ConfigServer Services Blog

Fedora Core v5 LifeCycle Warning

For those that still insist on using Fedora Core in a production environment (which Fedora themselves do not recommend) be aware that Fedora Core 7 is due to be released in May. This means that support for Fedora Core 5 will be dropped a month later, meaning that you’ll have to upgrade your OS again unless you maintain all the installed applications yourself (a daunting task):http://fedoraproject.org/wiki/LifeCycleIf you want a more reliable (i.e. supported) OS then I would strongly recommend you choose RedHat Enterprise (3, 4 or 5) or the equivalent CentOS release, instead. These are enterprise level production OS’s which are supported for years, not months, as is the case for Fedora.

New csf v2.69

Changes:

  • Added back LF_DIRWATCH_DISABLE functionality securely
  • Fixed bug where a suspicious directory would not be removed with LF_DIRWATCH_DISABLE
  • Added perl module check for File : : Path
  • Added path configuration to tar and chattr in csf.conf
  • Added new option LF_SMTPAUTH which checks for SMTP AUTH exim login failures. When upgrading the new setting will be set to whatever you have LF_FTPD set to

New csf v2.68 – Major Security Fix

Changes:

  • Security Fix – If you have LF_DIRWATCH_DISABLE on then this can lead to arbitray code being executed in the context of the user running lfd, i.e. root. This option has been disabled in the code until further notice. You will have to manually remove any reported files.
  • Tightened csf file ownerships on installation

*ALL INSTALLATIONS SHOULD BE UPGRADED ASAP TO AVOID POTENTIAL EXPLOITATION*You can upgrade csf either through WHM or from the root shell using:

csf -u

New csf v2.67 – Major Security Fix

Changes:Security fix – A major security issue has been found (thanks to Jeff for informing us) in the LF_DIRWATCH code that can lead to arbitrary code being executed in the context of the user running lfd, i.e. root, if that option is enabled and a hacker has access to create a crafted filename in one of the watched directories. This update closes this hole.*ALL INSTALLATIONS SHOULD BE UPGRADED ASAP TO AVOID POTENTIAL EXPLOITATION*You can upgrade csf either through WHM or from the root shell using:

csf -u

New ClamAV v0.90.2

ClamAV have released a new version with security fixes. It is advised that everyone upgrade to this new version, which you can now do through the MailScanner WHM UI.

Changes in this release include some security fixes in CHM, CAB and PDF code and better handling of network problems in freshclam.Please see ChangeLog for complete list of changes. **Important note**: on April 16th CHM, CAB and PDF handlers will be disabled for 0.90 and 0.90.1 users through the dynamic engine configuration module (DCONF). Please upgrade to 0.90.2 immediately.

New csf v2.66

Changes:

  • Modified LF_CPANEL text in csf.conf for new installations to reflect the change in the SSL login handling by cPanel (i.e. it does now log SSL login IP’s)
  • Modified the log line monitoring in lfd to cope with log line flooding to prevent looping/excessive resource usage. Also recoded without the use of the POSIX routines
  • lfd process name now shows which log file it is scanning

New ClamAV v0.90.1

ClamAV have released a new version that fixes a raft of things that they broke with the v0.90 release a few days ago. We will be releasing a new version of the MailScanner installer script shortly that fixes an incompatibility in MailScanner with the new v0.9* version of ClamAV.

New Mail::ClamAV v0.20

The day we release a patch workaround the Mail::ClamAV developer has finally released fixed code for ClamAV v0.90. It will take some time to get around all the cpan.org mirrors, but you can install it from source easily enough and then revert to virus scanners = clamavmodule in MailScanner.conf

wget http://cpan.pair.com/authors/id/S/SA/SABECK/Mail-ClamAV-0.20.tar.gztar -xzf Mail-ClamAV-0.20.tar.gz cd Mail-ClamAV-0.20perl Makefile.PL makemake installpico -w /usr/mailscanner/etc/MailScanner.conf

Virus Scanners = clamavmodule

service MailScanner restart

New ClamAV v0.90

We have previously guarded against upgrading to this latest version of ClamAV as the developer of the perl module Mail::ClamAV has not updated his code to support this updated version of the ClamAV engine.However, vulnerabilities have now been published for versions of ClamAV prior to v0.90 so it seems prudent to upgrade to it now.To do this we have repackaged the ClamAV v0.90 distribution and added code to convert MailScanner to use clamav instead of clamavmodule for its Virus Scanner.The downside of this change is that there is a potential increase in server load over using the perl module method.You can upgrade now through the WHM MailScanner UI. You can ignore the Mail::ClamAV errors at the bottom of the installation procedure, but do make sure that MailScanner starts correctly and send a test message through your system (check /var/log/maillog).For anyone using MailScanner without our Front-End, you can upgrade using the same repackaged distribution with…

wget http://license.configserver.com/clamav-0.90.tar.gztar -xzf clamav-*cd clamav-*./configure –disable-zlib-vcheckmakemake installreplace “Example” “#Example” — /usr/local/etc/freshclam.confreplace “Example” “#Example” — /usr/local/etc/clamd.conffreshclamcd ../bin/rm -Rf clamav-*service MailScanner restart