Kolab Security Issue 11 20061002
================================
Package: openssl
Vulnerability: denial of service
Kolab Specific: no
Dependent Packages: apache curl imap imapd openldap perl perl-crypto php postfix proftpd
Summary
-------
According to a vendor security advisory, four security issues were discovered in the cryptography toolkit OpenSSL: two denial of service attacks when parsing ASN.1 structures, a buffer overflow when processing a list of ciphers and an SSL client crash.
Affected Versions
-----------------
OpenPKG packages of openssl-0.9.8a-2.5.2 or earlier are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch as well as Kolab Server 2.1 beta 2 and previous releases of the 2.1 branch are affected.
You can check the installed version with:
/kolab/bin/openpkg rpm -q openssl
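As an added helper (not part of this advisory or of OpenPKG's tooling), the following script takes the output of /kolab/bin/openpkg rpm -q openssl and decides whether the installed package is at or below the affected threshold openssl-0.9.8a-2.5.2, using a simplified form of rpm's segment-wise version comparison; the fallback package string in main is a constructed sample for hosts without Kolab.

```python
import re
import subprocess

# Threshold from the advisory: this package and everything older is affected.
AFFECTED_UPTO = "openssl-0.9.8a-2.5.2"
QUERY_CMD = ["/kolab/bin/openpkg", "rpm", "-q", "openssl"]


def split_nvr(nvr):
    """Split an RPM name-version-release string such as
    'openssl-0.9.8a-2.5.2' into ('openssl', '0.9.8a', '2.5.2')."""
    name, version, release = nvr.strip().rsplit("-", 2)
    return name, version, release


def segments(s):
    """Tokenise a version string into alternating numeric and alphabetic
    runs (separators are dropped), as rpm's version comparison does.
    Numeric runs become (n, ''), alphabetic runs (-1, text), so plain
    tuple ordering compares numbers numerically, letters lexically, and
    ranks a numeric segment newer than an alphabetic one."""
    return [(int(t), "") if t.isdigit() else (-1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = segments(a), segments(b)
    return (sa > sb) - (sa < sb)


def is_affected(rpm_q_output, threshold=AFFECTED_UPTO):
    """True if the queried package is the threshold version or older.
    The version is compared first; the release only breaks ties."""
    name, ver, rel = split_nvr(rpm_q_output)
    tname, tver, trel = split_nvr(threshold)
    if name != tname:
        raise ValueError("expected package %s, got %s" % (tname, name))
    return (rpm_vercmp(ver, tver) or rpm_vercmp(rel, trel)) <= 0


if __name__ == "__main__":
    try:
        installed = subprocess.run(QUERY_CMD, capture_output=True,
                                   text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        installed = "openssl-0.9.8a-2.5.2"  # constructed sample, no Kolab here
    state = "AFFECTED" if is_affected(installed) else "not affected"
    print("%s: %s" % (installed.strip(), state))
```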
Fixes
-----
Note: The fix described here is for Kolab server 2.0.4 and 2.1 beta 2. If you still run an older version, please upgrade to 2.0.1 or 2.1 beta 2 depending on the branch you are using.
Updated OpenPKG packages for openssl are available from the usual kolab mirrors under the directory security-updates/20061002/ . While the mirrors are catching up, you can also get the files via rsync:
# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20061002/ .
Under that directory you'll find the following directory tree:
./2.0/sources/
./2.0/ix86-debian3.1/
./2.0/ix86-debian3.0/
./2.1/sources/
./2.1/ix86-debian3.1/
There is one branch for the Kolab server 2.0 updates and one for the 2.1 updates. In each branch is a sources directory and one or more binary directories.
If you installed the Kolab server from sources, download the sources directory for your kolab server branch. If you installed from binaries, download the appropriate binaries directory for your kolab server branch.
All directories contain the new OpenSSL package plus obmtool and obmtool.conf files like a kolab release. In addition, the binaries directories contain updated binaries of the dependent packages.
In any case, download all files in the appropriate directory, chdir into the downloaded directory and run
/kolab/bin/openpkg rc all stop
./obmtool kolab
This will install the new openssl package and rebuild/reinstall the dependent packages. Afterwards start the server again, making sure to regenerate the config files as you would for a normal Kolab server update.
For the Kolab server 2.1 branch, the upgrade of the postfix RPM requires an additional manual step. After the upgrade, the permissions of some files in /kolab/etc/postfix are wrong and some .db files are missing. An easy way to fix this after running kolabconf is to run the following commands (as root):
cd /kolab/etc/postfix
chown root:kolab transport virtual
make
Details
-------
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
OpenPKG Security Advisory OpenPKG-SA-2006.021
http://www.openssl.org/news/secadv_20060928.txt
OpenSSL Security Advisory on the vendor's site
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
Common Vulnerabilities and Exposures (CVE): CAN-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
Common Vulnerabilities and Exposures (CVE): CAN-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
Common Vulnerabilities and Exposures (CVE): CAN-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
Common Vulnerabilities and Exposures (CVE): CAN-2006-4343
Timeline
--------
20060928 OpenSSL vendor released patch and new versions containing the fix
20060928 OpenPKG created new package containing the fix
20061002 Kolab update and security advisory published
_______________________________________________
Kolab-announce mailing list
Kolab-announce@kolab.org
https://kolab.org/mailman/listinfo/kolab-announce