   openSUSE Security Update: Security update for postfixadmin
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:0488-1
Rating:             moderate
References:         #1024211
Cross-References:   CVE-2017-5930
Affected Products:
                    openSUSE Leap 42.2
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   postfixadmin was updated to 3.0.2 to fix the following issues:

   - PostfixAdmin 3.0.2:
     - SECURITY: don't allow deleting protected aliases (CVE-2017-5930,
       boo#1024211)
     - fix VacationHandler for PostgreSQL
     - AliasHandler: restrict mailbox subquery to allowed and specified
       domains to improve performance on setups with lots of mailboxes
     - allow switching between dovecot:* password schemes while still
       accepting passwords hashed using the previous dovecot:* scheme
     - FetchmailHandler: use a valid date as default for 'date'
     - fix date formatting in non-English languages when using PostgreSQL
     - various small fixes

   - PostfixAdmin 3.0:
     - add sqlite backend option
     - add configurable smtp helo (CONF["smtp_client"])
     - new translation: ro (Romanian)
     - language update: tw, cs, de
     - fix escaping in gen_show_status() (could be used to DOS list-virtual
       by creating a mail address with special chars)
     - add CSRF protection for POST requests
     - list.tpl: base edit/editactive/delete links in list.tpl on $RAW_item
       to avoid double escaping, and fix some corner cases
     - fix db_quota_text() for postgresql (concat() vs. ||)
     - change default date for 'created' and 'updated' columns from
       0000-00-00 (which causes problems with MySQL strict mode) to 2000-01-01
     - allow punycode even in TLDs
     - update Smarty to 3.1.29
     - add checks to login.php and cli to ensure database layout is up to date
     - whitelist '-1' as valid value for postfixadmin-cli
     - don't stripslashes() the password in pacrypt
     - various small bugfixes

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-261=1

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2017-261=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.2 (noarch):

      postfixadmin-3.0.2-3.1

   - openSUSE Leap 42.1 (noarch):

      postfixadmin-3.0.2-5.1

References:

   https://www.suse.com/security/cve/CVE-2017-5930.html
   https://bugzilla.suse.com/1024211