Version 8.22 of all components of the Citadel system are now available. This is another maintenance release. Share and enjoy.
Version 8.20 of the award-winning Citadel groupware suite is now available. This is primarily a maintenance release; there are no new major components of the system.
Worth noting is that if you are building Citadel from source code, the text mode client is now a separate download. Easy Install will continue to deliver this component.
Lately we are noticing that many hobbyists are choosing to install the Citadel system on Raspberry Pi hardware, due to Citadel's unique combination of an extensive feature set and small memory/disk footprint. We would like to congratulate these clever hobbyists and continue to support Citadel on all versions of the Linux operating system.
This week on FLOSS Weekly, Randall Schwartz and Simon Phipps chat with Art Cancro, lead developer of the Citadel system, and chat about Citadel's history as a BBS platform and the modern groupware platform it offers today. Check it out!
Citadel is now the best groupware and content management system. Version 8.02 brings not only an easily installed, fully integrated collaboration platform, but also content management features such as blog and wiki support. You can also configure your system to allow visitors to browse the public portions of the site in “guest” mode, so if you are running blogs, wikis, or forums intended for general consumption by the Internet public, site visitors can browse those rooms without having to first create an account. This also means that your site can optionally be spidered by the big search engines, bringing more visitors and activity to your Citadel installation.
Citadel 8 also brings full support for IPv6, allowing you to integrate it with modern network configurations.
We don't announce every single new release, but this one is worth mentioning: the Citadel team is proud to unveil version 7.84 of our entire software stack.
New features include:
* A greatly improved XMPP (Jabber) service, for better compatibility with more instant messenger clients.
* A completely new bulletin board (forum) view, also greatly improved in both performance and features.
* A brand new multiuser chat facility, redesigned for better access through a web browser
* Many bug fixes and performance enhancements.
“Share and Enjoy” !
There are some exciting features that have been completed in Citadel 7.60, and we thought you might be interested in knowing about two of them.
The first new feature is a big change to how Citadel uses LDAP. You might know that prior to Citadel 7.50, we had the ability to populate an external LDAP address book with the contents of Citadel's global address book. As it turned out, this was not very useful. It was deprecated in 7.50 and has been removed in 7.60. We were fairly certain that nobody was using this feature, and the fact that no one has complained about its deprecation seems to confirm this.
Instead, Citadel 7.60 has the ability to authenticate against an external LDAP directory, which seems to be what most people wanted in the first place. We've supported authentication via the host system for a long time, and in practice most sites seem to combine this with pam_ldap and nss_ldap to allow Citadel to participate in “single sign on” at organizations which use LDAP. So why not make it easy? Citadel 7.60 speaks directly to your LDAP server, and the configuration consists of entering a few simple configuration items instead of all that tedious mucking about in the /etc directory. We support both the industry-standard LDAP schema (RFC 2307) and the most commonly deployed nonstandard schema (Microsoft Active Directory).
The other big new feature we've completed is a complete rewrite of the import/export module. The old way was usable but fairly clumsy. In Citadel 7.60, the database dump format is XML based, and the import/export operations run much faster. And beginning now, we are making the dump format upward compatible, so the target system can be running a newer version of Citadel than the source system. You will not have to upgrade the source system in order to migrate it.
To make this even more useful, we've written an “over the wire” migration utility. When you want to migrate Citadel to a new host system, even one with a different CPU architecture, you just run the migrate utility on the target host, and point it at the source host. The migrate utility will do all of the work for you automatically, producing a perfect clone of your Citadel installation. OpenSSH and rsync are used to copy the parts of your Citadel data that are not stored in the database, such as user profiles (bios), photos and other images, etc. This utility will do for migrations what Easy Install did for installations.
These features were frequently requested, and we are happy to announce that they are now available.
We are pleased to announce version 7.50 of the Citadel system, now available via http://www.citadel.org as source code, Easy Install, and packages for selected Linux distributions.
