-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 11                                         20061002
================================

Package:             openssl
Vulnerability:       denial of service, buffer overflow
Kolab Specific:      no
Dependent Packages:  apache curl imap imapd openldap perl perl-crypto php
                     postfix proftpd

Summary
- -------

According to the vendor security advisory, four security issues were
discovered in the cryptography toolkit OpenSSL: two denial of service
attacks when parsing ASN.1 structures, a buffer overflow when processing
a list of ciphers (SSL_get_shared_ciphers) and a crash in the SSLv2
client code. The dependent packages listed above are built against
OpenSSL and therefore have to be rebuilt and restarted together with it.

Affected Versions
- -----------------

OpenPKG packages openssl-0.9.8a-2.5.2 and earlier are affected.

Kolab Server 2.0.4 and previous releases of the 2.0 branch, as well as
Kolab Server 2.1 beta 2 and previous releases of the 2.1 branch, are
affected.

You can check the installed version with:

  /kolab/bin/openpkg rpm -q openssl

Fixes
- -----

Note: The fix described here is for Kolab Server 2.0.4 and 2.1 beta 2.
If you still run an older version, please upgrade to 2.0.4 or 2.1 beta 2
first, depending on the branch you are using.

Updated OpenPKG packages for openssl are available from the usual Kolab
mirrors under the directory security-updates/20061002/ . While the
mirrors are catching up, you can also get the files via rsync:

  # rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20061002/ .

Under that directory you will find the following directory tree:

  ./2.0/sources/
  ./2.0/ix86-debian3.1/
  ./2.0/ix86-debian3.0/
  ./2.1/sources/
  ./2.1/ix86-debian3.1/

There is one branch for the Kolab Server 2.0 updates and one for the 2.1
updates. In each branch is a sources directory and one or more binary
directories. If you installed the Kolab Server from sources, download
the sources directory for your Kolab Server branch. If you installed
from binaries, download the appropriate binaries directory for your
Kolab Server branch. All directories contain the new OpenSSL package
plus obmtool and obmtool.conf files, like a Kolab release.
In addition, the binaries directories contain updated binaries of the
dependent packages.

In any case, download all files in the appropriate directory, chdir into
the downloaded directory and run (as root):

  /kolab/bin/openpkg rc all stop
  ./obmtool kolab

This will install the new openssl package and rebuild/reinstall the
dependent packages. Stopping all services first ensures that no running
daemon keeps the old OpenSSL libraries mapped after the rebuild.
Afterwards start the server again, making sure to regenerate the config
files as you would for a normal Kolab Server update.

For the Kolab Server 2.1 branch, the upgrade of the postfix RPM requires
an additional manual step. After the upgrade, the permissions of some
files in /kolab/etc/postfix are wrong and some .db files are missing. An
easy way to fix this after running kolabconf is to run the following
commands (as root); the final make rebuilds the missing .db lookup
tables from the Makefile in that directory:

  cd /kolab/etc/postfix
  chown root:kolab transport virtual
  make

Details
- -------

http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
  OpenPKG Security Advisory OpenPKG-SA-2006.021
http://www.openssl.org/news/secadv_20060928.txt
  OpenSSL Security Advisory on the vendor's site
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
  Common Vulnerabilities and Exposures (CVE): CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
  Common Vulnerabilities and Exposures (CVE): CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
  Common Vulnerabilities and Exposures (CVE): CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
  Common Vulnerabilities and Exposures (CVE): CVE-2006-4343

Timeline
- --------

20060928  OpenSSL vendor released patch and new versions containing the fix
20060928  OpenPKG created new package containing the fix
20061002  Kolab update and security advisory published

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFIkALh9ag3dpKERYRAuPBAJ9F9WoPFDVUjecfQTQpLk0cULzowQCfT6K1
MXFi0VGEpWLldAlndKb2vcw=
=bX/R
-----END PGP SIGNATURE-----
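The version check given under "Affected Versions" only prints the installed package name; deciding whether that package is at or below openssl-0.9.8a-2.5.2 still has to be done by hand. The following POSIX shell script is an added example, not part of the Kolab advisory or of the Kolab or OpenPKG projects. It parses the "name-version-release" string that `openpkg rpm -q openssl` prints, compares version and release separately with a simplified rpm-style segment comparison, and reports whether the host is affected. The package strings in the comments are constructed samples; the real `/kolab/bin/openpkg` command is only run if that binary exists.

```shell
#!/bin/sh
# Added example, not part of the Kolab advisory: decide whether the output of
# "/kolab/bin/openpkg rpm -q openssl" names a package at or below the last
# affected OpenPKG package, openssl-0.9.8a-2.5.2.

LAST_AFFECTED="0.9.8a-2.5.2"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Simplified rpmvercmp:
# split each string into runs of digits and runs of letters, compare
# segment by segment (numerically for digit runs, lexically for letter
# runs, a digit run outranks a letter run as in rpm); on a tie the
# string with more segments is the newer one (0.9.8a > 0.9.8).
vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, out,    n) {
        n = 0
        while (length(s) > 0) {
            if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
                out[++n] = substr(s, 1, RLENGTH)
                s = substr(s, RLENGTH + 1)
            } else {
                s = substr(s, 2)        # skip "." "-" and other separators
            }
        }
        return n
    }
    BEGIN {
        split("", A); split("", B)
        na = segs(a, A); nb = segs(b, B)
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = A[i]; y = B[i]
            xnum = (x ~ /^[0-9]+$/); ynum = (y ~ /^[0-9]+$/)
            if (xnum && ynum) {
                if (x + 0 < y + 0) { print "-1"; exit }
                if (x + 0 > y + 0) { print "1"; exit }
            } else if (xnum) {
                print "1"; exit
            } else if (ynum) {
                print "-1"; exit
            } else if (x < y) {
                print "-1"; exit
            } else if (x > y) {
                print "1"; exit
            }
        }
        if (na < nb) print "-1"; else if (na > nb) print "1"; else print "0"
    }'
}

# is_affected PKG: PKG is the "name-version-release" string printed by
# "openpkg rpm -q openssl", e.g. openssl-0.9.8a-2.5.2 (constructed sample).
# Returns 0 (true) if PKG is at or below LAST_AFFECTED, 1 otherwise.
is_affected() {
    vr="${1#openssl-}"                        # "0.9.8a-2.5.2"
    ver="${vr%-*}"; rel="${vr##*-}"           # "0.9.8a", "2.5.2"
    aver="${LAST_AFFECTED%-*}"; arel="${LAST_AFFECTED##*-}"
    c=$(vercmp "$ver" "$aver")                # compare the version first ...
    [ "$c" -lt 0 ] && return 0
    [ "$c" -gt 0 ] && return 1
    [ "$(vercmp "$rel" "$arel")" -le 0 ]      # ... then the release on a tie
}

# Run the real check only on a Kolab host; elsewhere the functions above
# can be exercised with constructed package strings such as
# "openssl-0.9.8a-2.5.1" (affected) or "openssl-0.9.8a-2.5.3" (fixed).
if [ -x /kolab/bin/openpkg ]; then
    pkg=$(/kolab/bin/openpkg rpm -q openssl)
    if is_affected "$pkg"; then
        echo "$pkg: affected, apply the security-updates/20061002 packages"
    else
        echo "$pkg: not affected"
    fi
fi
```

The comparison deliberately does not treat the fixed package as a single known version string: any release newer than 2.5.2 of 0.9.8a, and any newer upstream version such as a 0.9.8d package, is reported as not affected, so the check keeps working after later updates.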