Someone recently asked why Citadel “hadn't been updated in over a year.” Actually it has; we simply don't announce every point release. There's always something interesting going on!
This week on FLOSS Weekly, Randall Schwartz and Simon Phipps talk with Art Cancro, lead developer of the Citadel system, about Citadel's history as a BBS platform and the modern groupware platform it offers today. Check it out!
There are two important data management changes starting with Citadel 7.60.
The first one is a big change to how Citadel uses LDAP. You might know that prior to Citadel 7.50, we had the ability to populate an external LDAP address book with the contents of Citadel's global address book. As it turned out, this was not very useful. It was deprecated in 7.50 and has been removed in 7.60. We were fairly certain that nobody was using this feature, and the fact that no one has complained about its deprecation seems to confirm this.
Instead, Citadel 7.60 has the ability to authenticate against an external LDAP directory, which seems to be what most people wanted in the first place. We've supported authentication via the host system for a long time, and in practice most sites seem to combine this with pam_ldap and nss_ldap to allow Citadel to participate in “single sign on” at organizations which use LDAP. So why not make it easy? Citadel 7.60 speaks directly to your LDAP server, and the configuration consists of entering a few simple configuration items instead of all that tedious mucking about in the /etc directory. We support both the industry-standard LDAP schema (RFC 2307) and the most commonly deployed nonstandard schema (Microsoft Active Directory).
The other big change is a complete rewrite of the import/export module. The old way was usable but fairly clumsy. In Citadel 7.60, the database dump format is XML based, and the import/export operations run much faster. And beginning now, we are making the dump format upward compatible, so the target system can be running a newer version of Citadel than the source system. You will not have to upgrade the source system in order to migrate it.
To make this even more useful, we've written an “over the wire” migration utility. When you want to migrate Citadel to a new host system, even one with a different CPU architecture, you just run the migrate utility on the target host, and point it at the source host. The migrate utility will do all of the work for you automatically, producing a perfect clone of your Citadel installation. OpenSSH and rsync are used to copy the parts of your Citadel data that are not stored in the database, such as user profiles (bios), photos and other images, etc. This utility will do for migrations what Easy Install did for installations.
These changes were frequently requested, and we are happy to announce that they are now available.
WebCit is a middleware application which provides a web based user interface for the Citadel groupware system. More information may be found at the project's site at the following URL:
II. DESCRIPTION AND ANALYSIS
WebCit uses a weak encoding for remotely provided data when building a local string, leaving a format string vulnerability. Exploitation of this vulnerability could allow a remote attacker to perform an unauthorized privilege escalation.
Citadel.org has confirmed the existence of this vulnerability in version 7.22 of WebCit. Other components of the Citadel system are not affected.
If you are unable to upgrade your system to a non-vulnerable version of WebCit at this time, you may instead block access to the following URLs using your site's existing edge security tools:
This will prohibit remote exploit of this vulnerability, at the expense of reduced functionality of the program.
V. VENDOR RESPONSE
Citadel.org has confirmed that this vulnerability has been fixed.
If you are using source code downloads, please upgrade to version 7.39 (or later).
If you are using the Easy Install system or the VMware appliance, please run a normal update in order to receive the patch.
If you are using Debian or Ubuntu packages, please upgrade to version 7.38-37 (or later).
Please be advised that you may also be required to upgrade the Citadel server in order to maintain compatibility with a new version of WebCit.
VI. DISCLOSURE TIMELINE
2009-02-13 - discovery of vulnerability
2009-02-13 - fix implemented
2009-03-23 - coordinated public disclosure
This vulnerability was discovered internally by Wilfried Goesgens and patched prior to disclosure.
VIII. LEGAL NOTICES
Copyright © Citadel.org
Permission is granted for unlimited redistribution of this alert. The information in this advisory is believed to be accurate at the time of publishing based on currently available information, and is provided “as is” with no warranties as to its accuracy or applicability. The publisher does not accept liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
A vulnerability involving predictable random numbers has been discovered in the OpenSSL packages included with Debian Etch and Ubuntu systems. This vulnerability affects all software which makes use of SSL/TLS encrypted connections, including Citadel.
Please see http://lists.debian.org/debian-security-announce/2008/msg00152.html for more detailed information.
In order to patch the OpenSSL vulnerability, issue this command:
apt-get update; apt-get upgrade
Afterwards, you should regenerate your private keys in SSL/TLS enabled applications, such as Citadel. The procedure for doing so on a Citadel installation using the Debian package is:
rm -f /etc/ssl/citadel/*
For an Easy Install system, it is:
rm -f /usr/local/citadel/keys/*
Then restart Citadel to make it generate new keys. If you are making use of certificates signed by a certificate authority, you will need to submit a new CSR to them for re-signing.
Naturally, if you are also running OpenSSH on your server, you will need to regenerate keys for that as well.
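The procedure above says to delete the key directory and restart; the two helpers below, added here as an example and not part of Citadel or the Debian packages, make that safer: one retires the old key material into a dated backup directory instead of deleting it (so the old certificate and key stay available for comparison and rollback), and one computes the openssl-blacklist style fingerprint of an RSA modulus so a key can be checked against the Debian weak-key lists both before and after rotation. The blacklist format used (the last 20 hex digits of the SHA-1 over the literal text "Modulus=<HEX>" plus a newline, as printed by `openssl rsa -noout -modulus`) is my reading of the openssl-blacklist package and is an assumption; the key file names used in the comments are likewise assumed, not taken from the post.

```shell
#!/bin/sh
# Added example, not Citadel project code.
# Assumptions: POSIX sh, sha1sum and cut from coreutils; the Citadel key
# directory is one of the two paths named in the post; the blacklist line
# format matches the openssl-blacklist package (last 20 hex digits of
# SHA-1("Modulus=<HEX>\n")).

# Print the 20-character blacklist fingerprint for an RSA modulus given as
# uppercase hex, i.e. exactly the text after "Modulus=" in the output of
# `openssl rsa -in citadel.key -noout -modulus` (file name assumed).
weak_key_fingerprint() {
    mod="$1"
    printf 'Modulus=%s\n' "$mod" | sha1sum | cut -c21-40
}

# Look the modulus up in a blacklist file (one fingerprint per line).
# Prints VULNERABLE and returns 0 on a hit, prints ok and returns 1 otherwise.
#   $1 = modulus hex, $2 = blacklist file (e.g. blacklist.RSA-2048)
check_modulus_against_blacklist() {
    fp=$(weak_key_fingerprint "$1")
    if grep -qx "$fp" "$2"; then
        echo VULNERABLE
        return 0
    fi
    echo ok
    return 1
}

# Retire every regular file in the Citadel key directory into a timestamped
# backup directory, leaving the key directory empty so that Citadel
# regenerates fresh keys on restart. Prints the backup directory path.
# Returns 1 if the key directory does not exist, so a mistyped path cannot
# silently leave the weak keys in service.
#   $1 = key dir (/etc/ssl/citadel or /usr/local/citadel/keys)
#   $2 = directory under which the backup is created
rotate_citadel_keys() {
    keydir="$1"
    backup_root="$2"
    [ -d "$keydir" ] || { echo "no such key directory: $keydir" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$backup_root/citadel-keys-$stamp"
    mkdir -p "$backup"
    for f in "$keydir"/*; do
        [ -f "$f" ] && mv "$f" "$backup/"
    done
    echo "$backup"
    return 0
}
```

Typical use on a Debian package install is `rotate_citadel_keys /etc/ssl/citadel /root/key-backups`, then restart Citadel, then feed the modulus of the newly generated key (and of the retired one from the backup directory) to `check_modulus_against_blacklist` with the blacklist file for its key size; the old key should be reported VULNERABLE and the new one ok before you submit the new CSR to your CA.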
Carla Schroder of Enterprise Networking Planet has written a nice two-part review of the Citadel system. In this review she praises Citadel's intuitive, user-focused interface and its easy system administration, going as far as to declare it her favorite groupware and messaging server.
Read both parts of the article here:
Thanks for the kind words, Carla!
We are pleased to announce that an Outlook Connector product is now available that allows Microsoft Outlook to seamlessly and effortlessly access many of Citadel's groupware and collaboration functions, including not only email but also server-side calendars and address books, tasks, notes, and more.
This product has been built by Bynari, Inc. with a large amount of collaboration and input from the Citadel project and other groupware projects. All data is stored on the server in open standard formats.
We hope that this new development eliminates the perceived need for Microsoft Exchange in many organizations and will allow them to migrate to Citadel.
Just after 9/11/01, some of the 11,000 FCC licensed volunteer Amateur Radio operators in Minnesota decided they could build a radio based data network covering the region. This network would provide a reliable “last ditch” email and data capability in the event of an emergency that disabled or overloaded normal communications channels. They passed the hat and collected enough funds and donated equipment to complete the first phase of the network using AX.25 packet radio technology, which has been running to commercial reliability standards since 2002.
Citadel was chosen as the email and conferencing system for this network, due to its compact size and versatile client options – including its text-mode client, which turned out to be perfect for 100 Kbps packet radio connections.
The developers of the Citadel messaging and collaboration system are pleased to announce that we are now releasing all of our software under version 3 of the GNU General Public License.
There has been an intentional effort by a particular producer of non-free software to subvert, erode, circumvent, and otherwise undermine the spirit of free software. In the light of recent events, it has become clear to us that GPLv3 will provide stronger protection from patent problems and license circumvention.
Citadel remains the only messaging and collaboration system offering end-to-end GPL across the entire code base, and we continue to lead in this area by being the first to adopt GPLv3. Furthermore, when compared with other systems in its category, Citadel remains the only one that is comprised of end-to-end free software at all. Others offer a feature-limited free version but require a paid license in order to use the “enterprise” or “network” edition. Citadel has no such limitation; we make our very best work available to everyone on the same terms.
News index (title, date posted, author):
Check the download site for the latest releases, 2014-12-15, Art Cancro
FLOSS Weekly talks Citadel, 2012-05-04, Art Cancro
Data management changes in Citadel 7, 2009-05-03, Art Cancro
Citadel.org security advisory - 2009-march-23, 2009-03-23, Art Cancro
OpenSSL vulnerability in Debian Etch and Ubuntu, 2008-05-13, Art Cancro
Citadel reviewed by Enterprise Networking Planet, 2008-04-21, Art Cancro
Microsoft Outlook is now supported!, 2008-03-16, Art Cancro
Citadel adopted by packet radio network, 2007-11-28, Art Cancro
Citadel adopts GPLv3, 2007-07-30, Art Cancro
GroupDAV: Standardizing Groupware, 2007-07-02
Access your Citadel calendar and contacts from Thunderbird, 2007-07-02
Calendar library update for 2007 DST changes, 2007-02-27, Art Cancro
Citadel featured in Linux Journal, 2007-02-08, Art Cancro