Mitel Networks Corporation is announcing a mandatory update to our SME Server
software to fix a widely publicized security issue with the PHP programming
language that we use for webmail and for dynamic content in i-bays.

    SMEServer-5.0_Update4
    SMEServer-5.1.1_Update1
    SMEServer-5.1.2_Update1

MITEL NETWORKS CLASSES THESE UPDATES AS MANDATORY. Failure to apply
these updates will leave your server vulnerable to unauthorized remote
access if you have enabled Webmail or have enabled PHP on any i-bay.

These updates address the following issue:

- Remotely-exploitable buffer overflow in PHP file_upload handling
  routines. The original advisory on this vulnerability is available
  at
  http://security.e-matters.de/advisories/012002.html

This update contains a permanent solution which replaces the
workaround described in our initial advisory on the issue, at
http://www.e-smith.org/article.php3?sid=57

Applying this update will re-enable file uploads on your server if
you disabled them as described in the temporary workaround in that
advisory.

The appropriate update can be applied from the Blades panel of the
server manager.

NOTES:

1. Thirty seconds after the blade is installed, your webserver will
   restart in order to load the new PHP module.

2. SME SERVER 5.0 USERS:

   You must install SMEServer-5.0_Update2 prior to installing
   SMEServer-5.0_Update4. This is because Update2 includes a fix for
   large blade downloads that is required to install Update4.

   SMEServer-5.0_Update4 supersedes SMEServer-5.0_Update3, and includes
   all fixes from that previous update. You do not need to install
   SMEServer-5.0_Update3 before installing SMEServer-5.0_Update4.

   Since SMEServer-5.0_Update4 supersedes SMEServer-5.0_Update2 and
   Update3, the Blades panel will report that SMEServer-5.0_Update2 is
   not installed after installing SMEServer-5.0_Update4. This is
   normal behaviour and does not indicate that the contents of Update2
   and Update3 are no longer present.

Release notes can be found at:
http://www.e-smith.org/release/5.0/status/

--
------------------------------ Rich Lafferty ---------------------------
Technical Support Engineer, Network Server Solutions Group
Mitel Networks, Ottawa, ON (613) 751-4404
---------------------------- [EMAIL PROTECTED] ------------------------