Kolab Security Issue 12 20061009
================================
Package: openssl
Vulnerability: denial of service, may allow execution of arbitrary code
Kolab Specific: no
Dependent Packages: apache curl imap imapd openldap perl perl-crypto php postfix proftpd
Summary
~~~~~~~
The openssl package for the Kolab Server 2.0 branch from the previous Kolab Security Issue, No. 11 from 20061002, introduced a new problem together with the fix for CVE-2006-2940. The new problem is the possible use of an uninitialized local variable which may lead to program crashes and may allow execution of arbitrary code.
Affected Versions
~~~~~~~~~~~~~~~~~
The updated RPMs from Kolab Security Issue 11 for the Kolab Server 2.0 are affected. More specifically, it affects the openssl-0.9.7l-20061002_kolab RPM and dependent packages.

The updated RPMs for the Kolab Server 2.1 branch are NOT affected. The openssl RPM from OpenPKG used for that branch already contains the fix for the new problem.
Fixes
~~~~~
Note: The fix described here is for Kolab Server 2.0.4. If you still run an older version, please upgrade to 2.0.4 first. You do not need to apply Kolab Security Issue 11 because this update completely replaces it.

An updated OpenPKG package for openssl is available from the usual kolab mirrors under the directory security-updates/20061009/ . While the mirrors are catching up, you can also get the files via rsync:

# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20061009/ .
Under that directory there is one directory with the new source RPMs (sources/) and one with updated RPMs for Debian sarge (ix86-debian3.1).

If you installed the Kolab Server from sources, download the sources directory for your Kolab Server branch. If you installed from binaries, download the appropriate binaries directory for your Kolab Server branch.

Both directories contain the new OpenSSL package plus obmtool and obmtool.conf files like a Kolab release. In addition, the binary directory contains updated binaries of the dependent packages.

In any case, download all files in the appropriate directory, chdir into the downloaded directory and run

/kolab/bin/openpkg rc all stop
./obmtool kolab

This will install the new openssl package and rebuild/reinstall the dependent packages. Afterwards start the server again, making sure to regenerate the config files as you would for a normal Kolab Server update.
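The following script is an added example, not part of this advisory or of the Kolab project's tooling. It wraps the check and update steps above: openssl_status classifies an installed OpenPKG openssl version-release string as the affected Issue 11 build, an older 2.0 build (which also needs this update, since Issue 12 replaces Issue 11), or unaffected; apply_update fetches the chosen directory over rsync and runs the commands listed above. The rpm binary path /kolab/bin/rpm, the "--check"/"--apply" command-line switches and the assumption that a fixed build carries a release date later than 20061002 are this example's own assumptions, not statements from the advisory.

```shell
#!/bin/sh
# Added example (not from the Kolab advisory): check whether the installed
# OpenPKG openssl RPM is the build affected by Kolab Security Issue 12 and,
# if asked, apply the update steps the advisory lists.
# Assumptions not stated in the advisory: /kolab/bin/rpm is the OpenPKG rpm
# binary on the Kolab host, and the fixed build carries a release date
# later than 20061002.

AFFECTED_VR="0.9.7l-20061002_kolab"              # affected build (advisory)
UPDATE_DIR="security-updates/20061009"           # update directory (advisory)
MIRROR="rsync://rsync.kolab.org/kolab/server/${UPDATE_DIR}/"

# openssl_status VERSION-RELEASE
# Prints "affected" for the Issue 11 build, "older" for earlier 0.9.7
# Kolab builds (also need this update), "ok" for anything else.
openssl_status() {
    vr="$1"
    case "$vr" in
        "$AFFECTED_VR") echo affected ;;
        0.9.7?-*)
            # release part after the '-', reduced to its date digits
            rel="${vr#*-}"
            rel=$(printf '%s' "$rel" | tr -cd 0-9)
            if [ -n "$rel" ] && [ "$rel" -lt 20061002 ]; then
                echo older
            else
                echo ok
            fi ;;
        *) echo ok ;;
    esac
}

# apply_update FLAVOUR   (FLAVOUR is "sources" or "ix86-debian3.1")
# Downloads the directory for that flavour, stops the server and runs
# obmtool, exactly as the advisory describes. Restarting the server and
# regenerating the config files is left to the operator.
apply_update() {
    flavour="$1"
    dest="./${UPDATE_DIR##*/}-${flavour}"
    rsync -tzvr "${MIRROR}${flavour}/" "${dest}/" || return 1
    cd "$dest" || return 1
    /kolab/bin/openpkg rc all stop || return 1
    ./obmtool kolab
}

# Command-line entry points (assumed switches; nothing runs without one).
case "${1:-}" in
    --check)
        installed=$(/kolab/bin/rpm -q --qf '%{VERSION}-%{RELEASE}' openssl)
        echo "openssl ${installed}: $(openssl_status "$installed")" ;;
    --apply)
        [ -n "${2:-}" ] || { echo "usage: $0 --apply sources|ix86-debian3.1" >&2; exit 2; }
        apply_update "$2" ;;
esac
```

Run `sh kolab-issue12.sh --check` on the Kolab host first; only a result of "affected" or "older" calls for `--apply`. The status function is kept free of side effects so it can be exercised with constructed version strings before touching a production server.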
Details
~~~~~~~
http://kolab.org/security/kolab-vendor-notice-11.txt
Kolab Security Notice 11 with the updates

http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
OpenPKG Security Advisory OpenPKG-SA-2006.021

http://www.openssl.org/news/secadv_20060928.txt
OpenSSL Security Advisory on the vendor's site

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
Common Vulnerabilities and Exposures (CVE): CAN-2006-2940
Timeline
~~~~~~~~
20060928 OpenSSL vendor released patch and new versions containing the fix
20060928 OpenPKG created new package containing the fix
20061002 Kolab update and security advisory 11 published
20061009 Kolab update and security advisory 12 published
_______________________________________________
Kolab-announce mailing list
Kolab-announce kolab.org
https://kolab.org/mailman/listinfo/kolab-announce