bh: doc/www/src/security kolab-vendor-notice-04.txt,1.1,1.2
cvs at intevation.de
Fri Oct 14 22:41:03 CEST 2005
Author: bh
Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv16705/www/src/security
Modified Files:
kolab-vendor-notice-04.txt
Log Message:
Update instructions.
Sign the advisory.
Index: kolab-vendor-notice-04.txt
===================================================================
RCS file: /kolabrepository/doc/www/src/security/kolab-vendor-notice-04.txt,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- kolab-vendor-notice-04.txt 14 Oct 2005 10:49:43 -0000 1.1
+++ kolab-vendor-notice-04.txt 14 Oct 2005 20:41:01 -0000 1.2
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
Kolab Security Issue 04 20051014
================================
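Review bot: committing the `-----BEGIN PGP SIGNED MESSAGE-----` / `Hash: SHA1` armor header into the source file turns the versioned text itself into a signed artifact, so every later edit to this file (including the Fixes rewrite further down in this same commit) has to be followed by a fresh `gpg --clearsign` run rather than an in-place edit, or the armor header will sit on a body whose signature no longer verifies. Suggest keeping the unsigned advisory under version control and producing the signed copy at publish time, or at least adding a comment in the log/README that the file must be regenerated with `gpg --clearsign` after each change.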
@@ -8,7 +11,7 @@
Summary
--------
+- -------
According to a vendor security advisory, a potential SSL 2.0 protocol
rollback attack vulnerability exists in the cryptography toolkit OpenSSL.
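Review bot: the `- -------` underline is OpenPGP dash-escaping produced by clearsigning, not a typo, but anyone reading the raw .txt on the website instead of running `gpg --verify` will see the escaped form under every heading. If the web page is generated from this file, strip the `- ` escaping when rendering, or state near the top that the canonical text is recovered with `gpg --decrypt`, which verifies and prints the unescaped message.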
@@ -20,7 +23,7 @@
Affected Versions
------------------
+- -----------------
OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected.
Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.
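Review bot: the affected-version statement names openssl-0.9.7g-2.4.1 "or earlier" but gives admins no way to check what they actually have installed; put the query next to it (e.g. `/kolab/bin/openpkg rpm -q openssl`, the same openpkg rpm wrapper this advisory already uses for installation) so a reader can confirm they are affected before following the Fixes section.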
@@ -29,36 +32,45 @@
Fixes
------
-
-Since SSLv2 can't be disabled via a configuration setting for all services
-running on a Kolab server, the OpenSSL package has to be updated.
+- -----
-Install OpenPKG package openssl-0.9.7g-2.4.2:
+Note: The fix described here is for Kolab server 2.0.1. If you still
+run an older version, please upgrade to 2.0.1 first.
-A new OpenSSL RPM is available from the Kolab download mirrors as
-security-updates/20051014/openssl-0.9.7g-2.4.2.src.rpm
+Since SSLv2 can't be disabled via a configuration setting for all
+services running on a Kolab server, the OpenSSL package has to be
+updated and the dependent packages have to be rebuilt so that they use
+the new OpenSSL version.
-A binary RPM for Debian woody (ix86) is available as
-security-updates/20051014/openssl-0.9.7g-2.4.2.ix86-debian3.0-kolab.rpm
+The updated OpenPKG package openssl-0.9.7g-2.4.2 is available from the
+usual kolab mirrors under the directory security-updates/20051014/ .
+While the mirrors are catching up, you can also get the files via rsync:
+# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20051014 .
-The mirrors are listed on http://kolab.org/mirrors.html
+If you have installed the Kolab server from sources, download the
+directory security-updates/20051014/sources/
-While the mirrors are catching up, you can also get the package via rsync:
-# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20051014/openssl-0.9.7g-2.4.2.src.rpm .
+If you installed the ix86-debian3.0 binaries, download
+security-updates/20051014/ix86-debian3.0/
+Both directories contain the new OpenSSL package plus obmtool and
+obmtool.conf like in a kolab release. In addition, the ix86-debian3.0
+directory contains updated binaries of the dependent packages.
-This package can be installed on your Kolab Server with
+In both cases, download all files in the appropriate directory, chdir
+into the downloaded directory and run
-# /kolab/bin/openpkg rpm --rebuild openssl-0.9.7g-2.4.2.src.rpm
-# /kolab/bin/openpkg rpm \
- -Uvh /kolab/RPM/PKG/openssl-0.9.7g-2.4.2.<ARCH>-<OS>-kolab.rpm
+ /kolab/bin/openpkg rc all stop
+ ./obmtool kolab
-FIXME: recompile dependent packages, restart servers
+This will install the new openssl package and rebuild/reinstall the
+dependent packages. Afterwards start the server again, making sure to
+regenerate the config files as you would for a normal Kolab server
+update.
Details
--------
+- -------
http://www.openpkg.org/security/OpenPKG-SA-2005.022-openssl.html
OpenPKG Security Advisory OpenPKG-SA-2005.022
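Review bot: the rewrite drops the `http://kolab.org/mirrors.html` line and replaces it with "the usual kolab mirrors", which leaves readers with no pointer to the mirror list; keep the URL. Two smaller points in the same hunk: the new rsync command fetches the whole `security-updates/20051014` tree with `-r` while the text asks to download only `sources/` or `ix86-debian3.0/`, so either narrow the rsync path to the relevant subdirectory or say that fetching both is harmless; and nothing between the download and `./obmtool kolab` verifies what was fetched over rsync or HTTP, so add an integrity step (e.g. `rpm --checksig` on the RPMs via the openpkg wrapper, or published checksums) before `openpkg rc all stop` takes the services down and the packages are installed.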
@@ -71,7 +83,15 @@
Timeline
---------
+- --------
20051011 OpenSSL vendor released patch and new versions containing the fix
20051011 OpenPKG created new package containing the fix, not yet announced
20051014 Kolab update and security advisory published
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.1 (GNU/Linux)
+
+iD8DBQFDUBdo0vCiU5+ISsgRApj4AKDIZhknDia/OrolG4yUGaC3JZwRWQCfXbyw
+b6sFUXJ80PKVQkgbLbQDSNo=
+=ff+w
+-----END PGP SIGNATURE-----
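Review bot: the signature block carries no hint of which key signed the advisory (no key ID or fingerprint appears anywhere in the text, only `Version: GnuPG v1.4.1 (GNU/Linux)`), so a reader cannot tell which key to fetch before running `gpg --verify`; add a line naming the signing key and where it is published (keyserver or the kolab.org site) so the signature is actually checkable rather than decorative.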