January 2012

Postfixadmin updated to 2.3.5

The Postfix Admin team have just released PostfixAdmin 2.3.5, a security update that fixes several
SQL injections (CVE-2012-0811) and XSS vulnerabilities (CVE-2012-0812). This is an important update and you are all advised to upgrade as soon as possible. Be warned that backups created with backup.php from 2.3.4 and earlier can contain SQL injections that will be executed when you restore the backup. In other words: double-check old backups before restoring them!

For reference, here’s the full changelog for 2.3.5:

  • fix SQL injection in pacrypt() (if $CONF['encrypt'] == 'mysql_encrypt')
  • fix SQL injection in backup.php – the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump.
  • fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
  • fix XSS in some create-domain input fields
  • fix XSS in create-alias and edit-alias error message
  • fix XSS (by values stored in the database) in fetchmail list view, list-domain and list-virtual
  • create-domain: fix SQL injection (only exploitable by superadmins)
  • add missing $LANG['pAdminDelete_admin_error']
  • don’t mark mailbox targets with recipient delimiter as “forward only”
  • wrap hex2bin with function_exists() – PHP 5.3.8 has it as native function
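The backup.php item above describes a second-order injection: a value that was stored harmlessly (for example a vacation message) becomes executable SQL when the unescaped dump is replayed. The following Python sketch is an added illustration, not PostfixAdmin's code: it uses an in-memory SQLite table and a constructed vacation row to contrast a dump that interpolates values verbatim with one that quotes them, and adds a pre-restore audit that splits an old dump into statements and lists anything other than CREATE TABLE / INSERT INTO.

```python
import sqlite3

# Constructed sample rows for a PostfixAdmin-style vacation table. The second
# body carries a quote-breaking payload (constructed here, not from the page).
SAMPLE_ROWS = [
    ("alice@example.org", "Out of office", "Back on Monday."),
    ("bob@example.org", "Gone", "bye'); DROP TABLE vacation; --"),
]


def build_db():
    """In-memory stand-in for the live database that backup.php reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vacation (email TEXT, subject TEXT, body TEXT)")
    conn.executemany("INSERT INTO vacation VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def sql_literal(value):
    """Render a value as an SQL string literal, doubling embedded quotes.
    This is the escaping step the pre-2.3.5 dump left out."""
    if value is None:
        return "NULL"
    return "'" + str(value).replace("'", "''") + "'"


def dump_naive(conn):
    """Mimics the unfixed dump: stored values interpolated verbatim."""
    lines = ["CREATE TABLE vacation (email TEXT, subject TEXT, body TEXT);"]
    for row in conn.execute("SELECT email, subject, body FROM vacation"):
        lines.append("INSERT INTO vacation VALUES ('%s', '%s', '%s');" % row)
    return "\n".join(lines)


def dump_safe(conn):
    """Same dump, but every value goes through sql_literal()."""
    lines = ["CREATE TABLE vacation (email TEXT, subject TEXT, body TEXT);"]
    for row in conn.execute("SELECT email, subject, body FROM vacation"):
        lines.append("INSERT INTO vacation VALUES (%s);"
                     % ", ".join(sql_literal(v) for v in row))
    return "\n".join(lines)


def restored_bodies(dump_sql):
    """Restore a dump into a scratch database and read the bodies back.
    Returns None if the vacation table is missing afterwards."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(dump_sql)
    try:
        return [r[0] for r in conn.execute(
            "SELECT body FROM vacation ORDER BY email")]
    except sqlite3.OperationalError:
        return None


def split_statements(dump_sql):
    """Split dump text on statement boundaries. sqlite3.complete_statement
    understands quoting, so a ';' inside a string literal is not a boundary."""
    stmts, buf = [], ""
    for ch in dump_sql:
        buf += ch
        if sqlite3.complete_statement(buf):
            stmts.append(buf.strip())
            buf = ""
    if buf.strip():
        stmts.append(buf.strip())  # dangling tail, e.g. a stray comment
    return stmts


ALLOWED_PREFIXES = ("CREATE TABLE ", "INSERT INTO ")


def audit_dump(dump_sql):
    """Pre-restore check: return every statement that is not a plain
    CREATE TABLE or INSERT INTO. Anything listed deserves a manual look."""
    return [s for s in split_statements(dump_sql)
            if not s.upper().startswith(ALLOWED_PREFIXES)]


if __name__ == "__main__":
    db = build_db()
    print("naive dump audit:", audit_dump(dump_naive(db)))
    print("safe dump audit: ", audit_dump(dump_safe(db)))
    print("safe restore:    ", restored_bodies(dump_safe(db)))
```

Run against the naive dump, the audit lists the stray DROP TABLE and the dangling comment, and the scratch restore loses the table; the quoted dump restores the payload as plain text. The quote-doubling rule is the SQLite flavour; MySQL also treats a backslash as an escape character unless NO_BACKSLASH_ESCAPES is set, so a real MySQL dump should use the driver's own quoting (the mysql_escape the changelog refers to), and the audit remains useful only as a first pass before restoring a backup made by an older version.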

Dovecot updated to 2.0.17

A new version of Dovecot has been released. I’ve installed it on my test servers and production server without a problem. I would advise you to upgrade this time, as the SSL stuff is recommended to be used. The noticeable changes are:

  • Proxying now supports sending SSL client certificate to server with ssl_client_cert/key settings.
  • doveadm dump: Added support for dumping dbox headers/metadata.
  • Fixed memory leaks in login processes with SSL connections
  • vpopmail support was broken in v2.0.16

PHP released 5.3.9

The PHP development team released 5.3.9, which improves stability and contains some security fixes. I’ve successfully tested it on my servers without a noticeable problem.

Security Enhancements and Fixes in PHP 5.3.9:

  • Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
  • Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)

Key enhancements in PHP 5.3.9 include:

  • Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
  • Fixed bug #55609 (mysqlnd cannot be built shared)
  • Many changes to the FPM SAPI module

For the full list of bugs fixed in this release, see the ChangeLog.

For instructions on how to upgrade PHP please read: Upgrading PHP.

Mac mini turned 7

This week the Mac mini turned 7 years old. Steve introduced it at Macworld in San Francisco.

The quote he started with was “Why doesn’t Apple offer a stripped down Mac that is more affordable” and he said “I wish I had a nickel for every time somebody asked me that.”

The mini has evolved greatly since that day. I think it was intended as a cheap desktop replacement to help switchers, but it has since evolved into a capable server for small and medium-sized companies. Many companies even use it as their internet presence (I know, as I helped a few of them set it up). Read this blog post at the Macminicolo blog for the increase in performance over these 7 years.

The mini is used for many things: as an embedded computer, media player, in-car entertainment system and much more. Just try some Google queries. This one is awesome, though not for home use: a 48U rack enclosure that holds 140 minis.

The predecessor of this site, switch.richard5.net, was started a little later, as my first Mac mini was bought a few months after the introduction, together with a 23″ Cinema Display. I started using it as my main machine at home after long exposure to Linux and Windows; it was my first Mac after admiring them from a distance.

I’ve since bought five minis and still have 3: a G4 for testing PowerPC Leopard installs, an Intel one for testing Snow Leopard and Lion, and the last one is located at Macminicolo.net, serving among others this site. My current main desktop is a 27″ iMac and for sentimental reasons I recently even bought a PowerMac G5. I loved the case and this one was without a scratch; additionally, this was the first model that was sold with water-cooled CPUs.