merge v0.25 security release

2017-11-15 11:27:30 -05:00 · 2017-11-15 11:27:30 -05:00 · 5f14eca67f
parent f080eabb3a 8944cd7980
commit 5f14eca67f
5 changed files with 20 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -17,6 +17,19 @@ Installer:
 * We now run `apt-get autoremove` at the start of setup to clear out old packages, especially old kernels that take up a lot of space. On the first run, this step may take a long time.
 v0.25 (November 15, 2017)
 -------------------------
 This update is a security update addressing [CVE-2017-16651, a vulnerability in Roundcube webmail that allows logged-in users to access files on the local filesystem](https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10).
 Mail:
 * Update to Roundcube 1.3.3.
 Control Panel:
 * Fix DNS validation to allow wildcard custom DNS entries to be set.
 v0.24 (October 3, 2017)
 -----------------------
--- a/README.md
+++ b/README.md
@ -59,7 +59,7 @@ by me:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
-	$ git verify-tag v0.24
+	$ git verify-tag v0.25
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
 Checkout the tag corresponding to the most recent release:
-	$ git checkout v0.24
+	$ git checkout v0.25
 Begin the installation.
--- a/management/dns_update.py
+++ b/management/dns_update.py
@ -14,9 +14,9 @@ from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains
 # From https://stackoverflow.com/questions/3026957/how-to-validate-a-domain-name-using-regex-php/16491074#16491074
 # This regular expression matches domain names according to RFCs, it also accepts fqdn with an leading dot,
-# as well as underscores which are allowed in domain names but not hostnames (i.e. allowed in
+# underscores, as well as asteriks which are allowed in domain names but not hostnames (i.e. allowed in
 # DNS but not in URLs), which are common in certain record types like for DKIM.
-DOMAIN_RE = "^(?!\-)(?:[a-zA-Z\d\-_]{0,62}[a-zA-Z\d_]\.){1,126}(?!\d+)[a-zA-Z\d_]{1,63}(\.?)$"
+DOMAIN_RE = "^(?!\-)(?:[*][.])?(?:[a-zA-Z\d\-_]{0,62}[a-zA-Z\d_]\.){1,126}(?!\d+)[a-zA-Z\d_]{1,63}(\.?)$"
 def get_dns_domains(env):
 	# Add all domain names in use by email users and mail aliases and ensure
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@ -7,7 +7,7 @@
 #########################################################
 if [ -z "$TAG" ]; then
-	TAG=v0.24
+	TAG=v0.25
 fi
 # Are we running as root?
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -36,8 +36,8 @@ apt-get purge -qq -y roundcube* #NODOC
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
 # whether we have the latest version of everything.
-VERSION=1.3.1
+VERSION=1.3.3
-HASH=d680f2914a0bff5314d8dda618d55937a13d1c5f
+HASH=903a4eb1bfc25e9a08d782a7f98502cddfa579de
 PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=2.0.4