From bh at intevation.de Fri Jan 6 18:58:09 2006
From: bh at intevation.de (Bernhard Herzog)
Date: Fri, 6 Jan 2006 18:58:09 +0100
Subject: [Kolab-announce] Kolab Server 2.0.2 released
Message-ID: <200601061858.10797.bh@intevation.de>

Kolab Server 2.0.2 has been released. This release consists mainly of bug fixes. Among others it includes all the security updates published since the 2.0.1 release. See the attached release notes for details.

The new release should appear on the mirrors shortly.

Bernhard Herzog
-------------- next part --------------
Release notes Kolab2 Server
(Version 20060106, Kolab Server 2.0.2)

For upgrading and installation instructions, please refer to the 1st.README file in the source directory.

Changes since 2.0.1:

- Security fixes from OpenPKG:
  http://www.openpkg.org/security/OpenPKG-SA-2005.025-perl.html
  http://www.openpkg.org/security/OpenPKG-SA-2005.027-php.html
  http://www.openpkg.org/security/OpenPKG-SA-2005.029-apache.html

- This release includes the kolab security updates released since version 2.0.1:
  http://kolab.org/security/kolab-vendor-notice-03.txt
  http://kolab.org/security/kolab-vendor-notice-04.txt
  http://kolab.org/security/kolab-vendor-notice-05.txt
  http://kolab.org/security/kolab-vendor-notice-06.txt
  http://kolab.org/security/kolab-vendor-notice-07.txt

- support for the new registration required by OpenPKG for updates.

- kolabd 1.9.4-20050913 -> 1.9.4-20051219
  * changed postfix relayhost LDAP attributes
  * Fixing:
    Issue779 (correct headers for encoding in quota warning mails)
    Issue826 (too many decimal digits in quota values in warning mails)
    Issue832 (basedn with spaces problematic in master.cf)
    Issue921 (kolabquotawarn may send warnings for users with 0% quota)
    Issue919 (non-escaped shell metachars in passwd)

- kolab-resource-handlers 0.3.9-20050912 -> 0.3.9-20051222
  * Fixing:
    Issue952 (mailto: required in ical rewritten by kolabfilter)
    Issue958 (From: rewritten twice when mail is relayed between servers)
    Issue1042 (server modifies email attachment content)

- kolab-webadmin 0.4.0-20050831 -> 0.4.0-20051219
  Updated translations: Italian, German
  * Fixing:
    Issue820 (error when re-adding distribution list)
    Issue942 (postfix relayhost parameter syntax changed)
    Issue886 (i18n problem)
    Issue960 (extra newlines in vacation text)

- perl-kolab 5.8.7-2.0_20050912 -> 5.8.7-2.0_20051219
  * Add the password and ID fields again to the generated imapd.groups.
  * Fixing:
    Issue832 (basedn with spaces problematic in master.cf)
    Issue801 (lowercase value of mail attr)
    Issue882 (mailbox creation for external users)
    Issue961 (kolabd confused by unauthorized connection, possible fix)

- imapd 2.2.12-2.4.0_kolab2 -> imapd-2.2.12-2.4.0_kolab3
  * Fixing:
    Issue928 (imapd logging for mail deletion/creation)

$Id: release-notes.txt,v 1.15.2.12 2006/01/06 17:25:28 bh Exp $
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://kolab.org/pipermail/kolab-announce/attachments/20060106/f95339c3/attachment.bin

From bernhard.herzog at intevation.de Wed Jan 11 17:46:35 2006
From: bernhard.herzog at intevation.de (Bernhard Herzog)
Date: Wed, 11 Jan 2006 17:46:35 +0100
Subject: [Kolab-announce] Kolab Server 2.0.3 released
Message-ID: <200601111746.37444.bernhard.herzog@intevation.de>

Kolab Server 2.0.3 has been released. This new release so soon after the 2.0.2 release is due to three important bug fixes:

 1. In 2.0.2 it was impossible to delete users with the web admin interface

 2. The default configuration of postfix led to passwords being written to the log files in some cases

 3. A new clamav package with some security fixes.

Because of the security fixes, upgrading is recommended.

As usual, the release notes with some more details of the changes are attached. The new version has been uploaded, but it may not have reached all the mirrors yet.

Bernhard Herzog
-------------- next part --------------
Release notes Kolab2 Server
(Version 20060111, Kolab Server 2.0.3)

For upgrading and installation instructions, please refer to the 1st.README file in the source directory.

This release fixes an important bug introduced in 2.0.2 (users couldn't be deleted) and fixes two security problems (one in clamav and one in the default configuration of Kolab's postfix). Upgrading is recommended.

Changes since 2.0.2:

- Security Fixes:
  clamav-0.88-20060110

- kolabd 1.9.4-20051219 -> 1.9.4-20060111
  * Fixing:
    Issue968 (Postfix logs password for ssl port 465)

- kolab-resource-handlers 0.3.9-20050912 -> 0.3.9-20060111
  * Fixing:
    Issue973 (Rewritten from shown inconveniently in kontact)

- kolab-webadmin 0.4.0-20051219 -> 0.4.0-20060111
  * Fixing:
    Issue848 (Deleting user should remove them from distribution lists)

$Id: release-notes.txt,v 1.15.2.14 2006/01/11 16:16:06 bh Exp $

From bernhard.herzog at intevation.de Fri Jan 13 20:41:48 2006
From: bernhard.herzog at intevation.de (Bernhard Herzog)
Date: Fri, 13 Jan 2006 20:41:48 +0100
Subject: [Kolab-announce] Security Advisory 08 for Kolab Server
Message-ID: <200601132041.53527.bernhard.herzog@intevation.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 08 20060113
================================

Package:        Kolab Server
Vulnerability:  Verbose logging for connections to port 465 (ssmtp) includes the credentials of the connecting users. Passwords might leak through this.
Kolab Specific: yes
Impact:         high

Details
- -------

With the default configuration of the Kolab server, when a client connects to port 465 for secure SMTP and tries to authenticate itself the credentials will be logged in /kolab/var/postfix/log/postfix.log. Other unix users on the server system may be able to read that file and learn passwords from it.

Note that usually postfix.log is world readable with permissions 0644. You can change this with chmod and in /kolab/etc/fsl/fsl.postfix.

Affected Versions
- -----------------

Vulnerable: Stable Kolab Servers 2.0.1 2.0.2
Untested:   Kolab Server 2.0
Vulnerable: Development Kolab Servers <= pre-2.1-20051215

Fixes
- -----

Upgrade to Kolab Server 2.0.3

Alternatively: Remove the "-v" option from the line starting with "465" in the master.cf.template and then run kolabconf to refresh postfix.

Timeline
- --------

2005-11-02 Issue968 was filed, assumed logging only on failure.
2005-12-19 Discovered that logging happened always.
2006-01-04 Security implications of world readable logfile noticed.
2006-01-11 Analysis, fix and new server release with fix.
2006-01-13 Advisory published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFDyADQ0vCiU5+ISsgRAgfsAJ0bqau6XerXsXk5VIO4L0rOT+DK1ACcDY4l
919ok7QQhuz/ntulPfNugKA=
=vTb2
-----END PGP SIGNATURE-----

From bh at intevation.de Fri Feb 3 18:22:45 2006
From: bh at intevation.de (Bernhard Herzog)
Date: Fri, 3 Feb 2006 18:22:45 +0100
Subject: [Kolab-announce] Kolab Server 2.1 Beta 1 released
Message-ID: <200602031822.50549.bh@intevation.de>

Hi all,

I've just uploaded a new release of the Kolab Server 2.1 branch. This is the first beta release, so it's now linked in the server/beta/kolab-server-2.1-beta-1 directory. The mirrors should have the files shortly.

As usual, the release-notes are attached.

Bernhard
-------------- next part --------------
Release notes Kolab2 Server
(Version, Kolab Server pre 2.1)

This is a development snapshot of the kolab server leading up to a 2.1 release.

For upgrading and installation instructions, please refer to the 1st.README file in the source directory.

At this point an upgrade from 2.0 is not recommended.
Instructions for the upgrade from 2.0 are in 1st.README, but they're not very well tested yet.

Differences between Kolab 2.0.x and 2.1:

- Simple multi-domain support

  The Kolab server can now accept mail for multiple email domains. There is also a new class of maintainers which are only allowed to manage settings for a subset of the mail domains of the kolab server.

Known problems:

- After bootstrapping please stop kolab and start it again, see Issue1068 (Mailboxes are not created until kolabd restart) and Issue1098 (Changes in the service tab are not accepted after bootstrap) for details.

- Distribution lists without domain (like those created for administrative addresses in the services tab) break when edited via the web interface, see Issue1100 for details. A workaround is to manually create those lists for every domain configured in the server.

- If modifying or deleting of address book entries doesn't work, restarting openldap can help, see Issue854 for details. Deleting address book entries doesn't automatically remove them from distribution lists like it is done for users, see Issue848 for details.

Changes since 2.1-20051215:

OpenPKG updates:

- clamav-0.88-20060110
  Fixes UPX compressed file heap buffer overflow (CVE-2006-0162)
  Details:
  http://www.clamav.net/doc/0.88/ChangeLog
  http://www.securityfocus.com/bid/16191

- openpkg-registry-0.2.5-20051129
  New package

Kolab updates:

All kolab specific packages contain more distconf changes by Richard Bos and Markus Hüwe. The webserver prefix is configurable now.

- kolab-horde-fbview-2.0.99-20051220

- kolab-horde-framework-2.0.99-20051220

- kolab-resource-handlers-2.0.99-20060201
  * Resolved:
    Issue1010 (new build-mechanism)

- kolab-webadmin-2.0.99-20060201
  * Resolved:
    Issue730 (Cannot rename user in Kolab2 Admin interface)
    Issue809 (kolab web-admin dutch locale)
    Issue848 (remove deleted users from distribution lists)
    Issue1007 (kolab-webadmin autoconfiscation patch)
    Issue1023 (fix some typos in messages)

- kolabd-2.0.99-20060203
  * Resolved:
    Issue768 (virtual.template changes not picked up by kolabconf)
    Issue1012 (make kolabquotawarn log when it sends warning mails)
    Issue1027 (kolab showuser doesn't work)
    Issue1046 (fix an openpkg rc call in kolab_bootstrap)
    Issue1038 (remove perl-kolab/configure from repository)
    Issue1050 (Make DLs work for sending email)

- perl-kolab-5.8.7-20060201
  * Resolved:
    Issue1022 (autoconfiscation patch for perl-kolab)

$Id: release-notes.txt,v 1.35 2006/02/03 14:34:54 thomas Exp $

From torsten.irlaender at intevation.de Fri Apr 7 18:56:44 2006
From: torsten.irlaender at intevation.de (Torsten Irländer)
Date: Fri, 7 Apr 2006 18:56:44 +0200
Subject: [Kolab-announce] KDE Client 2.1.0 feature release.
Message-ID: <200604071856.50174.torsten.irlaender@intevation.de>

Hi *,

I like to announce that six months after the last release a new release of the Kolab 2 KDE Client is ready for download. We call it 2.1.0 as it includes some new features and a lot of bug fixes. Take a look at the release notes in the download section for a detailed view of all applied changes.

Here some of the new features coming with the new release:

* Support for online and offline mailfolders.
  Choose which part of your mails escort you to your offline journeys
* Implemented offline support of your LDAP addressbook
* Support for displaying Quota information
* Improved detection and protection against ghost messages in case of a crash
* Sync with Palm devices in KPilot is significantly improved after resolving many KPilot bugs. One known problem remains. Please look in the release notes

Take a look on the release notes for a detailed view of all applied changes.

best regards
Torsten Irländer

--
Torsten Irländer Intevation GmbH
torsten.irlaender at intevation.de http://www.intevation.de/
-------------- next part --------------
Release notes for the Kolab 2 KDE Client 2.1.0
==============================================

2006-04-06, Bernhard Herzog

Changes since 2.0.6:

Features:
---------

* Improved LDAP resource. including read/write support. (Backport from 3.5 branch)

* Support for displaying QUOTA information in the IMAP kioslave and KMail, for both disconnected and online IMAP. Persisted across restarts. (Kolab/issue1080).

* When, during a sync, while looking for new messages to upload, we encounter a message that looks like a ghost messages (no subject, no from, no to) we first invalidate the index of that folder and then check if the ghosts are still there. If so, offer to the user to delete those mails and reset the sync for this folder. Only ask once per session, to not be annoying. (Kolab/issue918)

* Support for adding and removing subresources (folders in KMail) from within the resource view in KOrganizer and KAddressbook. As a side effect, support for adding and removing subresources from scripts, via DCOP.

* Implement client side subscription for online IMAP and disconnected IMAP accounts. This basically stores a blacklist of unsubscribed folders (since we want new folders to show up, initially) per account, which is persisted to kconfig. This list is used as a filter during folder listing.
  (Kolab/issue1095)

* Auto-unsubscribing of folders by groupware folder type. This allows to only see groupware folders in the account that is set up to contain them, while using a separate (online) IMAP account for mail folders. (Kolab/issue1095)

* Add an option to the wizard to create an online account for the non-groupware folders along with a cached IMAP one which is set to only show groupware folders. (Kolab/issue1095)

Bugfixes:
---------

* Fixed crash on adding groupware resources as kolabwizard did not do it properly (Kolab/issue1201)

* Make sure the translation catalogue is loaded, by making sure we pass our correct name to the Kontact::Plugin base class. (Kolab/issue1087)

* Make sure that latin1 is selected as a default if we find no matching locale for the fallback codec, and replace "iso " with "iso-" so we have a better chance of finding the locale.

* Finally solve Kolab issue 437 by making sure all defaults lists match.

* Trying to autodetect the codec for vcards is a bad idea, so backport what we do in newer versions for a while now, rely on them being utf8. (Kolab/Issue1115)

* Make the imported ldap slave work with the newimap protocol (to avoid clashes with the one in kdebase <= 3.2 and hook it in.

* Import the ldap library stuff from kdelibs 3.5, since we need to support kdelibs 3.2 which doesn't have it.

* Conditionally use the stuff in libpimldaptools and the copied slave, if we are compiling against kdelibs 3.2

* (kio_imap4) Quote mailbox name in case it contains spaces.

* Fix replying or printing encapsulated messages from a main reader window. (Proko2 issue993)

* Don't circumvent the scheduler when handling cancel messages, because otherwise proper schedulingID conversion does not happen. (Kolab/issue1109)

* Don't attempt to fake the schedulingID in temporary scheduling messages, rather rely on the detection of existing incidences which works ok, if the calling code actually uses it, which it didn't, see previous commit.
  (Kolab/issue1109 second half)

* Display "this event/task has been updated" instead of "this is an invitation" if the sequence number of the ical object is non-zero. (Kolab/issue1109 part 3)

* Fix wrong foreground color being used when "use default colors" is checked.

* In case an update or cancel message is processed for an incidence that cannot be found, inform the user, instead of blindly adding a new version of the incidence. (Kolab/issue1128)

* Use the prettyURL, not the label for error messages and don't try to delete mail in readonly folders.

* If a folder is readonly and we detect a ghost message, try the index regeneration part once, then put the folder in the set of those to not check again, for this session, so we don't try to remove messages.

* Make sure folders are created locally if there are no annotations at all set (such as for no-content folders). Create all of them if the server doesn't support annotations at all, to be safe. Fixes problems with irregular folder listings on some servers.

* Change the default for hiding the groupware folders to false.

* Also check for an empty subject when trying to find ghost messages.

* Change the buttons to "Store" and "Throw away" as requested.

* Make the saving of encrypted messages as unencrypted work again.

* Cache the utf8 textcodec, because codecForName turns out to be a performance bottleneck, and it's called in a tight loop for each loaded incidence. Further step towards fixing issue1118.

* Fix the spurious extra characters at the end of inline invitations. (Kolab/issue1118)

* Be sure to reload the addressbook, when we've added a contact. A bit crude, but that's what 3.5 does. (Kolab/issue1084).

* The distribution list code assumes there are no , and ; in the uid. Make sure of that, at least internally, otherwise display names like "Foo, Bar" break. (Kolab/issue1152)

* Make sure we don't insert ; or , as identifiers in a distlist.
  (Kolab/issue1152)

* Adjust visual defaults in the certificate manager according to Aegypten issue322.

* Fix potential crash after resetting a sync.

* Fix for kpilot sync conflict warning even when nothing changed in kontact. (Kolab/issue1097)

* Fix for: kpilot sometimes removes first occurrence of a recurring event. (Kolab/issue1135)

* Fix for: kpilot doesn't sync location field of events. (Kolab/issue1134)

* Fix for: Contacts from Palm don't show properly in KAddressBook (Kolab/issue1156)

Documentation:
--------------

* Add a section for non-gui options and explain SendMDNsWithoutSender option in the documentation.

From bernhard at intevation.de Tue May 16 19:22:04 2006
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 16 May 2006 19:22:04 +0200
Subject: [Kolab-announce] Security Advisory 09 for Kolab Server (CVE-2006-1989, ClamAV)
Message-ID: <200605161922.10388.bernhard@intevation.de>

--
www.kolab-konsortium.com Professional Maintenance, Consultancy and Support.
-------------- next part --------------
Kolab Security Issue 09 20060516
================================

Package:            Kolab Server
Vulnerability:      buffer overflow, remotely exploitable (CVE-2006-1989)
Kolab Specific:     no
Dependent Packages: none
Impact:             high

Summary
~~~~~~~

The Clam AntiVirus package's freshclam component has a buffer overflow that can be exploited remotely. Freshclam fetches updates via HTTP. A specially prepared HTTP server could be used by an attacker to exploit the buffer overflow. By means of DNS poisoning freshclam could be pointed to such a bogus server.

Affected Versions
~~~~~~~~~~~~~~~~~

This affects all servers which have ClamAV 0.80 up to 0.88.1 running. Kolab Servers 2.0.3, Kolab Server 2.1beta1 are vulnerable.
Previous releases are affected.

Fix
~~~

Upgrade to ClamAV 0.88.2. A new ClamAV RPM is available from the Kolab download mirrors as

  security-updates/20060616/clamav-0.88.2-20060430.src.rpm

In addition a binary RPM for (ix86 Debian GNU/Linux Sarge) is available:

  Kolab Server 2.0.3 (Sarge)
    security-updates/clamav-0.88.2-20060430.ix86-debian3.1-kolab.rpm
  All other Server versions:
    Please build from the src.rpm.

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via rsync:

# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20060616/clamav-0.88.2-20060430.src.rpm .

MD5 sums:
bce57f67d9549087f4f1b88313fcf237  clamav-0.88.2-20060430.src.rpm
8d646b130ed9f166ed16a589776406e4  clamav-0.88.2-20060430.ix86-debian3.1-kolab.rpm

The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.88.2-20060430.src.rpm
# /kolab/bin/openpkg rpm \
    -Uvh /kolab/RPM/PKG/clamav-0.88.2-20060430.--kolab.rpm

The installation process will likely leave a freshclam.conf.rpmsave or clamd.conf.rpmsave in /kolab/etc/clamav/. Since freshclam.conf and clamd.conf are generated files, remove the rpmsave files, run kolabconf and make sure clamav starts. E.g.

# rm /kolab/etc/clamav/clamd.conf.rpmsave
# /kolab/sbin/kolabconf
# /kolab/etc/rc clamav start

Optionally update the virus signature files manually right away as test:

# /kolab/bin/freshclam

Details
~~~~~~~

http://www.clamav.net/security/0.88.2.html
ClamAV 0.88.2 release notes

Timeline
~~~~~~~~

20060429 ClamAV security release 0.88.2, announced as "Moderate risk".
20060430 OpenPKG 0.88.2 package release as in section CUR/SRC/PLUS.
20060516 Security assessment for Kolab Server by Martin Konold.
20060516 Kolab Server tests, update and security advisory published.

From torsten.irlaender at intevation.de Thu May 18 15:47:09 2006
From: torsten.irlaender at intevation.de (Torsten Irländer)
Date: Thu, 18 May 2006 15:47:09 +0200
Subject: [Kolab-announce] New Proko2 KDE Client 2.1.1 released
Message-ID: <200605181547.10803.torsten.irlaender@intevation.de>

Proko2 KDE Client 2.1.1 has been released. This new release is mainly a bugfix release, but includes also some new features.

Here's a short excerpt of the changes:

* New: Coloring of different calendar resources
* New: Better support for online/offline working
* New: Speed Improvements on large calendars
* Fixed: Many issues related to groupwarefolders in a dIMAP/IMAP environment.

As usual, the release notes with some more details of the changes are attached. The new version has been uploaded, but it may not have reached all the mirrors yet.

--
Torsten Irländer Intevation GmbH
torsten.irlaender at intevation.de http://www.intevation.de/
-------------- next part --------------
Release notes for the Kolab 2 KDE Client 2.1.1 (released 20060518)
==================================================================

Torsten Irländer (20060518ber)

Changes since Proko2 2.1.0:

Features:
---------

* Non-gui config key that allows to specify after how many incidences a progress dialog comes up. (issue 1118)

* Backport large parts of the online/offline support from 3.5, which makes it possible to suspend and resume all network jobs via DCOP. KPilot will use this to disable network traffic during a kolab resource sync, for example, but the user can also use it to go offline on the road, and thus avoid error messages due to interval mail checks. (issue 1137).

* Backport resource colors from KDE 3.5 branch.
  (issue 1129)

Bugfixes:
---------

* Change the default for hiding groupware folders back to true. (issue 1206)

* Automatically unsubscribe the default folders and turn on local subscription for the online imap account in the kolab wizard. (issue 1206)

* Don't list messages in the INBOX if it is the one of the groupware main account and we are in "only groupware folders for this account" mode. (issue 1207)

* If we are hiding groupware folders, and the account is the groupware base account, and it's set to only locally subscribe to groupware folders, hide it completely from the folder tree. (issue 1207)

* Don't reload the KConfig object of the standard addressbook for every incidence during loading, by caching the "thatIsMe" entry. This should speed up calendar loading significantly, but it means that if the user changes their "thatIsMe" entry in the addressbook, KOrganizer won't realize that until the next restart. Given the spectacularly low frequency with which that is expected to happen, I think that's worth it. I can't fix it at the root, since that is in kdelibs. (issue 1118)

* Also trigger a reload of the folder when a new IncidencesFor annotation is retrieved from the server. (issue 398)

* Fix of the concurrent KPilot and KMail dImap sync problem. Concurrent sync is now blocked. Problem was that on a concurrent sync contacts/tasks/events were duplicated in the dImap folders (issues 1136, 1137)

* Don't attempt to rename the inbox. Especially not to INBOX. (issue 1185)

* Only prepend the indent string in Weighted address completion mode, only show headers in Weighted mode. (issue 740)

* Handle encoded headers differently, so that replying to Froms with a real name containing an encoded comma (',') will work. (issue 1228)

From bh at intevation.de Tue Jun 20 15:41:18 2006
From: bh at intevation.de (Bernhard Herzog)
Date: Tue, 20 Jun 2006 15:41:18 +0200
Subject: [Kolab-announce] Kolab Server 2.1 Beta 2 released
Message-ID: <200606201541.28360.bh@intevation.de>

Hello,

after more than four months, Kolab Server 2.1 Beta 2 is finally ready. I've just uploaded the packages, so the mirrors should have the files shortly. The files are linked in the server/beta/kolab-server-2.1-beta-2 directory.

The release-notes are attached. Please read them and the 1st.README file carefully when upgrading because of a change in the default imap configuration that affects upgrades from older versions.

Regards,

Bernhard Herzog
-------------- next part --------------
Release notes Kolab2 Server
(Version 20060620, Kolab Server 2.1 beta 2)

This is a development snapshot of the kolab server leading up to a 2.1 release.

For upgrading and installation instructions, please refer to the 1st.README file in the source directory.

At this point an upgrade from 2.0 is not recommended. Instructions for the upgrade from 2.0 are in 1st.README, but they're not very well tested yet.

Differences between Kolab 2.0.x and 2.1:

- Simple multi-domain support

  The Kolab server can now accept mail for multiple email domains. There is also a new class of maintainers which are only allowed to manage settings for a subset of the mail domains of the kolab server.

Known problems:

- Under some circumstances the Kolab server may not create users or update the configuration after changes have been made in the web interface. This happens most often immediately after the bootstrap.
  In that case restart the kolabd:

    /kolab/bin/openpkg rc kolabd restart

  See Issue1068 (Mailboxes are not created until kolabd restart) and Issue1098 (Changes in the service tab are not accepted after bootstrap) for details.

- If modifying or deleting of address book entries doesn't work, restarting openldap can help, see Issue854 for details. Deleting address book entries doesn't automatically remove them from distribution lists like it is done for users, see Issue848 for details.

Changes since 2.1 beta 1:

OpenPKG updates:

  openpkg-2.5.2-2.5.2
  openpkg-registry-0.2.7-20060223
  libxslt-1.1.15-2.5.1
  php-smarty-2.6.10-20051003
  clamav-0.88.2-20060524
  binutils-2.16.1-2.5.1
    http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.009-binutils.html
  openldap-2.3.11-2.5.1
    http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.008-openldap.html

Kolab updates:

More distconf changes by Richard Bos and Markus Hüwe.

- perl-kolab-5.8.7-20060619
  Resolved:
    Issue1194 (kolabd quota performance)
    Issue1220 (postfix permissions)
    issue1237 (Handling of @@@var@@@ in Conf.pm (Gunnar Wrobel))

- kolabd-2.0.99-20060619
  * The default imapd configuration has been changed to enable the hashimapspool option. This affects the upgrade procedure. See 1st.README for upgrade instructions.
  * amavis now logs to /kolab/var/amavisd/amavisd.log.
    This is part of the fix for Issue1015
  Resolved:
    Issue1015 (fixing logging and logrotate for amavisd)
    Issue1089 (enable hashimapspool for imapd to cope with many users)
    Issue1101 (allowapop: no; disable apop access to imapd by default)
    Issue1105 (fix compilation of kolabd on FreeBSD)
    Issue1257 (wrong attribute name for imap quota)

- kolab-webadmin-2.0.99-20060619
  * patch from Tobias König in order to support setting of foldertype for public folders
  Resolved:
    Issue848 (Modifying address book entry may break distribution list)
    Issue1106 (email validation in webgui)
    Issue1214 (number of days for vacation messages on webinterface)
    Issue1263 (Bug in the shared folders folder-type code) [Wrobel]

- kolab-resource-handlers-2.0.99-20060619
  * create empty pfbcache.db if missing
  Resolved:
    Issue973 (quoting and rewriting From header)
    Issue966 (Wrong CN for resource accounts)
    Issue1042 (server modifies email content)
    Issue1195 (error message in bounce)
    Issue1243 (rewriting fails when "From:" contains quoted printable)
    Issue1245 (rewriting problems on folded Header "From:"-line)

$Id: release-notes.txt,v 1.41 2006/06/20 12:44:25 bh Exp $

From torsten.irlaender at intevation.de Wed Jun 28 17:01:28 2006
From: torsten.irlaender at intevation.de (Torsten Irländer)
Date: Wed, 28 Jun 2006 17:01:28 +0200
Subject: [Kolab-announce] New proko2 KDE 2.1.2 client is out
Message-ID: <200606281701.32913.torsten.irlaender@intevation.de>

Proko2 KDE Client 2.1.2 has been released. This new release is mainly a bugfix release, but includes also some new features.

Here's a short excerpt of the changes:

* New: Show quota information in the folder tooltip.
* New: Allow ";" as additional address separator
* New: Show detailed information about recurrences of events in the invitation mail
* Fixed: Resource colors don't disappear when deleting an event from the calendar.
* Fixed: Groupwarefolders are now unsubscribed for online imap after setup with kolabwizard.

As usual, the release notes with some more details of the changes are attached. The new version has been uploaded, but it may not have reached all the mirrors yet.

--
Torsten Irländer Intevation GmbH
torsten.irlaender at intevation.de http://www.intevation.de/
-------------- next part --------------
Current Release is Proko2 2.1.2

Changes since Proko2 2.1.1 up to Proko2 2.1.2 (released 26.06.2006)

Bugfixes
========

* Quota information does not hang anymore for online imap when no quota is set (Proko2 issue 1248)
* Resource colors don't disappear when deleting an event from calendar (Proko2 Issue 1129)
* Don't allow shift-tab to select header separators. (Proko2 Issue 740)
* Overwrite mode on mail composing now works (Proko2 Issue 1182)
* Printer view config now takes effect without restarting kontact (Proko2 Issue 1204)
* Creation of subfolders when using online imap is now possible (Proko2 Issue 1258)
* Only warn about events which can't be found on cancel if it's not an initial decline. (Proko2 issue 1248)
* Groupwarefolders (with standard name) are now unsubscribed for online imap after setup with kolabwizard (Proko2 Issue 1260)
* Subject of MDNs is now translated. (Proko2 issue 1277)
* Enable automatic expunge when a folder is left for the online IMAP account. (Proko2 Issue 1207)
* Errors during target folder creation in folder copy operations are now handled without crashing. (Proko2 issue 1279)

Features
========

* Show quota information in the folder tooltip.
  Even works for online imap (Proko2 Issue 1215)
* Show detailed information about recurring events in invitation mails (Proko2 Issue 1226)
* Allow ";" as additional address separator (Proko2 Issue 1216)
* For full mailchecks (more than one folder) do a full folder listing (modulo list-only-open-folders config option) so we detect new shared folders without the need for an explicit listing by the user. (Proko2 Issue 1250)

From bernhard at intevation.de Thu Aug 10 17:49:21 2006
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 10 Aug 2006 17:49:21 +0200
Subject: [Kolab-announce] Security Advisory 10 for Kolab Server (CVE-2006-4018, ClamAV)
Message-ID: <200608101749.22284.bernhard@intevation.de>

-------------- next part --------------
Kolab Security Issue 09 20060810
================================

Package:            Kolab Server, ClamAV
Vulnerability:      buffer overflow, remotely exploitable (CVE-2006-4018)
Kolab Specific:     no
Dependent Packages: none
Impact:             high

Summary
~~~~~~~

The Clam AntiVirus package's freshclam component has a buffer overflow in the handler for compressed UPX files that can be exploited remotely.

Affected Versions
~~~~~~~~~~~~~~~~~

This affects all servers which have ClamAV 0.81 up to 0.88.3 running. Kolab Server 2.0.3, Kolab Server 2.1beta2 are vulnerable. Previous releases are affected.

Fix
~~~

Upgrade to ClamAV 0.88.4 or to Kolab Server 2.0.4 which includes the new ClamAV.
The ClamAV RPM is available from the Kolab download mirrors as

  security-updates/20060810/clamav-0.88.4-20060809.src.rpm

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via rsync:

# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20060810/clamav-0.88.4-20060809.src.rpm .

MD5 sums:

943f2f4da69cb949a060e6ba102b4e44  clamav-0.88.4-20060809.src.rpm

The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.88.4-20060809.src.rpm
# /kolab/bin/openpkg rpm \
    -Uvh /kolab/RPM/PKG/clamav-0.88.4-20060809.--kolab.rpm

The installation process might leave a freshclam.conf.rpmsave or clamd.conf.rpmsave in /kolab/etc/clamav/. Since freshclam.conf and clamd.conf are generated files, remove the rpmsave files, run kolabconf and make sure clamav starts. E.g.

# rm /kolab/etc/clamav/clamd.conf.rpmsave
# /kolab/sbin/kolabconf
# /kolab/etc/rc clamav start

Optionally update the virus signature files manually right away as test:

# /kolab/bin/freshclam

Details
~~~~~~~
http://www.clamav.net/security/0.88.4.html
  ClamAV 0.88.4 security advisory.

Timeline
~~~~~~~~
20060807 ClamAV security release 0.88.4.
20060809 OpenPKG 0.88.4 package release in section CUR/SRC/PLUS.
20060810 Kolab Server security advisory published.

From bh at intevation.de Fri Aug 11 19:59:37 2006
From: bh at intevation.de (Bernhard Herzog)
Date: Fri, 11 Aug 2006 19:59:37 +0200
Subject: [Kolab-announce] Kolab Server 2.0.4 released
Message-ID: <200608111959.45782.bh@intevation.de>

Hello,

Kolab Server 2.0.4 has been released. The main changes in this release are some security fixes and several bug fixes for the resource manager.
More details are in the attached release notes.

Because of the security fixes, upgrading is recommended.

The new version has been uploaded, but it may not have reached all the mirrors yet.

Bernhard Herzog
-------------- next part --------------
Release notes Kolab2 Server (Version 20060811, Kolab Server 2.0.4)

For upgrading and installation instructions, please refer to the 1st.README file in the source directory.

This release fixes several security problems in apache, clamav, openldap and binutils. See below for more details. Upgrading is recommended.

Changes since 2.0.3:

- Security Fixes:

    apache-1.3.33-2.4.5_kolab2
      http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.015-apache.html
      OpenPKG hasn't released a fix for this for OpenPKG 2.4 but this kolab specific apache RPM now contains a patch with the fix for this issue.

    binutils-2.16.1-2.4.1
      http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.009-binutils.html

    openldap-2.2.27-2.4.1_kolab
      http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.008-openldap.html

    clamav-0.88.4-20060809
      http://kolab.org/security/kolab-vendor-notice-10.txt

Kolab updates:

- perl-kolab

    Resolved:
      Issue1210 (large replog makes kolabd slow)

- kolabd 1.9.4-20060111 -> 1.9.4-2006????

    Added missing relay service

    Resolved:
      Issue1274 (Sending mail as internal user doesn't work)

- kolab-webadmin

    Resolved:
      Issue848 (external address in dist. list)

- kolab-resource-handlers

    Resolved:
      Issue815 (invitation replies vanish in resmgr)
      Issue966 (Wrong CN for resource accounts)
      Issue973 (quoting and rewriting From header)
      Issue1042 (server modifies email attachment content)
      Issue1195 (Better error message when lmtp fails)
      Issue1243 (problem when rewriting "quoted printable" from headers)
      Issue1245 (problem when rewriting folded from headers)
      Issue1352 (resmgr can create wrong range dates)

$Id: release-notes.txt,v 1.15.2.17 2006/08/11 16:24:43 bh Exp $
From bh at intevation.de Fri Aug 18 15:56:35 2006
From: bh at intevation.de (Bernhard Herzog)
Date: Fri, 18 Aug 2006 15:56:35 +0200
Subject: [Kolab-announce] Kolab KDE Client 2.1.3 released
Message-ID: <200608181556.40587.bh@intevation.de>

Kolab KDE Client 2.1.3 has been released. This release contains a few new features as well as several bug fixes. Among the new features are:

* Task colouring based on subresource colour
* Open and Open with for attachments in the composer
* More columns in mail listing window

A detailed list of the changes can be found in the release notes.

The new version has been uploaded, but it may not have reached all the mirrors yet.

Bernhard Herzog

From bh at intevation.de Tue Aug 22 15:27:13 2006
From: bh at intevation.de (Bernhard Herzog)
Date: Tue, 22 Aug 2006 15:27:13 +0200
Subject: [Kolab-announce] Kolab KDE Client 2.1.4 released
Message-ID: <200608221527.18652.bh@intevation.de>

Kolab KDE Client 2.1.4 has been released. The only change since the previous version, 2.1.3, is a fix for a bug that makes kontact much harder to use when accessing the same Kolab IMAP account from multiple machines.

The new version has been uploaded, but it may not have reached all the mirrors yet.

Bernhard Herzog
From bh at intevation.de Mon Oct 2 19:32:33 2006
From: bh at intevation.de (Bernhard Herzog)
Date: Mon, 2 Oct 2006 19:32:33 +0200
Subject: [Kolab-announce] Kolab Security Issue 11 20061002 (openssl)
Message-ID: <200610021932.37847.bh@intevation.de>

-------------- next part --------------
Kolab Security Issue 11 20061002
================================

Package: openssl
Vulnerability: denial of service
Kolab Specific: no
Dependent Packages: apache curl imap imapd openldap perl perl-crypto php postfix proftpd

Summary
-------
According to a vendor security advisory, four security issues were discovered in the cryptography toolkit OpenSSL: two denial of service attacks when parsing ASN.1 structures, a buffer overflow when processing a list of ciphers and an ssl client crash.

Affected Versions
-----------------
OpenPKG packages of openssl-0.9.8a-2.5.2 or earlier are affected. Kolab Server 2.0.4 and previous releases of the 2.0 branch as well as Kolab Server 2.1 beta 2 and previous releases of the 2.1 branch are affected.

You can check the installed version with:

  /kolab/bin/openpkg rpm -q openssl

Fixes
-----
Note: The fix described here is for Kolab server 2.0.4 and 2.1 beta 2. If you still run an older version, please upgrade to 2.0.1 or 2.1 beta 2 depending on the branch you are using.

Updated OpenPKG package for openssl are available from the usual kolab mirrors under the directory security-updates/20061002/ . While the mirrors are catching up, you can also get the files via rsync:

# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20061002/ .
Under that directory you'll find the following directory tree:

  ./2.0/sources/
  ./2.0/ix86-debian3.1/
  ./2.0/ix86-debian3.0/
  ./2.1/sources/
  ./2.1/ix86-debian3.1/

There is one branch for the Kolab server 2.0 updates and one for the 2.1 updates. In each branch is a sources directory and one or more binary directories.

If you installed the Kolab server from sources, download the sources directory for your kolab server branch. If you installed from binaries, download the appropriate binaries directory for your kolab server branch.

All directories contain the new OpenSSL package plus obmtool and obmtool.conf files like a kolab release. In addition, the binaries directories contain updated binaries of the dependent packages.

In any case, download all files in the appropriate directory, chdir into the downloaded directory and run

  /kolab/bin/openpkg rc all stop
  ./obmtool kolab

This will install the new openssl package and rebuild/reinstall the dependent packages. Afterwards start the server again, making sure to regenerate the config files as you would for a normal Kolab server update.

For the Kolab server 2.1 branch, the upgrade of the postfix RPM requires an additional manual step. After the upgrade, the permissions of some files in /kolab/etc/postfix are wrong and some .db files are missing.
An easy way to fix this after running kolabconf is to run the following commands (as root):

  cd /kolab/etc/postfix
  chown root:kolab transport virtual
  make

Details
-------
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
  OpenPKG Security Advisory OpenPKG-SA-2006.021

http://www.openssl.org/news/secadv_20060928.txt
  OpenSSL Security Advisory on the vendor's site

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
  Common Vulnerabilities and Exposures (CVE): CAN-2006-2937

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
  Common Vulnerabilities and Exposures (CVE): CAN-2006-2940

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
  Common Vulnerabilities and Exposures (CVE): CAN-2006-3738

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
  Common Vulnerabilities and Exposures (CVE): CAN-2006-4343

Timeline
--------
20060928 OpenSSL vendor released patch and new versions containing the fix
20060928 OpenPKG created new package containing the fix
20061002 Kolab update and security advisory published

From bernhard at intevation.de Tue Oct 3 12:58:16 2006
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 3 Oct 2006 12:58:16 +0200
Subject: [Kolab-announce] Kolab Security Issue 11 20061002 (openssl)
In-Reply-To: <200610021932.37847.bh@intevation.de>
References: <200610021932.37847.bh@intevation.de>
Message-ID: <200610031258.17490.bernhard@intevation.de>

On Monday 02 October 2006 19:32, Bernhard Herzog wrote:
> Kolab Security Issue 11 20061002

http://www.kolab.org/security/kolab-vendor-notice-11.txt

> Fixes
> -----
>
> Note: The fix described here is for Kolab server 2.0.4 and 2.1 beta 2.
> If you still run an older version, please upgrade to 2.0.1 or 2.1 beta 2
> depending on the branch you are using.

To be extra sure, because of the misleading sentence above:
You need to upgrade to 2.0.4 if you run the 2.0.x branch to be able to apply the fix.

From bh at intevation.de Mon Oct 9 18:48:36 2006
From: bh at intevation.de (Bernhard Herzog)
Date: Mon, 9 Oct 2006 18:48:36 +0200
Subject: [Kolab-announce] Kolab Security Issue 12
Message-ID: <200610091848.44388.bh@intevation.de>

-------------- next part --------------
Kolab Security Issue 12 20061009
================================

Package: openssl
Vulnerability: denial of service, may allow execution of arbitrary code
Kolab Specific: no
Dependent Packages: apache curl imap imapd openldap perl perl-crypto php postfix proftpd

Summary
~~~~~~~
The openssl package for the Kolab Server 2.0 branch from the previous Kolab Security Issue, No. 11 from 20061002, introduced a new problem together with the fix for CVE-2006-2940. The new problem is the possible use of an uninitialized local variable which may lead to program crashes and may allow execution of arbitrary code.

Affected Versions
~~~~~~~~~~~~~~~~~
The updated RPMs from Kolab Security Issue 11 for the Kolab Server 2.0 are affected. More specifically, it affects the openssl-0.9.7l-20061002_kolab RPM and dependent packages.

The updated RPMs for the Kolab Server 2.1 branch are NOT affected. The openssl RPM from OpenPKG used for that branch already contains the fix for the new problem.

Fixes
~~~~~
Note: The fix described here is for Kolab Server 2.0.4. If you still run an older version, please upgrade to 2.0.4 first.
You do not need to apply Kolab Security Issue 11 because this update completely replaces it.

An updated OpenPKG package for openssl is available from the usual kolab mirrors under the directory security-updates/20061009/ . While the mirrors are catching up, you can also get the files via rsync:

# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20061009/ .

Under that directory there is one directory with the new source RPMs (sources/) and one with updated RPMs for Debian sarge (ix86-debian3.1)

If you installed the Kolab Server from sources, download the sources directory for your kolab Server branch. If you installed from binaries, download the appropriate binaries directory for your Kolab Server branch.

Both directories contain the new OpenSSL package plus obmtool and obmtool.conf files like a Kolab release. In addition, the binary directory contains updated binaries of the dependent packages.

In any case, download all files in the appropriate directory, chdir into the downloaded directory and run

  /kolab/bin/openpkg rc all stop
  ./obmtool kolab

This will install the new openssl package and rebuild/reinstall the dependent packages. Afterwards start the server again, making sure to regenerate the config files as you would for a normal Kolab Server update.
Details
~~~~~~~
http://kolab.org/security/kolab-vendor-notice-11.txt
  Kolab Security Notice 11 with the updates

http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
  OpenPKG Security Advisory OpenPKG-SA-2006.021

http://www.openssl.org/news/secadv_20060928.txt
  OpenSSL Security Advisory on the vendor's site

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
  Common Vulnerabilities and Exposures (CVE): CAN-2006-2940

Timeline
~~~~~~~~
20060928 OpenSSL vendor released patch and new versions containing the fix
20060928 OpenPKG created new package containing the fix
20061002 Kolab update and security advisory 11 published
20061009 Kolab update and security advisory 12 published

From thomas at intevation.de Thu Oct 19 17:27:50 2006
From: thomas at intevation.de (Thomas Arendsen Hein)
Date: Thu, 19 Oct 2006 17:27:50 +0200
Subject: [Kolab-announce] Kolab Security Issue 13 20061019 (clamav)
Message-ID: <20061019152750.GH17693@intevation.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 13 20061019
================================

Package: Kolab Server, ClamAV
Vulnerability: heap overflow, remotely exploitable (CVE-2006-4182), denial of service, remotely exploitable (CVE-2006-5295)
Kolab Specific: no
Dependent Packages: none

Summary
~~~~~~~
CVE-2006-4182
  Damian Put discovered a heap overflow error in the script to rebuild PE files, which could lead to the execution of arbitrary code.

CVE-2006-5295
  Damian Put discovered that missing input sanitising in the CHM handling code might lead to denial of service.

Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of ClamAV up to version 0.88.4. Kolab Server 2.0.4 and Kolab Server 2.1beta2 are vulnerable.
Previous releases are affected.

Fix
~~~
Upgrade to ClamAV 0.88.5.

The ClamAV source RPM is available from the Kolab download mirrors as:

  security-updates/20061019/clamav-0.88.5-2.20061018.src.rpm

A binary RPM for Kolab Server 2.0.4 (ix86 Debian GNU/Linux Sarge) is available:

  security-updates/20061019/clamav-0.88.5-2.20061018.ix86-debian3.1-kolab.rpm

All other Server versions: Please build from the src.rpm.

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via rsync:

# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/security-updates/20061019/clamav-0.88.5-2.20061018.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/security-updates/20061019/clamav-0.88.5-2.20061018.ix86-debian3.1-kolab.rpm .

MD5 sums:

d449d8970698e3bd3dd30eac7a1e4579  clamav-0.88.5-2.20061018.src.rpm
4c819dcaffe3602a927965115ff328d5  clamav-0.88.5-2.20061018.ix86-debian3.1-kolab.rpm

The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.88.5-2.20061018.src.rpm
# /kolab/bin/openpkg rpm \
    -Uvh /kolab/RPM/PKG/clamav-0.88.5-2.20061018.--kolab.rpm

Details
~~~~~~~
http://sourceforge.net/project/shownotes.php?release_id=455799
  ClamAV 0.88.5 release notes

http://www.securityfocus.com/bid/20535
  Clam Anti-Virus PE Rebuilding Heap Buffer Overflow Vulnerability (CVE-2006-4182)

http://www.securityfocus.com/bid/20537
  Clam Anti-Virus CHM Unpacker Denial Of Service Vulnerability (CVE-2006-5295)

Timeline
~~~~~~~~
20061015 ClamAV release 0.88.5.
20061018 OpenPKG 0.88.5 package release.
20061019 Kolab Server security advisory published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFN5dhW7P1GVgWeRoRAqLQAKChYWtNVbzLGvVy4uuLuJuFQ9OwiACfQKS+
DeF+soaUL4p5iwtTZxagxNg=
=73VV
-----END PGP SIGNATURE-----

--
Email: thomas at intevation.de
http://intevation.de/~thomas/

From bernhard.herzog at intevation.de Thu Nov 2 19:20:45 2006
From: bernhard.herzog at intevation.de (Bernhard Herzog)
Date: Thu, 2 Nov 2006 19:20:45 +0100
Subject: [Kolab-announce] Kolab KDE Client 2.1.5 released
Message-ID: <200611021920.46968.bernhard.herzog@intevation.de>

Kolab KDE Client 2.1.5 has been released. This release contains some new features as well as several bug fixes. Among the new features are:

* Add signature at top of reply and insert at cursor position
* Kiosk option (non-gui) for vacation: react-to-spam and maildomain
* Adding LDAP results to address selection dialog
* Button to send email to the selected addresses in LDAP search
* Make completion work with semicolon (;) as the separator

A detailed list of the changes can be found in the release notes.

The new version has been uploaded, but it may not have reached all the mirrors yet.

Bernhard Herzog

From thomas at intevation.de Wed Nov 15 19:43:29 2006
From: thomas at intevation.de (Thomas Arendsen Hein)
Date: Wed, 15 Nov 2006 19:43:29 +0100
Subject: [Kolab-announce] Kolab Server 2.1 Beta 3 released
Message-ID: <20061115184329.GD3010@intevation.de>

Hi!

I've just uploaded the last bits of Kolab Server 2.1 Beta 3, which fixes more than 30 problems found in Beta 2 and includes the security updates published until now.

Documentation and OpenPKG source packages will be available in the directory server/beta/kolab-server-2.1-beta-3/ of the mirrors listed on http://kolab.org/mirrors.html soon.
Included is a gpg signed MD5SUMS file to verify if your download is correct:

$ gpg --verify MD5SUMS
$ md5sum -c MD5SUMS

The packages are available since Friday, so you already can start downloading from server/development-2.1/dated/20061110/, all that was changed since then are the files release-notes.txt, 1st.README and UPGRADING.20-21, which I have attached to this mail for your convenience.

Please follow the instructions in 1st.README, because otherwise some things will not work as expected.

UPGRADING.20-21 contains instructions for upgrading from Kolab server 2.0 to 2.1, but they need testing on more live systems. Please report failed and successful upgrades to the mailing list.

Regards,
Thomas Arendsen Hein

--
Email: thomas at intevation.de
http://intevation.de/~thomas/
-------------- next part --------------
Release notes Kolab2 Server (Version 20061110, Kolab Server 2.1 beta 3)

This is a development snapshot of the kolab server leading up to a 2.1 release.

For upgrading and installation instructions, please refer to the 1st.README file in the source directory.

WARNING, these topics need testing in 2.1 beta 3:

- Instructions for upgrading from Kolab server 2.0 in 1st.README.
- Changed imapd database format for annotations.db and mailboxes.db
- New free/busy code (see section "Known problems")

Differences between Kolab 2.0.x and 2.1:

- Simple multi-domain support

  The Kolab server can now accept mail for multiple email domains. There is also a new class of maintainers which are only allowed to manage settings for a subset of the mail domains of the kolab server.

- Hashed IMAP spool

  The default imapd configuration has been changed to enable the hashimapspool option. This means that in 2.1 the default directory layout of the imapd spool (/kolab/var/imapd/spool/) is different from the one in 2.0.
  When you upgrade from 2.0 it's best to keep using the old structure, so remove or comment out the corresponding line in /kolab/etc/kolab/templates/imapd.conf.template *before* running kolabconf.

  For new installations the new default setting is recommended because it's more efficient especially when you have many mailboxes. For details see kolab/issue1089.

Known problems:

- Retrieving the free/busy information isn't working, unless you use the following workaround on the server:

    cd /kolab && ln -s . kolab

  See kolab/issue1490 (freebusy cache written to /kolab/kolab/...) for details. Be careful when creating backups of your /kolab directory to not follow symbolic links, because this is a recursive one.

- Under some circumstances the Kolab server may not create users or update the configuration after changes have been made in the web interface. This happens most often immediately after the bootstrap. In that case restart the kolabd:

    /kolab/bin/openpkg rc kolabd restart

  See kolab/issue1068 (Mailboxes are not created until kolabd restart) and kolab/issue1098 (Changes in the service tab are not accepted after bootstrap) for details.

- If modifying or deleting of address book entries doesn't work, restarting openldap can help, see kolab/issue854 for details.

- Setting Cyrus IMAP quota to 4096MB or more breaks delivery to this user. Setting to unlimited works though. See kolab/issue1262 for details.

Changes since 2.1 beta 2:

- openpkg-2.5.4-2.5.4

  New upstream version.

- apache-1.3.33-2.5.6

  denial of service and possibly arbitrary code execution via crafted URLs that are not properly handled using certain rewrite rules.
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.015-apache.html - gzip-1.3.5-2.5.1 denial of service, arbitrary code execution http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.020-gzip.html - curl-7.15.0-2.5.2 buffer overflow http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.012-curl.html - openssl-0.9.8a-2.5.4 denial of service, may allow execution of arbitrary code (http://kolab.org/security/kolab-vendor-notice-12.txt) - clamav-0.88.5-2.20061018 buffer overflow, remotely exploitable (CVE-2006-4018) (http://kolab.org/security/kolab-vendor-notice-10.txt) heap overflow, remotely exploitable (CVE-2006-4182), denial of service, remotely exploitable (CVE-2006-5295) (http://kolab.org/security/kolab-vendor-notice-13.txt) - file-4.15-2.5.0_kolab kolab/issue1458 (Password protected .sxw files can be banned by amavisd, as a result of the file command) - openldap-2.3.27-2.20061018_kolab New upstream version, fixes CVE-2006-4600 (Bugtraq ID 19832) and other problems. kolab/issue1229 (Master openldap's slurpd fails to start after adding slave) kolab/issue1431 (Slave cannot access master ldap server via SSL) - imapd-2.2.12-2.5.0_kolab2 Fix folder structure for foldernames with non-alphanumeric characters, when using skiplist as the database backend for mailboxes.db. - perl-kolab-5.8.7-20061110 kolab/issue1194 (serious performance problem on high number of users) - kolabd-2.0.99-20061110 Added missing relay service for postfix. Changed main.cf masquerading defaults so email to user at machine.example.org is actually delivered. Use mailbox_transport instead of local_transport for kolabmailboxfilter to work around issue825. Removed doubled attribute cyrus-autocreatequota. Added indexes for delegate and delete. Updated freebusy.conf template for freebusy IMAP caching. Changed imapd.conf template to use berkeley db instead of skiplist for annotations.db and mailboxes.db as a workaround for kolab/issue840 (Annotations needs to be more robust). 
kolab/issue824 (kolabmailboxfilter run once for each recipient) kolab/issue1264 (Add support for sieve based notifications) kolab/issue1273 (Sending as delegate broken in Kolab server 2.1) kolab/issue1428 (Fixed locking issue) kolab/issue1433 (Some files in /kolab/etc/postfix have wrong ownership) - kolab-webadmin-2.0.99-20061110 Fixes for setting folder type of shared folders. Guard against large number of users. kolab/issue1457 (updated French translation) - kolab-resource-handlers-2.0.99-20061110 Improvements and fixes for freebusy IMAP caching. kolab/issue815 (invitation replies vanish in resmgr) kolab/issue957 (All-day events from Outlook don't show up in freebusy) kolab/issue974 (Localize the text for rewritten From: headers) kolab/issue1042 (empty lines at the end of mails delivered via LMTP) kolab/issue1352 (resmgr can create wrong range dates) kolab/issue1387 (resmgr replies to replies creating mail loop) kolab/issue1422 (Dummy freebusy info) Changes since 2.1 beta 1: OpenPKG updates: openpkg-2.5.2-2.5.2 openpkg-registry-0.2.7-20060223 libxslt-1.1.15-2.5.1 php-smarty-2.6.10-20051003 clamav-0.88.2-20060524 binutils-2.16.1-2.5.1 http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.009-binutils.html openldap-2.3.11-2.5.1 http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.008-openldap.html Kolab updates: More distconf changes by Richard Bos and Markus H?we. - perl-kolab-5.8.7-20060619 Resolved: Issue1194 (kolabd quota performance) Issue1220 (postfix permissions) issue1237 (Handling of @@@var@@@ in Conf.pm (Gunnar Wrobel)) - kolabd-2.0.99-20060619 * The default imapd configuration has been changed to enable the hashimapspool option. This affects the upgrade procedure. See 1st.README for upgrade instructions. * amavis now logs to /kolab/var/amavisd/amavisd.log. 
This is part of the fix for Issue1015 Resolved: Issue1015 (fixing logging and logrotate for amavisd) Issue1089 (enable hashimapspool for imapd to cope with many users) Issue1101 (allowapop: no; disable apop access to imapd by default) Issue1105 (fix compilation of kolabd on FreeBSD) Issue1257 (wrong attribute name for imap quota) - kolab-webadmin-2.0.99-20060619 * patch from Tobias K?nig in order to support setting of foldertype for public folders Resolved: Issue848 (Modifying address book entry may break distribution list) Issue1106 (email validation in webgui) Issue1214 (number of days for vacation messages on webinterface) Issue1263 (Bug in the shared folders folder-type code) [Wrobel] - kolab-resource-handlers-2.0.99-20060619 * create empty pfbcache.db if missing Resolved: Issue973 (quoting and rewriting From header) Issue966 (Wrong CN for resource accounts) Issue1042 (server modifies email content) Issue1195 (error message in bounce) Issue1243 (rewriting fails when "From:" contains quoted printable) Issue1245 (rewriting problems on folded Header "From:"-line) $Id: release-notes.txt,v 1.55 2006/11/15 17:57:01 thomas Exp $ -------------- next part -------------- Kolab2 Server Important Information =================================== For more information on Kolab, see http://www.kolab.org Quick install instructions -------------------------- For a fresh install /kolab needs to be an empty directory with enough space. You can use a symlink, but do _not_ use an NFS mounted drive. Make sure that the following names are not in /etc/passwd or /etc/groups, as openpkg will want to create them: "kolab" "kolab-r" "kolab-n" Check the www.openpkg.org documentation for your platform. E.g. some platforms need gettext installed or the locale set to C during installation, like: LC_ALL=C LC_MESSAGES=C LANG=C SUPPORTED=C export LC_ALL LC_MESSAGES LANG SUPPORTED Make sure the locale you want to set is supported by your c-library. 
Otherwise the webadmin interface might only be in English.

To install the Kolab2 server, you need to download the files from the directory containing this file (1st.README) to some local directory, then as root, chdir into that local directory and run

# ./obmtool kolab 2>&1 | tee kolab-build.log

to build and install packages in /kolab. By default, the Kolab Server will now be started at boottime.

After the build/install is complete, please run

# /kolab/etc/kolab/kolab_bootstrap -b

and follow the instructions.

Workaround for problem in free/busy cache generation
----------------------------------------------------

Retrieving the free/busy information isn't working, unless you use the following workaround on the server:

  cd /kolab && ln -s . kolab

See kolab/issue1490 (freebusy cache written to /kolab/kolab/...) for details. Be careful when creating backups of your /kolab directory to not follow symbolic links, because this is a recursive one.

General update instructions
---------------------------

Usually an update of the Kolab 2 server works as described here. In some cases you will need to deviate from these instructions a bit. All such cases are documented below, so read the release specific update instructions for all releases newer than the one you already have before you start the update.

In any case you should completely read *all* relevant update instructions *before* starting the upgrade procedure.

Always make sure you have a recent backup of your /kolab directory before you attempt to upgrade Kolab.

The installation of the new packages works just as for the initial installation. Download the files as described above and run

# ./obmtool kolab

obmtool will usually automatically determine which packages need to be built.
If you have made changes to the configuration files in /kolab/etc/kolab/templates/ and the new release has a new kolabd package you may need to transfer your changes from the backups created by rpm (the *.rpmsave) files to the new template files. Then regenerate the configuration with

# /kolab/sbin/kolabconf

You may want to check the permissions of your files in /kolab/etc/kolab/ after installing or upgrading, as there have been problems with this in the past. Especially kolab.conf and copies shall only be readable to the owner (usually "kolab"). The installation and configuration scripts should make sure that the permissions are correct but there's a chance that the permissions can still go wrong, especially if you upgrade from pre Beta1 releases.

Upgrading from earlier versions
-------------------------------

Direct upgrade from Kolab1 is not recommendable at this point. We suggest that you back up your IMAP store, install Kolab2 and manually recreate user accounts and then restore the IMAP data from the backup.

After an upgrade, always run /kolab/sbin/kolabconf to make sure the configuration files are regenerated from your templates.

Upgrade from 2.0 releases to 2.1-versions
-----------------------------------------

Upgrading from Kolab 2.0.x to 2.1 is described in detail in the file UPGRADING.20-21 in this directory. The latest version of the upgrading instruction can be found in the Kolab.org raw-howtos CVS:

http://kolab.org/cgi-bin/viewcvs-kolab.cgi/*checkout*/doc/raw-howtos/kolab_2.0_to_2.1_upgrade_instructions.txt

Please read carefully all the following update instructions in this file; while some of the information might be redundant, there are additional notes which are essential for a successful update.

Upgrade from pre-2.1-snapshot-20051130
--------------------------------------

This upgrade is somewhat tricky, because of a new db package and a new OpenLDAP version.
To make sure that no data is lost, you are strongly advised to stop the
server and make a backup before you start the update. Some files are
removed during the upgrade described below.

1. Before installing the new RPMs

Before installing the new packages, copy the contents of the openldap
database (use a different output filename if you want):

    /kolab/sbin/slapcat > ~/kolab-slapcat-data

The db update also affects the imap server.

    cd /kolab/var/imapd/db
    /kolab/bin/db_recover
    rm /kolab/var/imapd/db/*

2. After installing the new RPMs

Two small changes are required for the openldap configuration file
/kolab/etc/openldap/slapd.conf:

- comment out the line

      require none

- Move the line with the suffix setting to just after the
  "database bdb" line.

These changes have already been done in the new slapd.conf.template, so
it can be used for guidance.

Then restore the openldap data:

    rm /kolab/var/openldap/openldap-data/*
    /kolab/sbin/slapadd -l ~/kolab-slapcat-data

The IMAP server should work without further changes.


Upgrade from pre-2.1-snapshot-20051215
--------------------------------------

Nothing special has to be done for this upgrade.


Upgrade from 2.1-beta-1
-----------------------

1. imapd hashimapspool setting

The default imapd configuration has been changed to enable the
hashimapspool option. This means that in 2.1-beta-2 the directory layout
of the imapd spool (/kolab/var/imapd/spool/) is different from the one in
beta-1. When you upgrade from beta-1 it's best to keep using the old
structure, so remove or comment out the corresponding line in
/kolab/etc/kolab/templates/imapd.conf.template *before* running
kolabconf.

For new installations the new default setting is recommended because it's
more efficient especially when you have many mailboxes.

For some background information about this see the discussion at
https://intevation.de/roundup/kolab/issue1089

2. distribution lists

There was a bug in earlier versions regarding the distribution lists for
administrative emails aliases like postmaster@. They were created without
the domain part. This has been fixed so that they are created with the
correct domains in their names, but admin distribution lists created by
an earlier Kolab server version will not be updated automatically. The
easiest way to do this is by deleting them all and then to create them
again with the services page of the web-interface.

For more details about the bug, see
https://intevation.de/roundup/kolab/issue1100


Upgrade from 2.1-beta-2
-----------------------

1. postfix: ownership of virtual and transport:

The owner of two config files has to be root, otherwise postfix will
change to an unprivileged user for creating the corresponding .db files,
isn't able to write them after the upgrade and fails to create further
database files which don't get generated from kolab templates.

To correct the file owner, execute the following commands as root:

    cd /kolab/etc/postfix
    chown root transport virtual
    make

See kolab/issue1433 for details about this topic.

2. imapd: database format for annotations.db and mailboxes.db

The default database format for /kolab/var/imapd/annotations.db and
/kolab/var/imapd/mailboxes.db has changed from skiplist to berkeley db.

If you want to keep the old format, comment out or remove the lines
"annotation_db: berkeley" and "mboxlist_db: berkeley" in the file
"/kolab/etc/kolab/templates/imapd.conf.template" and make sure the file
"/kolab/etc/imapd/imapd.conf" reflects this, too, by either running
/kolab/sbin/kolabconf or changing it manually there, too.

To convert the databases to berkeley db format, execute as root:

    /kolab/bin/openpkg rc imapd stop
    su - kolab-r
    cd /kolab/var/imapd/
    mv annotations.db annotations.db-skiplist
    cvt_cyrusdb /kolab/var/imapd/annotations.db-skiplist skiplist \
        /kolab/var/imapd/annotations.db berkeley
    mv mailboxes.db mailboxes.db-skiplist
    cvt_cyrusdb /kolab/var/imapd/mailboxes.db-skiplist skiplist \
        /kolab/var/imapd/mailboxes.db berkeley
    exit
    /kolab/bin/openpkg rc imapd start

See http://wiki.kolab.org/index.php/Kolab2_IMAPD_annotations.db_Problems
for details about this topic.

$Id: README.1st,v 1.40 2006/11/15 17:57:01 thomas Exp $
-------------- next part --------------
Upgrade Kolab Server from 2.0.x to 2.1
======================================

Preliminary instructions for the upgrade of a Kolab Server from version
2.0.x to Kolab Server 2.1.

NOTE: This is an early version of the upgrade instructions. It is not
very well tested and may not cover all problems that may occur during the
upgrade. Before attempting the upgrade, make sure you have a current and
working backup of your data.


Preparation for the Upgrade
---------------------------

1. Backup the old installation.

2. Stop the Kolab Server

    /kolab/bin/openpkg rc all stop

3. Extract ldap data

Copy the contents of the openldap database (use a different output
filename if you want):

    /kolab/sbin/slapcat > ~/kolab-2.0.ldif

4. Prepare for berkeley db update

    cd /kolab/var/imapd/db
    /kolab/bin/db_recover
    rm /kolab/var/imapd/db/*


Installation
------------

The installation of the new packages is done in the normal way. See the
file 1st.README accompanying the 2.1 server for details.

Do not do anything after the installation yet. In particular, do not
start any part of the server again or run kolabconf.


Configuration
-------------

1. Check custom configuration

If you have custom configurations in your templates, the installation
process renames your templates and leaves them in files with the
extension .rpmsave.
Copy any modifications from your templates to the new one if they are
still needed. After that the files with the extension .rpmsave must be
removed or renamed.

There might be more files with the .rpmsave ending in /kolab/etc, you can
find them for example using the find command:

    find /kolab/etc -name '*.rpmsave'

Any files found must be checked and moved out of the way, in most cases
they can just be deleted.

2. Cyrus IMAPd

The default imapd configuration has been changed to enable the
hashimapspool option. This means that in 2.1 the default directory layout
of the imapd spool (/kolab/var/imapd/spool/) is different from the one in
2.0. When you upgrade from 2.0 it's best to keep using the old structure,
so remove or comment out the line "hashimapspool: yes" in
/kolab/etc/kolab/templates/imapd.conf.template *before* running
kolabconf.

For new installations the new default setting is recommended because it's
more efficient especially when you have many mailboxes.

For some background information about this see the discussion at
https://intevation.de/roundup/kolab/issue1089

3. LDAP

You need to make two small changes to the configuration file
/kolab/etc/openldap/slapd.conf:

- comment out the line

      require none

- Move the line with the suffix setting to just after the
  "database bdb" line.

These changes have already been made in the new slapd.conf.template, so
that could be used for guidance.

Convert the openldap data. The LDAP data-structures have changed between
2.0 and 2.1 as described in Kolab2 Architecture Draft:

    http://kolab.org/doc/concept-draft-cvs20060921.pdf

There's a Python script that can do the transformation.
The script is utils/admin/convert-ldif-21.py in Kolab CVS and requires
python >= 2.1 and python-ldap >= 2.0, you can download the current
version from:

    http://kolab.org/cgi-bin/viewcvs-kolab.cgi/*checkout*/utils/admin/convert-ldif-21.py

The script works on the ldif data that was exported with slapcat earlier:

    python convert-ldif-21.py ~/kolab-2.0.ldif ~/kolab-2.1.ldif

Then restore the openldap data using the output from upgrade-ldap.py:

    rm /kolab/var/openldap/openldap-data/*
    /kolab/sbin/slapadd -l ~/kolab-2.1.ldif

This will issue some warnings which can be safely ignored.

4. kolabconf

Now start the openldap server and run kolabconf

    /kolab/bin/openpkg rc openldap start
    /kolab/sbin/kolabconf

Kolabconf might complain about some files ending in .rpmnew under
/kolab/etc. Check those files and move them out of the way. It's likely
that you can simply remove them.


Start the Server
----------------

Now you should be able to start the server again:

    /kolab/bin/openpkg rc all start


Final Steps
-----------

1. The internal format of the ldap records for the list of privileged
   networks has changed, to update these records go to the kolab web
   interface and log in as administrative user. Open the "Services" page
   and search for the "Privileged Networks" section. Click the update
   button for the networks list.

2. Kolab 2.1 doesn't need some of the OpenPKG packages which were
   installed for 2.0, these can be removed:

    /kolab/bin/openpkg rpm -e dcron vim pth

   Especially the dcron package should be removed in any case, otherwise
   deprecated cronjobs will be run and generate mails with error messages
   to the kolab administrator.

$Id: kolab_2.0_to_2.1_upgrade_instructions.txt,v 1.4 2006/11/15 17:37:40 thomas Exp $
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://kolab.org/pipermail/kolab-announce/attachments/20061115/2f8649eb/attachment.bin

From thomas at intevation.de Tue Dec 19 22:08:07 2006
From: thomas at intevation.de (Thomas Arendsen Hein)
Date: Tue, 19 Dec 2006 22:08:07 +0100
Subject: [Kolab-announce] Kolab Security Issue 14 20061219 (clamav)
Message-ID: <20061219210807.GA29508@intevation.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 14 20061219
================================

Package:            Kolab Server, ClamAV
Vulnerability:      bypass virus detection (CVE-2006-6406),
                    denial of service, remotely exploitable (CVE-2006-6481)
Kolab Specific:     no
Dependent Packages: none


Summary
~~~~~~~

CVE-2006-6406
    Hendrik Weimer discovered that invalid characters in base64 encoded
    data may lead to bypass of scanning mechanisms.

CVE-2006-6481
    Hendrik Weimer discovered that deeply nested multipart/mime MIME data
    may lead to denial of service.


Affected Versions
~~~~~~~~~~~~~~~~~

This affects versions of ClamAV up to version 0.88.6.

Kolab Server 2.0.4 and Kolab Server 2.1beta3 are vulnerable.
Previous releases are affected.


Fix
~~~

Upgrade to ClamAV 0.88.7.

The ClamAV source RPM is available from the Kolab download mirrors as:

    security-updates/20061219/clamav-0.88.7-20061211.src.rpm

A binary RPM for Kolab Server 2.0.4 (ix86 Debian GNU/Linux Sarge) is
available:

    security-updates/20061219/clamav-0.88.7-20061211.ix86-debian3.1-kolab.rpm

All other server versions: Please build from the src.rpm.

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via
rsync:

    # rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20061219/clamav-0.88.7-20061211.src.rpm .
    # rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20061219/clamav-0.88.7-20061211.ix86-debian3.1-kolab.rpm .

MD5 sums:

    7b19f8355d5f941422eb192671b0f814  clamav-0.88.7-20061211.ix86-debian3.1-kolab.rpm
    bc86262cb06aef7b7bdd2fc5b8a87368  clamav-0.88.7-20061211.src.rpm

The package can be installed on your Kolab Server with

    # /kolab/bin/openpkg rpm --rebuild clamav-0.88.7-20061211.src.rpm
    # /kolab/bin/openpkg rc clamav stop
    # /kolab/bin/openpkg rpm \
        -Uvh /kolab/RPM/PKG/clamav-0.88.7-20061211.--kolab.rpm
    # rm /kolab/etc/clamav/*.conf.rpmsave
    # /kolab/sbin/kolabconf
    # /kolab/bin/openpkg rc clamav start
    # su - kolab-r
    $ freshclam


Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?release_id=461171
http://sourceforge.net/project/shownotes.php?release_id=470383
    ClamAV 0.88.6 and 0.88.7 release notes

http://www.quantenblog.net/security/virus-scanner-bypass
    Bypassing Virus Scanners Using MIME Encoding Tricks

http://www.securityfocus.com/bid/21461
    Multiple Security Products MIME Encoding Content Filter Bypass
    Weakness (CVE-2006-6406)

http://www.securityfocus.com/bid/21609
    Clam Anti-Virus Attachment Wrapping Denial Of Service Vulnerability
    (CVE-2006-6481)


Timeline
~~~~~~~~

20061211 ClamAV release 0.88.7.
20061211 OpenPKG 0.88.7 package release.
20061219 Kolab Server security advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFiFQoW7P1GVgWeRoRAgT4AJ9ERB2KHLqr3qu26t1AK8HDwobYSACcCxty
L37T0yS8rdJpqLTO+u/ztN4=
=xLcU
-----END PGP SIGNATURE-----

-- 
Email: thomas at intevation.de
http://intevation.de/~thomas/
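
Added example, not part of the advisory above and not ClamAV's code: a pre-scan check a mail gateway could run for the two conditions named in the Summary of Kolab Security Issue 14, characters outside the base64 alphabet in a base64 part and multipart nesting beyond a limit. The limit of 8, the finding labels and all function names are assumptions; the sample messages are constructed.

```python
import email
import re
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_MIME_DEPTH = 8  # assumption: illustrative limit, not a value from the advisory
# Anything outside the RFC 2045 base64 alphabet, padding and whitespace.
NON_B64 = re.compile(r"[^A-Za-z0-9+/=\s]")


def mime_findings(raw, max_depth=MAX_MIME_DEPTH):
    """Return (deepest level visited, findings) for one raw message."""
    findings, deepest = [], 0
    stack = [(email.message_from_string(raw), 0)]
    while stack:  # explicit stack instead of recursion
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if part.is_multipart():
            if depth >= max_depth:
                findings.append("nesting-limit")  # stop descending here
                continue
            stack.extend((child, depth + 1) for child in part.get_payload())
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte == "base64" and NON_B64.search(part.get_payload(decode=False)):
            findings.append("base64-invalid-chars")
    return deepest, findings


def nested_sample(levels):
    """Constructed input: a text part wrapped in `levels` multipart layers."""
    msg = MIMEText("hello")
    for _ in range(levels):
        wrapper = MIMEMultipart()
        wrapper.attach(msg)
        msg = wrapper
    return msg.as_string()


# Constructed single-part messages; only the body line differs.
HEADERS = "Content-Type: application/octet-stream\nContent-Transfer-Encoding: base64\n\n"
GOOD_B64 = HEADERS + "aGVsbG8gd29ybGQ=\n"
BAD_B64 = HEADERS + "aGVs!bG8gd29ybGQ=\n"

if __name__ == "__main__":
    for name, raw in [("nested x3", nested_sample(3)), ("nested x12", nested_sample(12)),
                      ("good base64", GOOD_B64), ("bad base64", BAD_B64)]:
        print(name, mime_findings(raw))
```

A message that produces findings can be held for review before it reaches the scanner; the fix stated in the advisory is still the upgrade to ClamAV 0.88.7.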