Koozali.org: home of the SME Server

Security update for SME Server 8.0

Offline wellsi

Security update for SME Server 8.0
« on: November 13, 2010, 07:55:39 PM »
--------------------------------------------------------------------------------
SME Server Update Notification
2010-11-13
--------------------------------------------------------------------------------

Name        : proftpd
Product     : SME 8
Version     : 1.3.3c
Release     : 1.el5
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.
--------------------------------------------------------------------------------
Update Information:

The ProFTPD Project team has released 1.3.3c to the community. This is an
important security release, containing fixes for a Telnet IAC handling
vulnerability and a directory traversal vulnerability in the mod_site_misc
module. References [1] & [2] below contain the full details.

--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 01 2010 Paul Howarth <paul@city-fan.org> 1.3.3c-1

- Update to 1.3.3c (#647965)
- Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925)
- Fixed directory traversal bug in mod_site_misc (CVE-2010-3867)
- Fixed SQLite authentications using "SQLAuthType Backend"
- New DSO module: mod_geoip

--------------------------------------------------------------------------------
References:

  [ 1 ] Release Notes from ProFTPD
        http://proftpd.org/docs/RELEASE_NOTES-1.3.3c

  [ 2 ] News from ProFTPD
        http://proftpd.org/docs/NEWS-1.3.3c

  [ 3 ] Telnet IAC processing stack overflow
        http://bugs.proftpd.org/show_bug.cgi?id=3521

  [ 4 ] Bug 6365 - ProFTPd remote root exploit
        http://bugs.contribs.org/show_bug.cgi?id=6365
--------------------------------------------------------------------------------
Updated packages:

proftpd-1.3.3c-1.el5.i386.rpm
proftpd-1.3.3c-1.el5.src.rpm

This update can be installed with the Software Installer from the Server Manager.
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter13#Software_Installer_Panel
--------------------------------------------------------------------------------


............
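One way to confirm after installing the update that the running proftpd build is at or beyond the fixed 1.3.3c-1.el5 (an added example; not part of the advisory or of the SME Server tooling). It reimplements rpm's version ordering so the lettered suffix (1.3.3c versus 1.3.3b, or plain 1.3.3) compares the way rpm compares it, and takes the `name-version-release.arch` string printed by `rpm -q proftpd` as input; the package strings in the demo are constructed.

```python
import re

FIXED_VERSION, FIXED_RELEASE = "1.3.3c", "1.el5"   # fixed build from the advisory
ARCHES = ("noarch", "i386", "x86_64", "src")

def rpmvercmp(a, b):
    """Order two RPM version/release strings like rpm's rpmvercmp:
    split into runs of digits and runs of letters, compare digit runs
    numerically and letter runs lexically; a digit run outranks a letter
    run; on a tie the string with more segments is newer (so 1.3.3c > 1.3.3).
    Simplified: the '~' pre-release marker of newer rpm is not handled."""
    if a == b:
        return 0
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvr(pkg):
    """Split 'name-version-release[.arch]' as printed by `rpm -q`."""
    name, ver, rel = pkg.rsplit("-", 2)
    base, _, arch = rel.rpartition(".")
    if arch in ARCHES:
        rel = base
    return name, ver, rel

def proftpd_is_fixed(pkg):
    """True if the installed proftpd is at or beyond 1.3.3c-1.el5."""
    name, ver, rel = parse_nvr(pkg)
    if name != "proftpd":
        raise ValueError("not a proftpd package: %s" % pkg)
    c = rpmvercmp(ver, FIXED_VERSION) or rpmvercmp(rel, FIXED_RELEASE)
    return c >= 0

if __name__ == "__main__":
    # Constructed sample strings; on a real host feed in the output of `rpm -q proftpd`.
    for pkg in ("proftpd-1.3.3b-1.el5.i386", "proftpd-1.3.3-1.el5.i386",
                "proftpd-1.3.3c-1.el5.i386", "proftpd-1.3.3c-2.el5.i386"):
        print(pkg, "fixed" if proftpd_is_fixed(pkg) else "needs the 1.3.3c update")
```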

Offline fpausp

Re: Security update for SME Server 8.0
« Reply #1 on: November 14, 2010, 07:24:25 AM »
Hi,

I got this on my sme8b6 with contribs installed (sogo) and on a freshly installed sme8b6:
Please take a look at it, I don't know if this is a bug or not.

[root@sme8kvm ~]# yum update --exclude=libevent
Loaded plugins: fastestmirror, protect-packages, smeserver
Loading mirror speeds from cached hostfile
 * base: mirror.atrpms.net
 * smeaddons: sme-mirror.firewall-services.com
 * smeextras: sme-mirror.firewall-services.com
 * smeos: sme-mirror.firewall-services.com
 * smeupdates: sme-mirror.firewall-services.com
 * updates: mirror.silyus.net
Excluding Packages in global exclude list
Finished
Excluding Packages from CentOS - os
Finished
Excluding Packages from CentOS - updates
Finished
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package e-smith-backup.noarch 0:2.2.0-45.el5.sme set to be updated
---> Package e-smith-email.noarch 0:5.2.0-10.el5.sme set to be updated
---> Package e-smith-formmagick.noarch 0:2.2.0-4.el5.sme set to be updated
---> Package e-smith-hosts.noarch 0:2.2.0-6.el5.sme set to be updated
---> Package e-smith-pop3.noarch 0:2.2.0-3.el5.sme set to be updated
--> Processing Dependency: checkpassword-pam for package: e-smith-pop3
---> Package e-smith-proxy.noarch 0:5.2.0-4.el5.sme set to be updated
---> Package e-smith-qmail.noarch 0:2.2.0-5.el5.sme set to be updated
---> Package e2fsprogs.i386 0:1.39-23.el5_5.1 set to be updated
---> Package e2fsprogs-libs.i386 0:1.39-23.el5_5.1 set to be updated
---> Package proftpd.i386 0:1.3.3c-1.el5 set to be updated
--> Processing Dependency: libGeoIP.so.1 for package: proftpd
---> Package python.i386 0:2.4.3-27.el5_5.3 set to be updated
---> Package smeserver-locale-bg.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-da.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-de.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-el.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-es.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-et.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-fr.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-he.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-hu.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-id.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-it.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-ja.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-nb.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-nl.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-pl.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-pt.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-pt_BR.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-ro.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-ru.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-sl.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-sv.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-th.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-tr.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-zh_CN.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-locale-zh_TW.noarch 0:2.2.0-35.el5.sme set to be updated
---> Package smeserver-yum.noarch 0:2.2.0-18.el5.sme set to be updated
--> Running transaction check
---> Package GeoIP.i386 0:1.4.7-0.1.20090931cvs.el5 set to be updated
---> Package e-smith-pop3.noarch 0:2.2.0-3.el5.sme set to be updated
--> Processing Dependency: checkpassword-pam for package: e-smith-pop3
--> Finished Dependency Resolution
e-smith-pop3-2.2.0-3.el5.sme.noarch from smeupdates has depsolving problems
  --> Missing Dependency: checkpassword-pam is needed by package e-smith-pop3-2.2.0-3.el5.sme.noarch (smeupdates)
Error: Missing Dependency: checkpassword-pam is needed by package e-smith-pop3-2.2.0-3.el5.sme.noarch (smeupdates)
 You could try using --skip-broken to work around the problem
 You could try running: package-cleanup --problems
                        package-cleanup --dupes
                        rpm -Va --nofiles --nodigest
The program package-cleanup is found in the yum-utils package.
Viribus unitis

Offline cactus

Re: Security update for SME Server 8.0
« Reply #2 on: November 14, 2010, 08:50:15 AM »
> I got this on my sme8b6 with contribs installed (sogo) and on a freshly installed sme8b6:
> Please take a look at it, I don't know if this is a bug or not.
Issues with updates on SME Server 8 should always be reported as a bug. Please report a bug and post back a reference to it here. Thanks in advance.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline fpausp

Re: Security update for SME Server 8.0
« Reply #3 on: November 14, 2010, 09:13:14 AM »
Viribus unitis

Offline wellsi

Re: Security update for SME Server 8.0
« Reply #4 on: November 14, 2010, 09:24:06 AM »
Thanks, I'll follow up in the bug, but here is also a quick summary.

After the security update for SME8, some verified packages were in the process of being moved to smeupdates; one of these had a dependency, shown above, that had not been transferred at the same time. This has already been resolved, but will take some time (a few hours) to reach the mirrors.

............

Offline fpausp

Re: Security update for SME Server 8.0
« Reply #5 on: November 14, 2010, 09:43:29 AM »
Thanks.
Viribus unitis