Mailinglist Archive: opensuse-updates (121 mails)

< Previous Next >
openSUSE-SU-2017:0488-1: moderate: Security update for postfixadmin
openSUSE Security Update: Security update for postfixadmin
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:0488-1
Rating: moderate
References: #1024211
Cross-References: CVE-2017-5930
Affected Products:
openSUSE Leap 42.2
openSUSE Leap 42.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:


postfixadmin was updated to 3.0.2 to fix the following issues:

- PostfixAdmin 3.0.2:
- SECURITY: don't allow to delete protected aliases (CVE-2017-5930,
boo#1024211)
- fix VacationHandler for PostgreSQL
- AliasHandler: restrict mailbox subquery to allowed and specified
domains to improve performance on setups with lots of mailboxes
- allow switching between dovecot:* password schemes while still
accepting passwords hashed using the previous dovecot:* scheme
- FetchmailHandler: use a valid date as default for 'date'
- fix date formatting in non-english languages when using PostgreSQL
- various small fixes

- PostfixAdmin 3.0:
- add sqlite backend option
- add configurable smtp helo (CONF["smtp_client"])
- new translation: ro (Romanian)
- language update: tw, cs, de
- fix escaping in gen_show_status() (could be used to DOS list-virtual
by creating a mail address with special chars)
- add CSRF protection for POST requests
- list.tpl: base edit/editactive/delete links in list.tpl on $RAW_item
to avoid double escaping, and fix some corner cases
- fix db_quota_text() for postgresql (concat() vs. ||)
- change default date for 'created' and 'updated' columns from
0000-00-00 (which causes problems with MySQL strict mode) to 2000-01-01
- allow punicode even in TLDs
- update Smarty to 3.1.29
- add checks to login.php and cli to ensure database layout is up to date
- whitelist '-1' as valid value for postfixadmin-cli
- don't stripslashes() the password in pacrypt
- various small bugfixes


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-261=1

- openSUSE Leap 42.1:

zypper in -t patch openSUSE-2017-261=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.2 (noarch):

postfixadmin-3.0.2-3.1

- openSUSE Leap 42.1 (noarch):

postfixadmin-3.0.2-5.1


References:

https://www.suse.com/security/cve/CVE-2017-5930.html
https://bugzilla.suse.com/1024211


< Previous Next >
This Thread
  • No further messages