This is a *big* update. New features:
- Recurring events are now supported across the entire calendar system, as well as all-day events which span multiple days.
- The entire WebCit framework is now templatized, allowing customization for individual sites without modifying the program code.
- Message renderers have been updated to handle a number of new features, such as unlimited nesting and inline images.
- Message composition has been updated to handle improved character set conversion, preferred email address and display name persistent in per-user preferences, and unlimited email signature size.
- Integrated support for virus scanning with ClamAV. You will no longer have to run ClamAV via SpamAssassin (although that mode still works).
- Integrated support for SpamAssassin has been expanded to include a site-definable choice of tagging or rejecting spam.
- Improved interoperability with vCards generated by third-party address book software.
- All of the fonts in WebCit are now relative sized, making the whole site look better on screens of all sizes.
- Hundreds of performance improvements, user interface enhancements, and bug fixes.
WebCit is a middleware application which provides a web based user interface for the Citadel groupware system. More information may be found at the project's site at the following URL:
II. DESCRIPTION AND ANALYSIS
WebCit uses a weak encoding for remote provided data to build up a local string. Exploitation of a format string vulnerability could allow a remote attacker to perform an unauthorized privilege escalation.
Citadel.org has confirmed the existence of this vulnerability in version 7.22 of WebCit. Other components of the Citadel system are not affected.
If you are unable to upgrade your system to a non-vulnerable version of WebCit at this time, you may also choose to block access to the following URL's using your site's existing edge security tools:
This will prohibit remote exploit of this vulnerability, at the expense of reduced functionality of the program.
V. VENDOR RESPONSE
Citadel.org has confirmed that this vulnerability has been fixed.
If you are using source code downloads, please upgrade to version 7.39 (or later).
If you are using the Easy Install system or the VMware appliance, please run a normal update in order to receive the patch.
If you are using Debian or Ubuntu packages, please upgrade to version 7.38-37 (or later).
Please be advised that you may also be required to upgrade the Citadel server in order to maintain compatibility with a new version of WebCit.
VI. DISCLOSURE TIMELINE
2009-02-13 - discovery of vulnerability
2009-02-13 - fix implemented
2009-03-23 - coordinated public disclosure
This vulnerability was discovered internally by Wilfried Goesgens firstname.lastname@example.org and patched prior to disclosure.
VIII. LEGAL NOTICES
Copyright © Citadel.org
Permission is granted for unlimited redistribution of this alert. The information in this advisory is believed to be accurate at the time of publishing based on currently available information, and is provided “as is” with no warranties as to its accuracy or applicability. The publisher does not accept liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
There hasn't been a lot of Citadel news lately, but that doesn't mean that there isn't anything going on. We've been working “heads down” for the last few months to bring a major new release of the Citadel system. Some of the exciting new features currently in development are:
- Recurring calendar events
- WebCit fully templatized for easy customizability
- Direct support for ClamAV (no more running ClamAV from within SpamAssassin) – as well as the ability to tag spam instead of rejecting it
And that's just the short-term roadmap. We have some really exciting new features planned for 2009 after this next release is completed.
A vulnerability involving predictable random numbers has been discovered in the OpenSSL packages included with Debian Etch and Ubuntu systems. This vulnerability affects all software which makes use of SSL/TLS encrypted connections, including Citadel.
Please see http://lists.debian.org/debian-security-announce/2008/msg00152.html for more detailed information.
In order to patch the OpenSSL vulnerability, issue this command:
apt-get update; apt-get upgrade
Afterwards, you should regenerate your private keys in SSL/TLS enabled applications, such as Citadel. The procedure for doing so on a Citadel installation using the Debian package is:
rm -f /etc/ssl/citadel/*
For an Easy Install system, it is:
rm -f /usr/local/citadel/keys/*
Then restart Citadel to make it generate new keys. If you are making use of certificates signed by a certificate authority, you will need to submit a new CSR to them for re-signing.
Naturally, if you are also running OpenSSH on your server, you will need to regenerate keys for that as well.