OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org
Name: Ralf S. Engelschall
Root: /e/openpkg/cvs
Email: [EMAIL PROTECTED]
Module: openpkg-web
Date: 05-May-2004 16:25:55
Branch: HEAD
Handle: 2004050515255500
Modified files:
openpkg-web/security OpenPKG-SA-2004.019-kolab.txt
Log:
release OpenPKG Security Advisory 2004.019 (kolab)
Summary:
Revision Changes Path
1.2 +22 -16 openpkg-web/security/OpenPKG-SA-2004.019-kolab.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2004.019-kolab.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2004.019-kolab.txt
--- openpkg-web/security/OpenPKG-SA-2004.019-kolab.txt 5 May 2004 13:18:56 -0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2004.019-kolab.txt 5 May 2004 14:25:55 -0000 1.2
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
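Review bot: Adding the `-----BEGIN PGP SIGNED MESSAGE-----` / `Hash: SHA1` header turns everything below it, including the unchanged context lines here, into signed text, so the signature committed at the end of this file is only valid for exactly this revision; any later wording fix to the advisory (even whitespace) has to be followed by re-signing, which argues for making the clear-signing the final, automated step of the release rather than a hand edit. The `Hash:` armor header must also match the digest the signature was actually made with, or verifiers will reject it.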
@@ -20,31 +23,30 @@
Dependent Packages: none
Description:
- Luca Villani reported [1] disclosure of critical configuration
+ Luca Villani reported [1] the disclosure of critical configuration
information within Kolab [2], the KDE Groupware server. The affected
versions store OpenLDAP passwords in plain text. The heart of Kolab
is an engine written in Perl that rewrites configuration for certain
applications based on templates. OpenPKG packages come with both
the genuine and a modular replacement engine, both creating wrong
- permissions. The genuine engine is part of the kolab package and the
- replacement engine is a module in the perl-kolab package. The build()
- function in both engines left slapd.conf world-readable exhibiting
- the rootpw.
+ permissions. The genuine engine is part of the "kolab" package and
+ the replacement engine is a module in the "perl-kolab" package. The
+ build() function in both engines left slapd.conf world-readable
+ exhibiting the OpenLDAP "rootpw".
Please check whether you are affected by running "<prefix>/bin/rpm -q
kolab". If you have the "kolab" package installed and its version is
affected (see above), we recommend that you immediately upgrade it
- (see Solution) and its dependent packages (see above), if any, too
- [3][4].
+ (see Solution) [3][4].
Solution:
Select the updated source RPM appropriate for your OpenPKG release
- [5][5], fetch it from the OpenPKG FTP service [7][6] or a mirror
- location, verify its integrity [7], build a corresponding binary RPM
- from it [3] and update your OpenPKG installation by applying the
- binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
- following operations to permanently fix the security problem (for
- other releases adjust accordingly).
+ [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
+ verify its integrity [7], build a corresponding binary RPM from it
+ [3] and update your OpenPKG installation by applying the binary RPM
+ [4]. For the most recent release OpenPKG 2.0, perform the following
+ operations to permanently fix the security problem (for other releases
+ adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
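Review bot: The reference renumbering is the substantive fix here (`[5][5]` becomes `[5]` and `[7][6]` becomes `[6]`, so each step now points at one reference), and dropping "and its dependent packages" is consistent with the `Dependent Packages: none` context line at the top of the hunk. One thing still missing from the Description/Solution text: the advisory says `slapd.conf` was left world-readable "exhibiting the OpenLDAP rootpw", but it only tells administrators to upgrade; a sentence recommending that an already-exposed rootpw be changed after the upgrade, and that the permissions of the regenerated `slapd.conf` be checked, would complete the remediation.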
@@ -55,9 +57,6 @@
$ <prefix>/bin/openpkg rpm --rebuild kolab-20040217-2.0.2.src.rpm
$ su -
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/kolab-20040217-2.0.2.*.rpm
-
- Additionally, we recommend that you rebuild and reinstall
- all dependent packages (see above), if any, too [3][4].
________________________________________________________________________
References:
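Review bot: Removing the "rebuild and reinstall all dependent packages" paragraph matches the `Dependent Packages: none` line in the previous hunk, and references [3][4] are still cited in the upgrade recommendation above, so no reference becomes orphaned. Since this paragraph is evidently template text, the cleaner fix would be to keep it conditional on the dependent-package list instead of deleting it per advisory, otherwise the next advisory with non-empty dependents will need it re-added by hand.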
@@ -77,3 +76,10 @@
for details on how to verify the integrity of this advisory.
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQFAmPlfgHWT4GPEy58RAmh1AJ0UgFibDQE9uk64FmjgUe9o86goMgCgxtby
+xBmfRHC1CpRnUPaZJntQMpg=
+=1G7c
+-----END PGP SIGNATURE-----
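Review bot: The `Comment: OpenPKG <[EMAIL PROTECTED]>` armor header is not covered by the signature and should not be relied on to identify the signer; the preceding context line already points readers to the instructions "on how to verify the integrity of this advisory", so make sure that reference names the signing key (fingerprint and where to fetch it) rather than the address in the Comment line. Also confirm that the committed file is the exact bytes that were signed, since CVS storage or line-ending normalization of a clear-signed text would silently invalidate the signature.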
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]