-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 12                                        20061009
================================

Package:              openssl
Vulnerability:        denial of service, may allow execution of arbitrary code
Kolab Specific:       no
Dependent Packages:   apache curl imap imapd openldap perl perl-crypto php
                      postfix proftpd

Summary
~~~~~~~

The openssl package for the Kolab Server 2.0 branch shipped with the
previous Kolab Security Issue, No. 11 from 20061002, introduced a new
problem together with the fix for CVE-2006-2940. The fix can leave a
local variable uninitialized before it is used, which may crash the
program and may allow execution of arbitrary code.

Affected Versions
~~~~~~~~~~~~~~~~~

The updated RPMs from Kolab Security Issue 11 for the Kolab Server 2.0
branch are affected. Specifically, the openssl-0.9.7l-20061002_kolab
RPM and the packages that depend on it are affected.

The updated RPMs for the Kolab Server 2.1 branch are NOT affected. The
openssl RPM from OpenPKG used for that branch already contains the fix
for the new problem.

Fixes
~~~~~

Note: The fix described here is for Kolab Server 2.0.4. If you still run
an older version, please upgrade to 2.0.4 first. You do not need to apply
Kolab Security Issue 11 beforehand, because this update completely
replaces it.

An updated OpenPKG package for openssl is available from the usual Kolab
mirrors under the directory security-updates/20061009/ . While the
mirrors are catching up, you can also get the files via rsync:

  # rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20061009/ .

Under that directory there is one directory with the new source RPMs
(sources/) and one with updated binary RPMs for Debian sarge
(ix86-debian3.1). If you installed the Kolab Server from sources,
download the sources directory for your Kolab Server branch. If you
installed from binaries, download the appropriate binaries directory for
your Kolab Server branch.

Both directories contain the new OpenSSL package plus the obmtool and
obmtool.conf files, like a Kolab release. In addition, the binary
directory contains updated binaries of the dependent packages. In either
case, download all files in the appropriate directory, chdir into the
downloaded directory and run

  /kolab/bin/openpkg rc all stop
  ./obmtool kolab

This will install the new openssl package and rebuild/reinstall the
dependent packages. Afterwards start the server again, making sure to
regenerate the config files as you would for a normal Kolab Server
update.

Details
~~~~~~~

http://kolab.org/security/kolab-vendor-notice-11.txt
  Kolab Security Issue 11 with the original updates

http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
  OpenPKG Security Advisory OpenPKG-SA-2006.021

http://www.openssl.org/news/secadv_20060928.txt
  OpenSSL Security Advisory on the vendor's site

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
  Common Vulnerabilities and Exposures (CVE): CVE-2006-2940

Timeline
~~~~~~~~

20060928  OpenSSL vendor released patch and new versions containing the fix
20060928  OpenPKG created new package containing the fix
20061002  Kolab update and security advisory 11 published
20061009  Kolab update and security advisory 12 published

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFKnph0vCiU5+ISsgRAkYXAKC51EsPh8uLW5tSZKQPY2Slo4YhrwCgsy7u
bhK7HbjKfbj+ZT+q9hV2KIQ=
=rCns
-----END PGP SIGNATURE-----
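The following shell script is an added example and is not part of the signed advisory or of the Kolab project's tooling. It puts the advisory's two practical steps into functions: first a check of which state the installed Kolab 2.0 openssl RPM is in, based on the name printed by `/kolab/bin/openpkg rpm -q openssl`, then the stop/obmtool procedure from the Fixes section. The only package name the advisory gives is the affected `openssl-0.9.7l-20061002_kolab`; the script assumes (this is not stated in the advisory) that the replacement package from security-updates/20061009/ carries a release tag dated 20061009 or later in the same `<date>_kolab` form, and that Kolab-built packages dated before 20061002 predate Security Issue 11 and therefore also lack the CVE-2006-2940 fix. The sample package names passed to the check are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Kolab advisory: classify the installed
# Kolab 2.0 openssl RPM against Kolab Security Issues 11 and 12, and run
# the advisory's update procedure on a downloaded update directory.
#
# Assumption (not stated in the advisory): the fixed 2.0 package uses a
# release tag of the form <YYYYMMDD>_kolab dated 20061009 or later, just
# as the affected package is tagged 20061002_kolab.

# kolab_openssl_status NAME
#   NAME is the package name as printed by
#     /kolab/bin/openpkg rpm -q openssl
#   Prints exactly one word:
#     AFFECTED  the Issue 11 build (20061002_kolab) with the new bug
#     FIXED     a Kolab build tagged 20061009 or later
#     OUTDATED  a Kolab build older than Issue 11 (no CVE-2006-2940 fix)
#     UNKNOWN   not a Kolab-tagged openssl package, e.g. the OpenPKG build
#               used on the 2.1 branch, which the advisory says is not affected
kolab_openssl_status() {
    name=$1
    case $name in
        openssl-*-*_kolab) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    # The release tag is the last dash-separated field, e.g. 20061002_kolab.
    rel=${name##*-}
    tag=${rel%_kolab}
    case $tag in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    if [ "$tag" -lt 20061002 ]; then
        echo OUTDATED
    elif [ "$tag" -eq 20061002 ]; then
        echo AFFECTED
    else
        echo FIXED
    fi
}

# kolab_apply_update DIR
#   DIR is the fully downloaded sources/ or ix86-debian3.1/ directory from
#   security-updates/20061009/. Refuses to stop the server unless obmtool
#   and obmtool.conf are present, so a partial download cannot leave the
#   server stopped with nothing to install.
kolab_apply_update() {
    dir=$1
    if [ ! -f "$dir/obmtool" ] || [ ! -f "$dir/obmtool.conf" ]; then
        echo "$dir lacks obmtool/obmtool.conf; download the whole directory first" >&2
        return 1
    fi
    /kolab/bin/openpkg rc all stop || return 1
    # rsync -tzvr does not preserve permission bits, so run obmtool via sh.
    (cd "$dir" && sh ./obmtool kolab) || return 1
    echo "openssl and dependent packages reinstalled; regenerate the config" >&2
    echo "files as for a normal Kolab update, then start the server again" >&2
}

# Constructed sample names for a dry check; the first is the affected
# package named in the advisory, the others are illustrative only.
for pkg in openssl-0.9.7l-20061002_kolab \
           openssl-0.9.7l-20061009_kolab \
           openssl-0.9.7i-20060801_kolab \
           openssl-0.9.7l-2.20060928; do
    echo "$pkg: $(kolab_openssl_status "$pkg")"
done
```

On a live system, replace the loop with `kolab_openssl_status "$(/kolab/bin/openpkg rpm -q openssl)"` and run `kolab_apply_update` only when the result is AFFECTED or OUTDATED; an OUTDATED result on a server older than 2.0.4 means upgrading to 2.0.4 first, as the Fixes section requires.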