security fixes

Doug Finch dfinch at bynari.net
Thu May 26 22:27:43 CEST 2011


Gavin,
 I sent an email to Georg back in January about whether Kolab was
aware of PCI compliance.  It is a HUGE issue here in the US and you
will lose a customer if your product doesn't pass PCI/DSS (Payment
Card Industry/Data Security Standard) compliance.  This is a standard
for any company that accepts credit card payments online in the US. 
It is a scheduled security compliance/vulnerability assessment process
that these companies must pass to keep their ability to do online
credit card transactions.
https://www.pcisecuritystandards.org/security_standards/index.php
[1]One of my developers notified me of the Cyrus IMAP vulnerabilities
that you are undoubtedly alluding to.  I too was hoping that Kolab
would be more aggressive in keeping the software updated.  When I sent
the initial email to Georg, he told me that, "As to the PCI
assessment, these indeed seem irrelevant outside the US".  I will say
that Georg was more than willing for us to send him a detailed outline
of the items that failed PCI compliance and that he would do
everything in his power to rectify them in time for the 2.3 release. I
think there is some mutual benefit that can be derived by all if these
PCI standards for security were put in place by Kolab.  The standards
are not outlandish - or unique to the US.  It basically states that if
a known vulnerability exists in the software, and there is an
upgrade/update (patch) available to fix this, then the fix must be
applied.  These could be done as updates, between release schedules
and then a consolidated update of all fixes during the major releases
of the server.  I think these vulnerabilities are of concern to all,
not just the US.Thanks,
 Doug Finch
 Bynari ------ Original Message ------
 From: Gavin McCullagh 
 Date: Thursday, May 26th, 2011 11:36 AM CDT
 To: Kolab Users List 
 Subject: Re: security fixes

 Hi guys,

 I don't mean to be a pain, but has anyone got an answer on this. It's
 pretty important to us and I imagine other users.

 Gavin

 On Wed, 11 May 2011, Gavin McCullagh wrote:

