diff --git a/CHANGELOG.md b/CHANGELOG.md
index 51cc6f50..8239c210 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,19 @@ Installer:
 * We now run `apt-get autoremove` at the start of setup to clear out old packages, especially old kernels that take up a lot of space. On the first run, this step may take a long time.
+v0.25 (November 15, 2017)
+-------------------------
+
+This update is a security update addressing [CVE-2017-16651, a vulnerability in Roundcube webmail that allows logged-in users to access files on the local filesystem](https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10).
+
+Mail:
+
+* Update to Roundcube 1.3.3.
+
+Control Panel:
+
+* Fix DNS validation to allow wildcard custom DNS entries to be set.
+
 v0.24 (October 3, 2017)
 -----------------------
diff --git a/README.md b/README.md
index f8601cd4..29b208c2 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ by me:
 $ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 gpg: key C10BDD81: public key "Joshua Tauberer " imported
- $ git verify-tag v0.24
+ $ git verify-tag v0.25
 gpg: Signature made ..... using RSA key ID C10BDD81
 gpg: Good signature from "Joshua Tauberer "
 gpg: WARNING: This key is not certified with a trusted signature!
@@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
 Checkout the tag corresponding to the most recent release:
- $ git checkout v0.24
+ $ git checkout v0.25
 Begin the installation.
diff --git a/management/dns_update.py b/management/dns_update.py
index b5daef2d..52dbf38e 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -14,9 +14,9 @@ from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains
 # From https://stackoverflow.com/questions/3026957/how-to-validate-a-domain-name-using-regex-php/16491074#16491074
 # This regular expression matches domain names according to RFCs, it also accepts fqdn with an leading dot,
-# as well as underscores which are allowed in domain names but not hostnames (i.e. allowed in
+# underscores, as well as asteriks which are allowed in domain names but not hostnames (i.e. allowed in
 # DNS but not in URLs), which are common in certain record types like for DKIM.
-DOMAIN_RE = "^(?!\-)(?:[a-zA-Z\d\-_]{0,62}[a-zA-Z\d_]\.){1,126}(?!\d+)[a-zA-Z\d_]{1,63}(\.?)$"
+DOMAIN_RE = "^(?!\-)(?:[*][.])?(?:[a-zA-Z\d\-_]{0,62}[a-zA-Z\d_]\.){1,126}(?!\d+)[a-zA-Z\d_]{1,63}(\.?)$"
 def get_dns_domains(env):
 # Add all domain names in use by email users and mail aliases and ensure
diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index 13d17139..c3205ed1 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -7,7 +7,7 @@
 #########################################################
 if [ -z "$TAG" ]; then
- TAG=v0.24
+ TAG=v0.25
 fi
 # Are we running as root?
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 2a625366..ba745865 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -36,8 +36,8 @@ apt-get purge -qq -y roundcube* #NODOC
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
 # whether we have the latest version of everything.
-VERSION=1.3.1
-HASH=d680f2914a0bff5314d8dda618d55937a13d1c5f
+VERSION=1.3.3
+HASH=903a4eb1bfc25e9a08d782a7f98502cddfa579de
 PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=2.0.4
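Review bot: In management/dns_update.py the new `DOMAIN_RE` leaves the leading-hyphen guard `(?!\-)` in front of the optional `(?:[*][.])?` group, so for a wildcard name the lookahead only inspects the `*` and `*.-example.com` is accepted while `-example.com` is still rejected. Moving the guard behind the wildcard group keeps it on the first real label, and a raw string removes the invalid `\-`, `\d` and `\.` string escapes that newer Python versions warn about: `DOMAIN_RE = r"^(?:[*][.])?(?!\-)(?:[a-zA-Z\d\-_]{0,62}[a-zA-Z\d_]\.){1,126}(?!\d+)[a-zA-Z\d_]{1,63}(\.?)$"`. How the pattern is applied is outside this hunk, but if it is used with `re.match`, the final `$` also accepts a name with a trailing newline; `\Z` would be the stricter anchor if the validated name is later written out verbatim. The updated comment misspells "asterisks" as "asteriks".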