[Kroupware] Kolab security fixes

Thomas Lotterer thl at dev.de.cw.com
Tue Mar 16 16:20:34 CET 2004


On Thu, Jan 22, 2004, Paul Gargan wrote:

Paul,
I deferred my answer post OpenPKG 2.0 release and now found your inquiry
in my backlog.

> I'm a system administrator who recently started looking at Kolab with a 
> view to deploying it in our organisation. I'm wondering what approach is 
> taken to security patches for the various software components used in 
> the project.
> 
> Firstly, are the supplied versions of Apache, Postfix, etc custom built 
> for Kolab, or are they the vanilla source code provided by the 
> respective vendors?
> 
The term "custom built" is subject to discussion. You won't find many
applications that can be made to work with the usual admin "./configure;
make; make install" triple. OpenPKG always tries this approach but
practice shows most packages need more or less tweaking to make them
work - and to make them fit into OpenPKG. All OpenPKG packages are
built from pristine vendor sources; this is one of the OpenPKG
tenets. There are typical customizations, i.e. wherever possible
shared libraries are avoided, most daemons using syslog(2) get the OSSP
fakesyslog library attached, locations of configuration files and var
storage are adjusted and OpenPKG specific rc files are provided. So far,
there are lots of things that could be different from other vendors and
most have to be.

> Secondly, if a security hole is discovered in a Kolab component (e.g. 
> the root hole in Monit discovered last November) how is this treated?
> 
Kolab-1.x uses packages that were taken from OpenPKG 1.1. These packages
were customized for the Kroupware project. OpenPKG never supported those
customized packages. Also the oldest OpenPKG release supported currently
is 1.3.

All Kolab/Kroupware customizations were included into OpenPKG 2.0, making
it possible to create an installation which is backed up by OpenPKG
security support. The unmodified OpenPKG packages required to build a
Kolab server were copied to ZfOS verbatim and lots of binaries were
built using them.

> Are the patches released by the package authors backported into whatever 
> version is being used by Kolab? Or are these patches simply rolled up 
> into the next release of Kolab (leaving servers vulnerable in the 
> interim)? Or is it up to server administrators to manually patch and 
> recompile?
> 
OpenPKG provides "no-brainer" updated replacement packages, see
http://www.openpkg.org/security.html. UPD packages are *only* provided as
source packages.

--
Thomas.Lotterer at cw.com, Cable & Wireless
