[BlueOnyx:01483] SMTP AUTH - on issue.
Steve Davis
steve at zio.com
Wed Jun 24 10:52:29 -05 2009
Applied the Yum patches today.
Noticed that email submissions went through the roof, from Russia.
Turned off SMTP AUTH and the hack submissions stopped.
Is there an issue here?
-----------------------------------
Stephen Davis
1519 Toney Drive
Huntsville Alabama 35802
Office 256.513-6760
-----------------------------------
I like the dreams of the future better than the history of the past.
When you were born, you cried and the world rejoiced.
Live your life so that when you die, the world cries and you rejoice.
----- Original Message -----
From: blueonyx-request at blueonyx.it [mailto:blueonyx-request at blueonyx.it]
To: blueonyx at blueonyx.it
Sent: Wed, 24 Jun 2009 10:26:50 -0400
Subject: [Spam?] Blueonyx Digest, Vol 6, Issue 29
Today's Topics:
1. [BlueOnyx:01474] YUM updates released (security update!)
(Michael Stauber)
2. [BlueOnyx:01475] Re: msi lcd drivers (Michael Stauber)
3. [BlueOnyx:01476] Re: msi lcd drivers (Maurice de Laat)
4. [BlueOnyx:01477] CMU and site administrators (Robert Fitzpatrick)
5. [BlueOnyx:01478] Re: CMU and site administrators
(Tobias Gablunsky)
6. [BlueOnyx:01479] Yum Support (T. K. Hughes)
----------------------------------------------------------------------
Message: 1
Date: Wed, 24 Jun 2009 01:40:37 +0200
From: Michael Stauber <mstauber at blueonyx.it>
Subject: [BlueOnyx:01474] YUM updates released (security update!)
To: "BlueOnyx General Mailing List" <blueonyx at blueonyx.it>
Message-ID: <200906240140.37656.mstauber at blueonyx.it>
Content-Type: text/plain; charset="utf-8"
Hi all,
The HTML version of this message is available here:
http://www.blueonyx.it/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=35&cntnt01origid=51&cntnt01returnid=54
Updates for BlueOnyx were released today and are now available through YUM.
**** This is an important security update and you should install it ASAP. ****
==========
Package
==========
Updating:
base-user-capstone
base-user-glue
base-user-locale-da_DK
base-user-locale-de_DE
base-user-locale-en
base-user-locale-ja
base-user-ui
base-vsite-capstone
base-vsite-glue
base-vsite-locale-da_DK
base-vsite-locale-de_DE
base-vsite-locale-en
base-vsite-locale-ja
base-vsite-ui
Transaction Summary
============================
Install 0 Package(s)
Update 14 Package(s)
Remove 0 Package(s)
These packages address the following issues:
base-user & base-vsite:
===================
Important security update: This update closes a vulnerability that allowed
suspended users (or users of a suspended site) to still send emails using
SMTP-Auth.
IMPORTANT: If you have any suspended sites or users on your server, please be
sure to manually run this command from SSH as root:
/usr/sausalito/sbin/fix_user_suspension.pl
That will make sure that suspended users (or users of a suspended site) get
deactivated in the underlying authentication mechanism.
Detailed explanation:
=================
This security vulnerability has been in the code since the RaQ550 - but it
only surfaced when the feature SMTP-Auth was added to the (then) BlueQuartz
code base.
If you suspended a user or a virtual site, then the GUI (so far) simply
changed the permissions of that user home directory and/or virtual site so
that these directories were no longer group readable. Or world readable in
case of the webspace.
There was not that much wrong with this. Because back on the RaQ550 users
could only relay email if their IP was in the allowed list of the Sendmail
access configuration. Or if they used POP-before-SMTP.
If someone tried to FTP to such a disabled account or site, FTP would refuse
to change into the directory as the user had no longer the rights to do so. If
a suspended user tried to login to POP3 or IMAP, the modified permissions
wouldn't let him in either.
POP-before-SMTP would register the generated failure message, too, and
wouldn't allow that user to send emails. All fine so far.
However: When SMTP-Auth was added, users could now send emails by
authenticating against the SMTP server with their username and password. Which
is a much more reliable and less hack'ish solution than POP-before-SMTP. So
for this a POP3 or IMAP login isn't needed prior to the start of the session.
BUT: As the user account had not been disabled on the system level user
authentication (PAM or Shadow on BlueQuartz or Shadow only on BlueOnyx),
suspended users (or users of suspended sites) can still login to SMTP-Auth
against Sendmail and can therefore send emails.
That definitely should not be the case, because suspending users (or sites)
should prevent them from using any services that require authentication in
the first place.
So this update modifies base-user and base-vsite. Whenever a user is
suspended, then that user will be disabled in the underlying system
authentication layer.
Likewise: If a site is suspended, all users of that site will be disabled in
the same fashion. This actively prevents disabled accounts from authenticating
against any service that requires a valid username and password on the server.
/usr/sausalito/sbin/fix_user_suspension.pl
=================================
That new script was added with this patch. You can run it (as root!) at any
time, but you really only need it to run just once after the patch was
installed and IF you have sites or users that currently ARE suspended.
When it is run, the script goes through all sites and all users. It
synchronizes the suspension state of sites and users with the underlying
authentication mechanism. So if a site is marked as suspended in the GUI, then
the user accounts of all users of that site get "locked", preventing them from
logging in. Likewise, if just a user has been suspended (but the site itself
has not), then only that user gets "locked".
CMU:
=====
The new "suspension" mechanism also carries over if you import sites or users
through CMU. So if you import a site with suspended users (or if the imported
site is suspended in general), then the new code will automatically already
"lock" those accounts on cmuImport. Hence then there will be no need to run
/usr/sausalito/sbin/fix_user_suspension.pl manually after a cmuImport. But it
doesn't hurt either if you do.
/usr/sausalito/sbin/fix_user_UID_and_GID.pl
===================================
This newly added script has nothing to do with this security fix. If run as
"root" it will go through all sites and users and will chown both the logfiles
of the site and all user directories to the correct UID and GID that they
should belong to. It will NOT change the UID or GID of the site's webspace (or
any files therein).
The primary purpose of this script is to fix up garbled UID's and GID's that
can sometimes happen if you import from a bad CMU dump.
--
With best regards
Michael Stauber
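
An audit for the condition described in the message above, as an added example that is not part of the original post and is not the code of fix_user_suspension.pl: it lists suspended accounts whose shadow(5) password field is still usable, meaning they could still authenticate to SMTP-Auth. Assumptions: the suspended usernames come from a one-per-line file you export yourself (hypothetical `suspended.txt`), and "locked" is taken to mean a password field that starts with `!` or `*`.

```shell
#!/usr/bin/env bash
# Added example, not BlueOnyx code. Lists suspended accounts whose shadow(5)
# password field is still usable, i.e. accounts that could still pass SMTP AUTH.

# unlocked_suspended SHADOW_FILE SUSPENDED_LIST
# SUSPENDED_LIST is an assumed input: one suspended username per line.
unlocked_suspended() {
    awk -F: '
        FILENAME == ARGV[1] {            # first file: the suspended list
            if ($1 != "") suspended[$1] = 1
            next
        }
        ($1 in suspended) {              # second file: shadow entries
            seen[$1] = 1
            # "!" or "*" at the start of field 2 means no password can match.
            # An empty field is reported too: it is not locked.
            if ($2 !~ /^[!*]/) print $1 ": NOT locked"
        }
        END {
            for (u in suspended)
                if (!(u in seen)) print u ": no shadow entry"
        }
    ' "$2" "$1"
}

# Constructed sample data (hashes are placeholders, not real credentials).
demo() {
    d=$(mktemp -d)
    cat > "$d/shadow" <<'EOF'
root:$1$PLACEHOLDER$rootrootroot:14419:0:99999:7:::
alice:$1$PLACEHOLDER$alicealice:14419:0:99999:7:::
bob:!$1$PLACEHOLDER$bobbobbobbob:14419:0:99999:7:::
carol:$1$PLACEHOLDER$carolcarol:14419:0:99999:7:::
dave:*:14419:0:99999:7:::
EOF
    printf '%s\n' alice bob dave > "$d/suspended.txt"
    unlocked_suspended "$d/shadow" "$d/suspended.txt"
    rm -rf "$d"
}

demo
```

On a live server the first argument would be `/etc/shadow`, read as root. The check looks only at the password field, so an account disabled purely through its expiry date is still reported.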
------------------------------
Message: 2
Date: Wed, 24 Jun 2009 13:16:20 +0200
From: Michael Stauber <mstauber at blueonyx.it>
Subject: [BlueOnyx:01475] Re: msi lcd drivers
To: Gerald Waugh <gwaugh at frontstreetnetworks.com>, BlueOnyx General
Mailing List <blueonyx at blueonyx.it>
Message-ID: <200906241316.20583.mstauber at blueonyx.it>
Content-Type: text/plain; charset="utf-8"
Hi Gerald,
> Try the RPMS at;
> http://fsn.raqware.com/MSI/
> install first; compat-libstdc++-296-2.96-132.7.2.i386.rpm
> then BQ-MSI-LCD-Drivers-1.0.6-SOL1.i386.rpm
>
> Seems like that should work, maybe Michael will address the issue
This reminds me that I wanted to do a BlueOnyx PKG for the LCD drivers, but
forgot about it.
Best would be to install compat-libstdc++ through YUM, because you then get
the CentOS5 version of that RPM.
The actual LCD RPM probably still works out of the box.
--
With best regards
Michael Stauber
------------------------------
Message: 3
Date: Wed, 24 Jun 2009 13:47:08 +0200
From: Maurice de Laat <mdlaat at muisnetwerken.nl>
Subject: [BlueOnyx:01476] Re: msi lcd drivers
To: BlueOnyx General Mailing List <blueonyx at blueonyx.it>
Message-ID: <20090624114708.GD31929 at arie.muisnetwerken.nl>
Content-Type: text/plain; charset=us-ascii
Gerald, Michael,
On Wed, Jun 24, 2009 at 01:16:20PM +0200, Michael Stauber wrote:
> Best would be to install compat-libstdc++ through YUM, because you then get
> the CentOS5 version of that RPM.
A yum search finds two of them:
compat-libstdc++-296.i386 : Compatibility 2.96-RH standard C++ libraries
compat-libstdc++-33.i386 : Compatibility standard C++ libraries
Which one should I try? Thanks.
--
Maurice de Laat
------------------------------
Message: 4
Date: Wed, 24 Jun 2009 09:08:42 -0400
From: Robert Fitzpatrick <lists at webtent.net>
Subject: [BlueOnyx:01477] CMU and site administrators
To: BlueOnyx <blueonyx at blueonyx.it>
Message-ID: <1245848922.20088.8.camel at columbus.webtent.org>
Content-Type: text/plain
Having an issue getting site administrators to come over when using
cmuExport/Import 2.81. I see in the cmuImport man page to perhaps use
the -s switch, but not working. But I also see that switch in the man
page twice, also for session ID. Our workaround now is to remove site
admin status for all users before cmuExport. Has anyone had this
problem?
--
Robert
------------------------------
Message: 5
Date: Wed, 24 Jun 2009 15:48:59 +0200
From: "Tobias Gablunsky" <t.gablunsky at cbxnet.de>
Subject: [BlueOnyx:01478] Re: CMU and site administrators
To: <robert at webtent.com>, "BlueOnyx General Mailing List"
<blueonyx at blueonyx.it>
Message-ID:
<562E640DA047DC4E88DCAF26616F6E4601063ABC at exchange.combox.de>
Content-Type: text/plain; charset="us-ascii"
Yes, I have this problem as well.
BUT, I am using CMU 2.80 on a BlueQuartz for the import.
The export was done on a Cobalt RaQ4 with CMU 2.53.
..same "solution" as you
--
Tobias
>
> Having an issue getting site administrators to come over when using
> cmuExport/Import 2.81. I see in the cmuImport man page to perhaps use
> the -s switch, but not working. But I also see that switch in the man
> page twice, also for session ID. Our workaround now is to remove site
> admin status for all users before cmuExport. Has anyone had this
> problem?
>
> --
> Robert
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
>
>
------------------------------
Message: 6
Date: Wed, 24 Jun 2009 10:26:44 -0400
From: "T. K. Hughes" <tommykeegan at gmail.com>
Subject: [BlueOnyx:01479] Yum Support
To: <blueonyx at blueonyx.it>
Message-ID: <81EB5717E6AB43A98060DC331781F72C at roadrunner>
Content-Type: text/plain; charset="iso-8859-1"
My Blueonyx systems can not get yum to update.
I get error:
http://centos-distro.cavecreek.net/centos/5.3/extras/i386/repodata/repomd.xml:
[Errno 4] IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://centos.mirrors.redwire.net/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://ftp.osuosl.org/pub/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirror.clarkson.edu/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirror.nic.uoregon.edu/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirrors.easynews.com//linux/centos/5.3/extras/i386/repodata/repomd.xml:
[Errno 4] IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirrors.gigenet.com/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirrors.kernel.org/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirrors.versaweb.com/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://updates.interworx.info/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: extras.
Please verify its path and try again
http://centos-distro.cavecreek.net/centos/5.3/extras/i386/repodata/repomd.xml:
[Errno 4] IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://centos.mirrors.redwire.net/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://ftp.osuosl.org/pub/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirror.clarkson.edu/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirror.nic.uoregon.edu/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirrors.easynews.com//linux/centos/5.3/extras/i386/repodata/repomd.xml:
[Errno 4] IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirrors.gigenet.com/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirrors.kernel.org/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://mirrors.versaweb.com/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
http://updates.interworx.info/centos/5.3/extras/i386/repodata/repomd.xml: [Errno 4]
IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: extras.
Please verify its path and try again
How do I fix this?
Thank You for your time,
Tommy K. Hughes
------------------------------
_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx
End of Blueonyx Digest, Vol 6, Issue 29
***************************************