[Kolab-announce] Kolab Security Issue 11 20061002 (openssl)

Bernhard Herzog bh at intevation.de
Mon Oct 2 19:32:33 CEST 2006

Kolab Security Issue 11 20061002

Package:              openssl
Vulnerability:        denial of service
Kolab Specific:       no
Dependent Packages:   apache curl imap imapd openldap perl perl-crypto
                      php postfix proftpd


According to a vendor security advisory, four security issues were
discovered in the cryptography toolkit OpenSSL: two denial of service
attacks when parsing ASN.1 structures, a buffer overflow when processing
a list of ciphers, and an SSL client crash.

Affected Versions

OpenPKG packages of openssl-0.9.8a-2.5.2 or earlier are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch as well as
Kolab Server 2.1 beta 2 and previous releases of the 2.1 branch are

You can check the installed version with:
/kolab/bin/openpkg rpm -q openssl
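The following script is an added example, not part of the original announcement or of the Kolab project's tooling. It takes the package name printed by the version check above (or queries it, assuming the /kolab/bin/openpkg path from this advisory exists) and decides whether the installed openssl RPM is at or below the last affected release, 0.9.8a-2.5.2, using a simplified version of the segment-by-segment comparison that rpm uses for version and release strings.

```shell
#!/bin/sh
# Check whether an OpenPKG openssl package is affected by Kolab Security
# Issue 11.  Last affected version-release, taken from the advisory:
LAST_AFFECTED="0.9.8a-2.5.2"

# seg_of STR: print the leading run of digits if STR starts with a digit,
# otherwise the leading run of letters.
seg_of() {
    case "$1" in
        [0-9]*) printf '%s' "$1" | sed 's/^\([0-9]*\).*/\1/' ;;
        *)      printf '%s' "$1" | sed 's/^\([A-Za-z]*\).*/\1/' ;;
    esac
}

# vercmp A B: print -1, 0 or 1.  Simplified rpmvercmp rules: separators are
# skipped, numeric segments compare as integers, alphabetic segments compare
# lexicographically, and a numeric segment sorts after an alphabetic one.
vercmp() {
    a=$1; b=$2
    while :; do
        a=$(printf '%s' "$a" | sed 's/^[^A-Za-z0-9]*//')
        b=$(printf '%s' "$b" | sed 's/^[^A-Za-z0-9]*//')
        if [ -z "$a" ] && [ -z "$b" ]; then printf '%s\n' 0; return; fi
        if [ -z "$a" ]; then printf '%s\n' -1; return; fi
        if [ -z "$b" ]; then printf '%s\n' 1; return; fi
        sa=$(seg_of "$a"); sb=$(seg_of "$b")
        case "$sa" in
            [0-9]*)
                case "$sb" in
                    [0-9]*) ;;
                    *) printf '%s\n' 1; return ;;
                esac
                na=$(printf '%s' "$sa" | sed 's/^0*//')
                nb=$(printf '%s' "$sb" | sed 's/^0*//')
                if [ "${na:-0}" -gt "${nb:-0}" ]; then printf '%s\n' 1; return; fi
                if [ "${na:-0}" -lt "${nb:-0}" ]; then printf '%s\n' -1; return; fi
                ;;
            *)
                case "$sb" in
                    [0-9]*) printf '%s\n' -1; return ;;
                esac
                if [ "$sa" != "$sb" ]; then
                    first=$(printf '%s\n%s\n' "$sa" "$sb" | LC_ALL=C sort | head -n 1)
                    if [ "$first" = "$sa" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
                    return
                fi
                ;;
        esac
        a=${a#"$sa"}; b=${b#"$sb"}
    done
}

# openssl_pkg_affected NAME-VERSION-RELEASE: succeed (exit 0) when the
# package is older than or equal to LAST_AFFECTED.  The argument is the
# line printed by '/kolab/bin/openpkg rpm -q openssl', e.g.
# 'openssl-0.9.8a-2.5.2'.
openssl_pkg_affected() {
    vr=${1#openssl-}
    [ "$(vercmp "$vr" "$LAST_AFFECTED")" -le 0 ]
}

# Usage: sh check-openssl.sh [openssl-VERSION-RELEASE]
# Without an argument the installed package is queried (assumes the
# /kolab/bin/openpkg path named in the advisory).
main() {
    pkg=${1:-$(/kolab/bin/openpkg rpm -q openssl)}
    if openssl_pkg_affected "$pkg"; then
        echo "$pkg: affected, install the security-updates/20061002 packages"
    else
        echo "$pkg: not affected by Kolab Security Issue 11"
    fi
}

if [ -n "${1:-}" ] || [ -x /kolab/bin/openpkg ]; then
    main "$@"
fi
```

The comparison only covers the version and release forms that OpenPKG packages use on this page; it does not implement rpm's epoch handling or tilde ordering.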


Note: The fix described here is for Kolab server 2.0.4 and 2.1 beta 2.
If you still run an older version, please upgrade to 2.0.1 or 2.1 beta 2
depending on the branch you are using.

Updated OpenPKG packages for openssl are available from the usual Kolab
mirrors under the directory security-updates/20061002/ .  While the
mirrors are catching up, you can also get the files via rsync:
# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20061002/ .

Under that directory you'll find the following directory tree:


There is one branch for the Kolab server 2.0 updates and one for the 2.1
updates.  In each branch is a sources directory and one or more binary

If you installed the Kolab server from sources, download the sources
directory for your kolab server branch.  If you installed from binaries,
download the appropriate binaries directory for your kolab server

All directories contain the new OpenSSL package plus obmtool and
obmtool.conf files like a kolab release.  In addition, the binaries
directories contain updated binaries of the dependent packages.

In any case, download all files in the appropriate directory, chdir into
the downloaded directory and run

  /kolab/bin/openpkg rc all stop
  ./obmtool kolab

This will install the new openssl package and rebuild/reinstall the
dependent packages.  Afterwards start the server again, making sure to
regenerate the config files as you would for a normal Kolab server

For the Kolab server 2.1 branch, the upgrade of the postfix RPM requires
an additional manual step.  After the upgrade, the permissions of some
files in /kolab/etc/postfix are wrong and some .db files are missing.
An easy way to fix this after running kolabconf is to run the following
commands (as root):

    cd /kolab/etc/postfix
    chown root:kolab transport virtual


References

    OpenPKG Security Advisory OpenPKG-SA-2006.021

    OpenSSL Security Advisory on the vendor's site

    Common Vulnerabilities and Exposures (CVE): CAN-2006-2937

    Common Vulnerabilities and Exposures (CVE): CAN-2006-2940

    Common Vulnerabilities and Exposures (CVE): CAN-2006-3738

    Common Vulnerabilities and Exposures (CVE): CAN-2006-4343

Timeline

    20060928 OpenSSL vendor released patch and new versions containing the fix
    20060928 OpenPKG created new package containing the fix
    20061002 Kolab update and security advisory published