Thread: Important: Security Alert

Important: Security Alert
Canada
2007-07-06 02:44:55
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Those of you who are subscribed to network security lists may have
received word today about a security vulnerability in Maia Mailguard,
discovered by the folks at Netragard.  See
<http://archives.neohapsis.com/archives/bugtraq/2007-07/0041.html> for
details of their advisory, and our Ticket #479
<http://www.maiamailguard.org/maia/ticket/479>.

The exploit they discovered has been confirmed on a number of Maia
installations, but many others appear to be immune and it's not entirely
clear yet what differences are responsible.  Based on an admittedly
small sample set of test cases, the vulnerable systems seem to be
running FreeBSD, while the Linux systems we've tested seem to be
unaffected.  Neither David nor I could duplicate the exploit on our
servers, but Netragard was able to point us to a number of other Maia
installations where the exploit was evidently successful.  More testing
is required to get to the bottom of this, but since the folks at
Netragard have gone ahead and released their advisory (and exploit
details), it's vital that all Maia installations install the small patch
in Changeset 1184 as soon as possible, before nefarious parties make use
of the exploit:

<http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184>

Applying this patch is the right thing to do even if your system seems
immune to this exploit; it tightens the security of Maia's web GUI in
ways that should prevent other similar exploits.

- --
Robert LeBlanc <rjlrenaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGjfL3GmqOER2NHewRAmejAKCOhw143Bh6+/m97h5oEQDkRpnSoQCc
DypC
j9A4qDO9ib9QKU0UxTyeKFY=
=rrMJ
-----END PGP SIGNATURE-----
_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users

Re: Important: Security Alert
Norway
2007-07-06 03:41:51
Robert LeBlanc wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Those of you who are subscribed to network security lists may have
> received word today about a security vulnerability in Maia Mailguard,
> discovered by the folks at Netragard.  See
> <http://archives.neohapsis.com/archives/bugtraq/2007-07/0041.html> for
> details of their advisory, and our Ticket #479
> <http://www.maiamailguard.org/maia/ticket/479>.
>
> The exploit they discovered has been confirmed on a number of Maia
> installations, but many others appear to be immune and it's not entirely
> clear yet what differences are responsible.  Based on an admittedly
> small sample set of test cases, the vulnerable systems seem to be
> running FreeBSD, while the Linux systems we've tested seem to be
> unaffected.  Neither David nor I could duplicate the exploit on our
> servers, but Netragard was able to point us to a number of other Maia
> installations where the exploit was evidently successful.  More testing
> is required to get to the bottom of this, but since the folks at
> Netragard have gone ahead and released their advisory (and exploit
> details), it's vital that all Maia installations install the small patch
> in Changeset 1184 as soon as possible, before nefarious parties make use
> of the exploit:
>
> <http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184>
>
> Applying this patch is the right thing to do even if your system seems
> immune to this exploit; it tightens the security of Maia's web GUI in
> ways that should prevent other similar exploits

This is kinda off-topic so forgive me if it's inappropriate.
We have an old installation running, I'm not exactly sure which version
but index.php says this:
"* $Id: index.php,v 1.1.1.2 2004/05/14 11:13:52 rjl Exp $"

Now my question is: This installation is running a custom template, if I
upgrade to the latest release, will that template still work or do I
have to redo it? (That's not really an option, I don't have time for it..)

On-topic: thanks for the quick fix!

-- 
Erik

Re: Important: Security Alert
Canada
2007-07-06 05:10:46
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Erik Weber wrote:

> We have an old installation running, I'm not exactly sure which version
> but index.php says this:
> "* $Id: index.php,v 1.1.1.2 2004/05/14 11:13:52 rjl Exp $"
>
> Now my question is: This installation is running a custom template, if I
> upgrade to the latest release, will that template still work or do I
> have to redo it? (That's not really an option, I don't have time for it..)

If by "template" you mean "theme", the theme system hasn't changed much
since it was first introduced--which is to say that it still uses Smarty
templates.  A few new interface items have been added over the years
however, and your old custom templates won't be aware of these new
items.  In other words, your old templates will probably work, but they
may be missing access to some of the newer functionality, particularly
since the version you're using looks to be 3 years old

Adapting your custom templates to newer versions of Maia shouldn't be
that difficult, however.  If you download the current release and take a
look at the default themes you'll likely find that there aren't many new
interface items to add to your templates.  You shouldn't have to "redo"
your custom templates, you'd just have to add a couple of extra
interface items to them here or there.

- --
Robert LeBlanc <rjlrenaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGjhUmGmqOER2NHewRAvGcAJkB+r/shOc0fX/x02kFjSrCKNsIVQCe
OzKv
vC4ke6fHvhtiFvctY3jWqcU=
=iniu
-----END PGP SIGNATURE-----

Re: Important: Security Alert
2007-07-06 05:20:36
On Fri, Jul 06, 2007 at 12:44:55AM -0700, Robert LeBlanc wrote:
> <http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184>

Doesn't apply cleanly here, on a 1.0.2 with no modifications...

aslcitron ~ $ wget http://www.maiamailguard.org/files/maia-1.0.2.tar.gz
aslcitron ~ $ wget 'http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184' -O patch-secu
aslcitron ~ $ tar xfz maia-1.0.2.tar.gz
aslcitron ~ $ cd maia-1.0.2
aslcitron ~/maia-1.0.2 $ patch -p3 <../patch-secu
patching file php/xlogin.php
Hunk #1 FAILED at 86.
1 out of 1 hunk FAILED -- saving rejects to file php/xlogin.php.rej
patching file php/login.php
Hunk #1 succeeded at 81 with fuzz 2.
Hunk #2 FAILED at 90.
Hunk #3 FAILED at 115.
2 out of 3 hunks FAILED -- saving rejects to file php/login.php.rej
patching file php/internal-init.php
Hunk #1 FAILED at 87.
Hunk #2 FAILED at 98.
2 out of 2 hunks FAILED -- saving rejects to file php/internal-init.php.rej


	Arnaud.
-- 
Personal: http://launay.org/blog/
Hosting: http://www.nocworld.com/



Re: Important: Security Alert
2007-07-06 05:58:35
Robert LeBlanc wrote:
> Those of you who are subscribed to network security lists may have
> received word today about a security vulnerability in Maia Mailguard,
> discovered by the folks at Netragard.  See
> <http://archives.neohapsis.com/archives/bugtraq/2007-07/0041.html> for
> details of their advisory, and our Ticket #479
> <http://www.maiamailguard.org/maia/ticket/479>.
>
> The exploit they discovered has been confirmed on a number of Maia
> installations, but many others appear to be immune and it's not entirely
> clear yet what differences are responsible.  Based on an admittedly
> small sample set of test cases, the vulnerable systems seem to be
> running FreeBSD, while the Linux systems we've tested seem to be
> unaffected.  Neither David nor I could duplicate the exploit on our
> servers, but Netragard was able to point us to a number of other Maia
> installations where the exploit was evidently successful.  More testing
> is required to get to the bottom of this, but since the folks at
> Netragard have gone ahead and released their advisory (and exploit
> details), it's vital that all Maia installations install the small patch
> in Changeset 1184 as soon as possible, before nefarious parties make use
> of the exploit:
>
> <http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184>
>
> Applying this patch is the right thing to do even if your system seems
> immune to this exploit; it tightens the security of Maia's web GUI in
> ways that should prevent other similar exploits.

Wouldn't it be useful in this case to release 1.0.3 as a security fix
release?

-- 
  Levente                               "Si vis pacem para bellum!"

Re: Important: Security Alert
2007-07-06 07:51:12
On Fri, Jul 06, 2007 at 01:59:48PM +0200, Erik Weber wrote:
> >><http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184>
> >Doesn't apply cleanly here, on a 1.0.2 with no modifications..
> I just redid your steps and it worked like a charm
> erikw-linux:~/maia-1.0.2$ patch -p3 <../patch-secu
> (Stripping trailing CRs from patch.)
> patching file php/xlogin.php
> (Stripping trailing CRs from patch.)
> patching file php/login.php
> (Stripping trailing CRs from patch.)
> patching file php/internal-init.php

Just redid it on another machine, still the same thing...

aslnw1 ~/maia-1.0.2 $ patch --version
patch 2.5.9

Hmm..

Nope, same thing on an old redhat (the two others are gentoo)

adelscott:~/maia-1.0.2$ patch --version
patch 2.5

Aaaaaaaaaah !

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196297
It's corrected in Debian, still in unstable on gentoo.

dos2unix patch-secu
does the trick...

	Arnaud.
-- 
Personal: http://launay.org/blog/
Hosting: http://www.nocworld.com/


Re: Important: Security Alert
Switzerland
2007-07-06 08:17:06
On Friday 06 July 2007 at 00:44 -0700, Robert LeBlanc wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Those of you who are subscribed to network security lists may have
> received word today about a security vulnerability in Maia Mailguard,
> discovered by the folks at Netragard.  See
> <http://archives.neohapsis.com/archives/bugtraq/2007-07/0041.html> for
> details of their advisory, and our Ticket #479
> <http://www.maiamailguard.org/maia/ticket/479>.
>
> The exploit they discovered has been confirmed on a number of Maia
> installations, but many others appear to be immune and it's not entirely
> clear yet what differences are responsible.  Based on an admittedly
> small sample set of test cases, the vulnerable systems seem to be
> running FreeBSD, while the Linux systems we've tested seem to be
> unaffected.  Neither David nor I could duplicate the exploit on our
> servers, but Netragard was able to point us to a number of other Maia
> installations where the exploit was evidently successful.  More testing
> is required to get to the bottom of this, but since the folks at
> Netragard have gone ahead and released their advisory (and exploit
> details), it's vital that all Maia installations install the small patch
> in Changeset 1184 as soon as possible, before nefarious parties make use
> of the exploit:
>
> <http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184>
>
> Applying this patch is the right thing to do even if your system seems
> immune to this exploit; it tightens the security of Maia's web GUI in
> ways that should prevent other similar exploits.

Robert,

you should provide a patch that applies to specific versions, and not only
to the main trunk.

For the mass, it's not possible to manually patch files, since we
(runners of a release) cannot apply it.

I'm working now to make a patched 1.0.2 version.

-- 
        Alexandre

Re: Important: Security Alert
Switzerland
2007-07-06 08:21:32
On Friday 06 July 2007 at 15:17 +0200, Alexandre Ghisoli wrote:

> Robert,
>
> you should provide patch that applies to specific versions, and not only
> to the main trunk.
>
> For the mass, it's not possible to manually patch files, since we
> (runners of a release) cannot apply it.
>
> I'm working now to make a patched 1.0.2 version.
>

Ok, got it;

the changeset contains ^M at end of line! (CR LF)

-- 
        Alexandre

Re: Important: Security Alert
United States
2007-07-06 10:26:13
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jul 6, 2007, at 8:17 AM, Alexandre Ghisoli wrote:

>
> For the mass, it's not possible to manually patch files, since we
> (runners of a release) cannot apply it.


Interesting. I didn't think that code had changed any.

One other recommended option would be to run the 1.0 stable branch -
it's the development track towards 1.0.3 and is kept stable; all new
features are going into trunk.

We'll see if we can get some patches out too.


David Morton
Maia Mailguard http://www.maiamailguard.com
mortondadgrmm.net



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFGjl8YUy30ODPkzl0RAlzaAJwOMm01yUpjGW1KEeAfvSrJA2JKRgCg
r39I
vr72GklzZcZC3BZ9SKtGWH8=
=wufS
-----END PGP SIGNATURE-----

Re: Important: Security Alert
United States
2007-07-06 10:45:31
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jul 6, 2007, at 5:20 AM, Arnaud Launay wrote:

> On Fri, Jul 06, 2007 at 12:44:55AM -0700, Robert LeBlanc wrote:
>> <http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184>
>
> Doesn't apply cleanly here, on a 1.0.2 with no modifications...
>
> aslcitron ~ $ wget http://www.maiamailguard.org/files/maia-1.0.2.tar.gz
> aslcitron ~ $ wget 'http://www.maiamailguard.org/maia/changeset/1184?format=diff&new=1184' -O patch-secu
> aslcitron ~ $ tar xfz maia-1.0.2.tar.gz
> aslcitron ~ $ cd maia-1.0.2
> aslcitron ~/maia-1.0.2 $ patch -p3 <../patch-secu
> patching file php/xlogin.php
> Hunk #1 FAILED at 86.
> 1 out of 1 hunk FAILED -- saving rejects to file php/xlogin.php.rej
> patching file php/login.php
> Hunk #1 succeeded at 81 with fuzz 2.
> Hunk #2 FAILED at 90.
> Hunk #3 FAILED at 115.
> 2 out of 3 hunks FAILED -- saving rejects to file php/login.php.rej
> patching file php/internal-init.php
> Hunk #1 FAILED at 87.
> Hunk #2 FAILED at 98.
> 2 out of 2 hunks FAILED -- saving rejects to file php/internal-init.php.rej
>


works for me....

dhd:~/workspace/maia-1.0.2 dgm$ patch -p3 < changeset_r1184.diff
(Stripping trailing CRs from patch.)
patching file php/xlogin.php
(Stripping trailing CRs from patch.)
patching file php/login.php
(Stripping trailing CRs from patch.)
patching file php/internal-init.php


I think somehow either the web server is sending or the web browser
is converting to DOS style line endings... and some versions of patch
can handle it.


David Morton
Maia Mailguard http://www.maiamailguard.com
mortondadgrmm.net



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFGjmOeUy30ODPkzl0RApH8AKCbxNBx0qZHoTXUCZzC+Pd8pwK1BACf
cRs+
y9HbP3cjHvwMydkdlAnjqMI=
=rHBI
-----END PGP SIGNATURE-----
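
Added example, not part of the original thread or of the Maia project: the hunk failures discussed above came from a diff saved with CR LF line endings, which some versions of patch strip on their own and others reject. The sketch below counts CR-terminated lines in a downloaded diff, writes an LF-only copy, and applies a diff only after a dry run succeeds; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a downloaded diff for DOS line endings before applying.
# All function names and sample data are hypothetical, not from the thread.
CR=$(printf '\r')

# Print the number of lines in FILE that end in a carriage return.
count_cr_lines() {
    grep -c "${CR}\$" "$1" || true
}

# Write an LF-only copy of IN to OUT; the downloaded file is left untouched.
normalize_patch() {
    sed "s/${CR}\$//" "$1" > "$2"
}

# Dry-run PATCH (strip level STRIP) inside DIR and apply it only if every
# hunk would succeed, so a failed run never leaves a half-patched tree.
# Returns 2 if the diff still has CR line endings, 1 if the dry run fails.
apply_checked() {
    patch_file=$1 dir=$2 strip=$3
    if [ "$(count_cr_lines "$patch_file")" -gt 0 ]; then
        echo "refusing: $patch_file has CR line endings" >&2
        return 2
    fi
    patch -p"$strip" -d "$dir" --dry-run < "$patch_file" >/dev/null || return 1
    patch -p"$strip" -d "$dir" < "$patch_file" >/dev/null
}

# Constructed sample: a one-line file under DIR/tree and a CRLF-terminated
# unified diff against it, standing in for a diff saved from a web page.
make_sample() {
    mkdir -p "$1/tree/php"
    printf 'old line\n' > "$1/tree/php/sample.php"
    printf '%s\r\n' '--- a/php/sample.php' '+++ b/php/sample.php' \
        '@@ -1 +1 @@' '-old line' '+new line' > "$1/patch-crlf"
}
```

After a security patch, a leftover `*.rej` file in the tree means at least one hunk was not applied and the fix is incomplete.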