Re: problems with libssl security update

2005-11-10 Thread Kurt Roeckx
On Thu, Nov 10, 2005 at 12:35:22PM -0800, alex black wrote:
> hi all,
> 
> I'm running a locally patched version of libsasl2, look here:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328879
> 
> to see why. (basically, once you compile libsasl2 --with-authdaemond, 
> authentication with virtual mail users works perfectly and the whole 
> system w/postfix and courier becomes easy to set up and maintain)... 
> until now:
> 
> The libssl security update b0rked TLS on my mail server: courier can't 
> speak pop3 ssl or imap ssl, and postfix can't speak TLS.

Could you please specify which version of libssl we're talking
about?  Is this libssl0.9.7, libssl0.9.8, and what version?  Or
maybe some older version?

There have been bugs in libssl0.9.8, but then I have to wonder
how this "security update" affects this.  If it is a security
update, it's most likely about libssl0.9.7, and there are no
known problems with it having that effect.

The latest version of libssl0.9.8 in testing should fix all known
bugs with it.  But it also triggers bugs in other packages that
don't properly call SSL_library_init() or equivalent.

It seems that cyrus-sasl2 does not call any of those functions,
so I suggest you look at that.


Kurt


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
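An added check for the point Kurt makes above about packages that never call SSL_library_init() (this is not code from the thread, from cyrus-sasl2 or from Debian): it reads the undefined-symbol table of a shared object or binary with nm and reports whether the object uses the libssl connection API without referencing an OpenSSL initialisation entry point. The example path in the comment is an assumption, and the sample listings in the test are constructed.

```shell
#!/bin/sh
# Classify a `nm -D --undefined-only` listing read from stdin.
# Prints one of:
#   no-ssl            the object does not use the libssl connection API
#   init-ok           it uses libssl and references an init entry point
#   uses-ssl-no-init  it uses libssl but never initialises it itself
classify_symbols() {
    syms=$(cat)
    # Imports that mean the object sets up SSL contexts or connections.
    if ! printf '%s\n' "$syms" | grep -Eq ' U (SSL_CTX_new|SSL_new|SSL_connect|SSL_accept)'; then
        echo no-ssl
        return 0
    fi
    # SSL_library_init() is the 0.9.x entry point Kurt refers to. In OpenSSL 1.1
    # and later that name is a macro resolving to OPENSSL_init_ssl(), so the
    # symbol table of a newer build shows the latter (often with an @VERSION tag).
    if printf '%s\n' "$syms" | grep -Eq ' U (SSL_library_init|OPENSSL_init_ssl)'; then
        echo init-ok
    else
        echo uses-ssl-no-init
    fi
}

# Run the classification against a real shared object or executable, e.g.
#   check_object /usr/lib/sasl2/libplain.so     (path is an assumption)
check_object() {
    command -v nm >/dev/null 2>&1 || { echo "nm not found" >&2; return 2; }
    nm -D --undefined-only "$1" | classify_symbols
}
```

A plugin such as a SASL mechanism may legitimately leave initialisation to the host process, so uses-ssl-no-init marks an object to inspect rather than a confirmed bug. From OpenSSL 1.1.0 the library initialises itself on first use, so the check matters for code built against 0.9.x and 1.0.x.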



problems with libssl security update

2005-11-10 Thread alex black

hi all,

I'm running a locally patched version of libsasl2, look here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328879

to see why. (basically, once you compile libsasl2 --with-authdaemond, 
authentication with virtual mail users works perfectly and the whole 
system w/postfix and courier becomes easy to set up and maintain)... 
until now:


The libssl security update b0rked TLS on my mail server: courier can't 
speak pop3 ssl or imap ssl, and postfix can't speak TLS.


So the first thing I did was rebuild my debs, thinking that would just 
refresh their links with libssl, no dice.


Anyone else having problems with build versions of libsasl2? Assuming 
anyone else is running them? Anyone else have problems with any other 
packages and the libssl update?


danke,

_alex


--
alex black, founder
the turing studio, inc.

510.666.0074
[EMAIL PROTECTED]
http://www.turingstudio.com

2600 10th street, suite 635
berkeley, ca 94710





unsubscribe

2005-11-10 Thread Daniel Almenares
Martin Schulze wrote:
> --
> Debian Security Advisory DSA 887-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Martin Schulze
> November 7th, 2005  http://www.debian.org/security/faq
> --
>
> Package: clamav
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE IDs: CVE-2005-3239 CVE-2005-3303 CVE-2005-3500 CVE-2005-3501
>
> Several vulnerabilities have been discovered in Clam AntiVirus, the
> antivirus scanner for Unix, designed for integration with mail servers
> to perform attachment scanning.  The Common Vulnerabilities and
> Exposures project identifies the following problems:
>
> CVE-2005-3239
>
> The OLE2 unpacker allows remote attackers to cause a segmentation
> fault via a DOC file with an invalid property tree, which triggers
> an infinite recursion.
>
> CVE-2005-3303
>
> A specially crafted executable compressed with FSG 1.33 could
> cause the extractor to write beyond buffer boundaries, allowing an
> attacker to execute arbitrary code.
>
> CVE-2005-3500
>
> A specially crafted CAB file could cause ClamAV to be locked in an
> infinite loop and use all available processor resources, resulting
> in a denial of service.
>
> CVE-2005-3501
>
> A specially crafted CAB file could cause ClamAV to be locked in an
> infinite loop and use all available processor resources, resulting
> in a denial of service.
>
> The old stable distribution (woody) does not contain clamav packages.
>
> For the stable distribution (sarge) these problems have been fixed in
> version 0.84-2.sarge.6.
>
> For the unstable distribution (sid) these problems have been fixed in
> version 0.87.1-1.
>
> We recommend that you upgrade your clamav packages.
>
>
> Upgrade Instructions
> 
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.1 alias sarge
> 
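As an added example (not part of the advisory or of the thread) of following the quoted upgrade instructions with the check the advisory makes possible: it extracts the size and MD5 for a named package file from advisory text in the layout shown above and refuses to run dpkg -i on a download that does not match. The advisory excerpt and file used in the test are constructed; MD5 is what DSAs of this era published and is a download-corruption check, not a strong integrity guarantee today.

```shell
#!/bin/sh
# Print "SIZE MD5" for the package FILENAME, reading advisory text on stdin.
# Handles the advisory's own layout: a URL line followed by a
# "Size/MD5 checksum: SIZE MD5" line, with or without "> " mail quoting.
advisory_entry() {
    awk -v name="$1" '
        { sub(/^> ?/, ""); sub(/[ \t]+$/, "") }          # strip quoting, trailing blanks
        found && /Size\/MD5 checksum:/ {
            sub(/.*checksum:[ \t]*/, "")                  # keep only "SIZE MD5"
            print $1, $2; exit
        }
        substr($0, length($0) - length(name)) == "/" name { found = 1 }
    '
}

# Succeed only if FILE has the expected byte size and MD5.
verify_deb() {
    file=$1 size=$2 md5=$3
    actual_size=$(wc -c < "$file" | tr -d ' ')
    actual_md5=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual_size" = "$size" ] && [ "$actual_md5" = "$md5" ]
}

# Fetch URL, verify it against the advisory saved in ADVISORY_FILE, then install.
# usage: install_from_advisory URL ADVISORY_FILE
install_from_advisory() {
    url=$1 advisory=$2 file=${1##*/}
    entry=$(advisory_entry "$file" < "$advisory")
    [ -n "$entry" ] || { echo "$file not listed in advisory" >&2; return 1; }
    wget -q "$url" || return 1
    if verify_deb "$file" $entry; then
        dpkg -i "$file"
    else
        echo "checksum mismatch for $file, not installing" >&2
        rm -f "$file"
        return 1
    fi
}
```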