bh: doc/www/src/security kolab-vendor-notice-04.txt,1.1,1.2

cvs at intevation.de
Fri Oct 14 22:41:03 CEST 2005


Author: bh

Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv16705/www/src/security

Modified Files:
	kolab-vendor-notice-04.txt 
Log Message:
Update instructions.
Sign the advisory.


Index: kolab-vendor-notice-04.txt
===================================================================
RCS file: /kolabrepository/doc/www/src/security/kolab-vendor-notice-04.txt,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- kolab-vendor-notice-04.txt	14 Oct 2005 10:49:43 -0000	1.1
+++ kolab-vendor-notice-04.txt	14 Oct 2005 20:41:01 -0000	1.2
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
 Kolab Security Issue 04 20051014
 ================================
 
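Review bot: Clearsigning the advisory in place (the added "-----BEGIN PGP SIGNED MESSAGE-----" and "Hash: SHA1" lines at the top of the file) makes the checked-in source the signed artifact, so any later edit to this file, including a whitespace-only change, invalidates the signature until someone re-signs it. Consider keeping the unsigned text under version control and producing the clearsigned copy (or a detached signature) at publish time; that would also keep the dash-escaped underlines ("- -------") that appear in the following hunks out of the source history.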
@@ -8,7 +11,7 @@
 
 
 Summary
--------
+- -------
 
 According to a vendor security advisory, a potential SSL 2.0 protocol
 rollback attack vulnerability exists in the cryptography toolkit OpenSSL.
@@ -20,7 +23,7 @@
 
 
 Affected Versions
------------------
+- -----------------
 
 OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected.
 Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.
@@ -29,36 +32,45 @@
 
 
 Fixes
------
-
-Since SSLv2 can't be disabled via a configuration setting for all services
-running on a Kolab server, the OpenSSL package has to be updated.
+- -----
 
-Install OpenPKG package openssl-0.9.7g-2.4.2:
+Note: The fix described here is for Kolab server 2.0.1.  If you still
+run an older version, please upgrade to 2.0.1 first.
 
-A new OpenSSL RPM is available from the Kolab download mirrors as
-security-updates/20051014/openssl-0.9.7g-2.4.2.src.rpm
+Since SSLv2 can't be disabled via a configuration setting for all
+services running on a Kolab server, the OpenSSL package has to be
+updated and the dependent packages have to be rebuilt so that they use
+the new OpenSSL version.
 
-A binary RPM for Debian woody (ix86) is available as
-security-updates/20051014/openssl-0.9.7g-2.4.2.ix86-debian3.0-kolab.rpm
+The updated OpenPKG package openssl-0.9.7g-2.4.2 is available from the
+usual kolab mirrors under the directory security-updates/20051014/ .
+While the mirrors are catching up, you can also get the files via rsync:
+# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20051014 .
 
-The mirrors are listed on http://kolab.org/mirrors.html
+If you have installed the Kolab server from sources, download the
+directory security-updates/20051014/sources/
 
-While the mirrors are catching up, you can also get the package via rsync:
-# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20051014/openssl-0.9.7g-2.4.2.src.rpm .
+If you installed the ix86-debian3.0 binaries, download
+security-updates/20051014/ix86-debian3.0/
 
+Both directories contain the new OpenSSL package plus obmtool and
+obmtool.conf like in a kolab release.  In addition, the ix86-debian3.0
+directory contains updated binaries of the dependent packages.
 
-This package can be installed on your Kolab Server with
+In both cases, download all files in the appropriate directory, chdir
+into the downloaded directory and run
 
-# /kolab/bin/openpkg rpm --rebuild openssl-0.9.7g-2.4.2.src.rpm
-# /kolab/bin/openpkg rpm \
-  -Uvh /kolab/RPM/PKG/openssl-0.9.7g-2.4.2.<ARCH>-<OS>-kolab.rpm
+  /kolab/bin/openpkg rc all stop
+  ./obmtool kolab
 
-FIXME: recompile dependent packages, restart servers
+This will install the new openssl package and rebuild/reinstall the
+dependent packages.  Afterwards start the server again, making sure to
+regenerate the config files as you would for a normal Kolab server
+update.
 
 
 Details
--------
+- -------
 
 http://www.openpkg.org/security/OpenPKG-SA-2005.022-openssl.html
 	OpenPKG Security Advisory OpenPKG-SA-2005.022
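Review bot: The new Fixes text has the administrator fetch a whole directory from a mirror or over rsync:// and then run "./obmtool kolab" from it, but gives no step for checking that the downloaded files are the released ones. Since this revision signs the advisory, listing checksums of the files under security-updates/20051014/ inside the signed text would let the signature cover the packages and obmtool as well. Two smaller points in the same hunk: the stop command is spelled out while "Afterwards start the server again" and the config regeneration are left as prose, so the exact commands should be given too; and dropping the http://kolab.org/mirrors.html line leaves "the usual kolab mirrors" without a pointer.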
@@ -71,7 +83,15 @@
 
 
 Timeline
---------
+- --------
     20051011 OpenSSL vendor released patch and new versions containing the fix
     20051011 OpenPKG created new package containing the fix, not yet announced
     20051014 Kolab update and security advisory published
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.1 (GNU/Linux)
+
+iD8DBQFDUBdo0vCiU5+ISsgRApj4AKDIZhknDia/OrolG4yUGaC3JZwRWQCfXbyw
+b6sFUXJ80PKVQkgbLbQDSNo=
+=ff+w
+-----END PGP SIGNATURE-----
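Review bot: The signature block is appended after the Timeline, but nothing in the advisory says which key signs Kolab security notices or where to obtain and check it, so a reader cannot distinguish a good signature by the project's key from a good signature by some other key. Add a line to the advisory, or a reference to a page, that names the signing key's fingerprint.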