 > Hi,
 > 
 > there have been several security bugs in Postfix recently (and I
believe
 > there was one in Cyrus). I realise Kolab is a small operation, but
I've
 > not seen much in the way of security disclosures. 
 > 
 > I see these, the last one of which was 16 months ago. 
 > 
 > http://www.kolab.org/security/kolab-vendor-notice-27.txt
 > 
 > Is that really the last security flaw in the kolab distribution?
 > 
 > Gavin
 > 
 > ----- Forwarded message from Marc Deslauriers  -----
 > 
 > From: Marc Deslauriers 
 > Subject: [USN-1131-1] Postfix vulnerability
 > To: ubuntu-security-announce at lists.ubuntu.com
 > Cc: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com
 > Date: Wed, 11 May 2011 05:54:37 -0400
 > Reply-To: ubuntu-users at lists.ubuntu.com, Ubuntu Security 
 > 
 >
==========================================================================
 > Ubuntu Security Notice USN-1131-1
 > May 11, 2011
 > 
 > postfix vulnerability
 >
==========================================================================
 > 
 > A security issue affects these releases of Ubuntu and its
derivatives:
 > 
 > - Ubuntu 11.04
 > - Ubuntu 10.10
 > - Ubuntu 10.04 LTS
 > - Ubuntu 8.04 LTS
 > - Ubuntu 6.06 LTS
 > 
 > Summary:
 > 
 > An attacker could send crafted input to Postfix and cause it to
crash or
 > run programs.
 > 
 > Software Description:
 > - postfix: High-performance mail transport agent
 > 
 > Details:
 > 
 > Thomas Jarosch discovered that Postfix incorrectly handled
authentication
 > mechanisms other than PLAIN and LOGIN when the Cyrus SASL library
is used.
 > A remote attacker could use this to cause Postfix to crash, leading
to a
 > denial of service, or possibly execute arbitrary code as the
postfix user.
 > 
 > Update instructions:
 > 
 > The problem can be corrected by updating your system to the
following
 > package versions:
 > 
 > Ubuntu 11.04:
 > postfix 2.8.2-1ubuntu2.1
 > 
 > Ubuntu 10.10:
 > postfix 2.7.1-1ubuntu0.2
 > 
 > Ubuntu 10.04 LTS:
 > postfix 2.7.0-1ubuntu0.2
 > 
 > Ubuntu 8.04 LTS:
 > postfix 2.5.1-2ubuntu1.4
 > 
 > Ubuntu 6.06 LTS:
 > postfix 2.2.10-1ubuntu0.4
 > 
 > In general, a standard system update will make all the necessary
changes.
 > 
 > References:
 > CVE-2011-1720
 > 
 > Package Information:
 > https://launchpad.net/ubuntu/+source/postfix/2.8.2-1ubuntu2.1
 > https://launchpad.net/ubuntu/+source/postfix/2.7.1-1ubuntu0.2
 > https://launchpad.net/ubuntu/+source/postfix/2.7.0-1ubuntu0.2
 > https://launchpad.net/ubuntu/+source/postfix/2.5.1-2ubuntu1.4
 > https://launchpad.net/ubuntu/+source/postfix/2.2.10-1ubuntu0.4
 > 
 > 
 > 
 > 
 > 
 > -- 
 > ubuntu-security-announce mailing list
 > ubuntu-security-announce at lists.ubuntu.com
 > Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
 > 
 > 
 > ----- End forwarded message -----
 > 
 > -- 
 > Gavin McCullagh
 > Senior System Administrator
 > IT Services
 > Griffith College 
 > South Circular Road
 > Dublin 8
 > Ireland
 > Tel: +353 1 4163365
 > http://www.gcd.ie
 > http://www.gcd.ie/brochure.pdf
 > http://www.gcd.ie/opendays
 > http://www.gcd.ie/ebrochure
 > 
 > This E-mail is from Griffith College.
 > The E-mail and any files transmitted with it are confidential and
may be
 > privileged and are intended solely for the use of the individual or
entity
 > to whom they are addressed. If you are not the addressee you are
prohibited
 > from disclosing its content, copying it or distributing it
otherwise than to
 > the addressee. If you have received this e-mail in error, please
immediately
 > notify the sender by replying to this e-mail and delete the e-mail
from your
 > computer.
 > 
 > Bellerophon Ltd, trades as Griffith College (registered in Ireland
No.
 > 60469) with its registered address as Griffith College Campus,
South
 > Circular Road, Dublin 8, Ireland.
 > 
 > _______________________________________________
 > Kolab-users mailing list
 > Kolab-users at kolab.org
 > https://kolab.org/mailman/listinfo/kolab-users

 -- 
 Gavin McCullagh
 Senior System Administrator
 IT Services
 Griffith College 
 South Circular Road
 Dublin 8
 Ireland
 Tel: +353 1 4163365
 http://www.gcd.ie
 http://www.gcd.ie/brochure.pdf
 http://www.gcd.ie/opendays
 http://www.gcd.ie/ebrochure

 This E-mail is from Griffith College.
 The E-mail and any files transmitted with it are confidential and may
be
 privileged and are intended solely for the use of the individual or
entity
 to whom they are addressed. If you are not the addressee you are
prohibited
 from disclosing its content, copying it or distributing it otherwise
than to
 the addressee. If you have received this e-mail in error, please
immediately
 notify the sender by replying to this e-mail and delete the e-mail
from your
 computer.

 Bellerophon Ltd, trades as Griffith College (registered in Ireland
No.
 60469) with its registered address as Griffith College Campus, South
 Circular Road, Dublin 8, Ireland.

 _______________________________________________
 Kolab-users mailing list
 Kolab-users at kolab.org
 https://kolab.org/mailman/listinfo/kolab-users
  

Links:
------
[1] https://www.pcisecuritystandards.org/security_standards/index.php





More information about the users mailing list