diff --git a/CHANGELOG.md b/CHANGELOG.md index f8c91d77..b997d16b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,27 @@ Control panel: Setup: * A swap file is now created if system memory is less than 2GB, 5GB of free disk space is available, and if no swap file yet exists. + +v0.17c (April 1, 2016) +---------------------- + +This update addresses some minor security concerns and some installation issues. + +ownCoud: + +* Block web access to the configuration parameters (config.php). There is no immediate impact (see [#776](https://github.com/mail-in-a-box/mailinabox/pull/776)), although advanced users may want to take note. + +Mail: + +* Roundcube html5_notifier plugin updated from version 0.6 to 0.6.2 to fix Roundcube getting stuck for some people. + +Control panel: + +* Prevent click-jacking of the management interface by adding HTTP headers. +* Failed login no longer reveals whether an account exists on the system. + +Setup: + * Setup dialogs did not appear correctly when connecting to SSH using Putty on Windows. * We now install Roundcube from our own mirror because Sourceforge's downloads experience frequent intermittant unavailability. diff --git a/README.md b/README.md index d8329054..a12e48bb 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ by me: $ curl -s https://keybase.io/joshdata/key.asc | gpg --import gpg: key C10BDD81: public key "Joshua Tauberer " imported - $ git verify-tag v0.17b + $ git verify-tag v0.17c gpg: Signature made ..... using RSA key ID C10BDD81 gpg: Good signature from "Joshua Tauberer " gpg: WARNING: This key is not certified with a trusted signature! @@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r Checkout the tag corresponding to the most recent release: - $ git checkout v0.17b + $ git checkout v0.17c Begin the installation. diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index b9340e52..cc741c80 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -27,3 +27,14 @@ maxretry = 20 [recidive] enabled = true maxretry = 10 +action = iptables-allports[name=recidive] +# In the recidive section of jail.conf the action contains: +# +# action = iptables-allports[name=recidive] +# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] +# +# The last line on the action will sent an email to the configured address. This mail will +# notify the administrator that someone has been repeatedly triggering one of the other jails. +# By default we don't configure this address and no action is required from the admin anyway. +# So the notification is ommited. This will prevent message appearing in the mail.log that mail +# can't be delivered to fail2ban@$HOSTNAME. diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf index 8fd546af..55c80eba 100644 --- a/conf/nginx-primaryonly.conf +++ b/conf/nginx-primaryonly.conf @@ -18,8 +18,11 @@ rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html; location /cloud/ { alias /usr/local/lib/owncloud/; - location ~ ^/(data|config|\.ht|db_structure\.xml|README) { - deny all; + location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ { + deny all; + } + location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; } } location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ { diff --git a/management/daemon.py b/management/daemon.py index 690f8b0f..5400925f 100755 --- a/management/daemon.py +++ b/management/daemon.py @@ -43,7 +43,7 @@ def authorized_personnel_only(viewfunc): except ValueError as e: # Authentication failed. privs = [] - error = str(e) + error = "Incorrect username or password" # Authorized to access an API view? if "admin" in privs: @@ -119,7 +119,7 @@ def me(): except ValueError as e: return json_response({ "status": "invalid", - "reason": str(e), + "reason": "Incorrect username or password", }) resp = { diff --git a/management/templates/custom-dns.html b/management/templates/custom-dns.html index f1244810..bd5643c3 100644 --- a/management/templates/custom-dns.html +++ b/management/templates/custom-dns.html @@ -36,6 +36,7 @@ + diff --git a/management/templates/web.html b/management/templates/web.html index 6f594eeb..6a09ef0e 100644 --- a/management/templates/web.html +++ b/management/templates/web.html @@ -82,7 +82,7 @@ function show_change_web_root(elem) { var root = $(elem).parents('tr').attr('data-custom-web-root'); show_modal_confirm( 'Change Root Directory for ' + domain, - $('

You can change the static directory for ' + domain + ' to:

' + root + '

First create this directory on the server. Then click Update to scan for the directory and update web settings.'), + $('

You can change the static directory for ' + domain + ' to:

' + root + '

First create this directory on the server. Then click Update to scan for the directory and update web settings.

'), 'Update', function() { do_web_update(); }); } diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index 6ff21c50..3e793576 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh @@ -7,7 +7,7 @@ ######################################################### if [ -z "$TAG" ]; then - TAG=v0.17b + TAG=v0.17c fi # Are we running as root? diff --git a/setup/webmail.sh b/setup/webmail.sh index 58faad58..053dbacc 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -38,7 +38,7 @@ VERSION=1.1.4 HASH=4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3 VACATION_SIEVE_VERSION=91ea6f52216390073d1f5b70b5f6bea0bfaee7e5 PERSISTENT_LOGIN_VERSION=1e9d724476a370ce917a2fcd5b3217b0c306c24e -HTML5_NOTIFIER_VERSION=046eb388dd63b1ec77a3ee485757fc25ae9e684d +HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5 UPDATE_KEY=$VERSION:$VACATION_SIEVE_VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:a needs_update=0 #NODOC if [ ! -f /usr/local/lib/roundcubemail/version ]; then