in liblogin-common.a(ssl-proxy-openssl.o)
"_SSL_COMP_get_name", referenced from:
_ssl_proxy_get_security_string in liblogin-common.a(ssl-proxy-openssl.o)
ld: symbol(s) not found

You can solve it by downloading and applying this fix. Execute the following commands from the 1.2.6 source directory:

curl "http://hg.dovecot.org/dovecot-1.2/raw-file/4add5c3f13ea/configure.in" \
-o ./configure.in
 
curl "http://hg.dovecot.org/dovecot-1.2/raw-file/4add5c3f13ea/src/login-common/ssl-proxy-openssl.c" \
-o ./src/login-common/ssl-proxy-openssl.c

Then run the normal ./configure and make statements from the regular install instructions.

3 comments
