July 2010

Dovecot updated to 1.2.13

Again a new version of Dovecot is released. As far as I can tell it’s just a bug fix release (mostly concerning ACLs) and not a security fix. I think that if you are not affected then you are not required to upgrade and can skip this one. But sometimes it’s better to be safe than sorry.

Now I’ve got my production server running Dovecot (finally) and can tell you that it really rocks and I performed the upgrade without any problem. Just configure, compile and install as per instructions and then kill the currently running dovecot process. The new version should start automatically.

Just a small remark: I just saw in my WordPress dashboard before posting this that I’ve passed the 200 blog posts on this blog. That is excluding the 134 pages (the actual documentation) and the 920 comments (which I tend to prune every now and then to keep them relevant).

MySQL released 5.1.49

For everyone who is using a 5.1.x version: this is a bug fix release and it is up to you if you want to upgrade. Check all the fixes and changes that are listed in the release notes to see what issues are resolved and if you are affected. Most of them are about replication, which we don’t use in our setup. If you are still using a 5.0.x version I would urge you to plan an upgrade to a 5.1.x version.

I’ve compiled this version and did some simple tests on my servers and it worked without any problems.

Read the documentation on how to upgrade MySQL.

PHP released 5.3.3, has small issue

The PHP development team released a new version of the 5.3.x release. Before you upgrade to a 5.3.x release on a production machine, please check whether all your PHP-based apps support 5.3.x, as there are some compatibility problems and you might get some strange results. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. This version introduces a new incompatible change with older versions of 5.3.x which affects the use of namespaces.

During compilation tests I’ve discovered some problems which made it impossible to use it with the mysqli module. The error you would get is:

In file included from /Users/richard/php-5.3.3/ext/mysqli/php_mysqli_structs.h:57,
from /Users/richard/php-5.3.3/ext/mysqli/mysqli.c:33:
/usr/local/mysql/include/mysql/my_global.h:1008: error: duplicate ‘unsigned’
/usr/local/mysql/include/mysql/my_global.h:1008: warning: useless type name in empty declaration
make: *** [ext/mysqli/mysqli.lo] Error 1

I’d twittered about it and got a prompt response from Rasmus Lerdorf with a patch which resolves the problem. If you apply the patch before compiling, everything will be fine. I would expect that the people at PHP will release an update within a few days.

You can read about the problems, bugs and security enhancements which were introduced in 5.3.3 in the ChangeLog.

For instructions on how to upgrade PHP please read: Upgrading PHP.

PHP updated to 5.2.14

The PHP development team have released PHP 5.2.14. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of the PHP 5.2.x branch are encouraged to upgrade to this release. I’ve tested this on my test servers and it works without a problem. The biggest security enhancements and fixes in PHP 5.2.14 are:

Security Enhancements and Fixes in PHP 5.2.14:

  • Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs.
  • Fixed a possible interruption array leak in strrchr() (CVE-2010-2484).
  • Fixed a possible interruption array leak in strchr(), strstr(), substr(), chunk_split(), strtok(), addcslashes(), str_repeat(), trim().
  • Fixed a possible memory corruption in substr_replace().
  • Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
  • Fixed a possible stack exhaustion inside fnmatch().
  • Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
  • Fixed handling of session variable serialization on certain prefix characters.
  • Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski.

Key enhancements in PHP 5.2.14 include:

  • Upgraded bundled PCRE to version 8.02.
  • Updated timezone database to version 2010.5.
  • Fixed bug #52238 (Crash when an Exception occurred in iterator_to_array).
  • Fixed bug #52237 (Crash when passing the reference of the property of a non-object).
  • Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
  • Fixed bug #51822 (Segfault with strange __destruct() for static class variables).
  • Fixed bug #51552 (debug_backtrace() causes segmentation fault and/or memory issues).
  • Fixed bug #49267 (Linking fails for iconv on MacOS: “Undefined symbols: _libiconv”).

For a full list of changes in PHP 5.2.14 see the ChangeLog.

For instructions on how to upgrade PHP please read: Upgrading PHP.

Next step in the migration

Had some time to spare today, so a bit quicker than anticipated here is step 2 in the migration from Courier to Dovecot. In this step we move away from Courier-Auth to the Dovecot built-in authentication module for the Postfix SASL SMTP authentication.

Read on for more information on step 2 for the migration.
