From d7d8bda0a40e82c3e11c4447b5113964a9bd9673 Mon Sep 17 00:00:00 2001
From: Michael Kroes
Date: Fri, 25 Mar 2016 13:37:55 +0100
Subject: [PATCH 01/15] Instructions on how to create a web site for a domain weren't rendered. Users would miss the step about manually creating the directory to put files in there and wouldn't see anything happen
---
management/templates/web.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/management/templates/web.html b/management/templates/web.html
index 6f594eeb..6a09ef0e 100644
--- a/management/templates/web.html
+++ b/management/templates/web.html
@@ -82,7 +82,7 @@ function show_change_web_root(elem) { var root = $(elem).parents('tr').attr('data-custom-web-root'); show_modal_confirm( 'Change Root Directory for ' + domain, - $('

You can change the static directory for ' + domain + ' to:

' + root + '

First create this directory on the server. Then click Update to scan for the directory and update web settings.'), + $('

You can change the static directory for ' + domain + ' to:

' + root + '

First create this directory on the server. Then click Update to scan for the directory and update web settings.

'), 'Update', function() { do_web_update(); }); }
From f6e0af124f60ce46f49a2343344d970417dd7e32 Mon Sep 17 00:00:00 2001
From: david
Date: Fri, 25 Mar 2016 20:16:51 +0100
Subject: [PATCH 02/15] updated html5_notifier version to 0.6.2 in setup
---
setup/webmail.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 58faad58..053dbacc 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -38,7 +38,7 @@ VERSION=1.1.4 HASH=4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3 VACATION_SIEVE_VERSION=91ea6f52216390073d1f5b70b5f6bea0bfaee7e5 PERSISTENT_LOGIN_VERSION=1e9d724476a370ce917a2fcd5b3217b0c306c24e
-HTML5_NOTIFIER_VERSION=046eb388dd63b1ec77a3ee485757fc25ae9e684d
+HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
UPDATE_KEY=$VERSION:$VACATION_SIEVE_VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:a needs_update=0 #NODOC if [ ! -f /usr/local/lib/roundcubemail/version ]; then
From 454a2b167bfca0c07363632cf2b2270057bd9fec Mon Sep 17 00:00:00 2001
From: Michael Kroes
Date: Sat, 26 Mar 2016 09:04:51 +0100
Subject: [PATCH 03/15] Stop fail2ban recidive from sending emails, like all other jails
---
conf/fail2ban/jail.local | 1 +
1 file changed, 1 insertion(+)
diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local
index b9340e52..d2a12f33 100644
--- a/conf/fail2ban/jail.local
+++ b/conf/fail2ban/jail.local
@@ -27,3 +27,4 @@ maxretry = 20 [recidive] enabled = true maxretry = 10
+action = iptables-allports[name=recidive]
From 4d7229ccb01a506b89e240479b244a6b3faa50c6 Mon Sep 17 00:00:00 2001
From: Michael Kroes
Date: Sat, 26 Mar 2016 13:37:33 +0100
Subject: [PATCH 04/15] Add documentation on why the notification was removed from the recidive jail
---
conf/fail2ban/jail.local | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local
index d2a12f33..cc741c80 100644
--- a/conf/fail2ban/jail.local
+++ b/conf/fail2ban/jail.local
@@ -28,3 +28,13 @@ maxretry = 20 enabled = true maxretry = 10 action = iptables-allports[name=recidive]
+# In the recidive section of jail.conf the action contains:
+#
+# action = iptables-allports[name=recidive]
+# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
+#
+# The last line on the action will sent an email to the configured address. This mail will
+# notify the administrator that someone has been repeatedly triggering one of the other jails.
+# By default we don't configure this address and no action is required from the admin anyway.
+# So the notification is ommited. This will prevent message appearing in the mail.log that mail
+# can't be delivered to fail2ban@$HOSTNAME.
From f292e8fc5bac5fd1a3e1158c2a34d81ebb650801 Mon Sep 17 00:00:00 2001
From: Michael Kroes
Date: Sat, 26 Mar 2016 14:06:43 +0100
Subject: [PATCH 05/15] Add generic login failed message
---
management/daemon.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/management/daemon.py b/management/daemon.py
index 690f8b0f..5400925f 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -43,7 +43,7 @@ def authorized_personnel_only(viewfunc): except ValueError as e: # Authentication failed. privs = []
- error = str(e)
+ error = "Incorrect username or password"
# Authorized to access an API view? if "admin" in privs:
@@ -119,7 +119,7 @@ def me(): except ValueError as e: return json_response({ "status": "invalid",
- "reason": str(e),
+ "reason": "Incorrect username or password",
}) resp = {
From c5e8a975cd90ecab3481cf6cf5bfa94243b15da5 Mon Sep 17 00:00:00 2001
From: Tibor Blaho
Date: Thu, 31 Mar 2016 00:07:48 +0200
Subject: [PATCH 06/15] Fix denied ownCloud nginx locations
---
conf/nginx-primaryonly.conf | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index 8fd546af..55c80eba 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
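Review bot: In both hunks of daemon.py the bound exception `e` is no longer read once `str(e)` is replaced, so `except ValueError as e:` should become `except ValueError:`, and the original reason should be recorded server-side (a log line with the client address) rather than discarded, because the generic message otherwise hides the cause from operators as well as from the client; PATCH 12 re-applies the same two hunks and has the same issue. Both `authorized_personnel_only` and `me` start before and continue after their hunks. Note that a uniform message closes only the wording channel: whether an unknown address and a wrong password take distinguishably different time is decided in the authentication code outside these hunks and is worth checking separately.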
@@ -18,8 +18,11 @@ rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html; location /cloud/ { alias /usr/local/lib/owncloud/;
- location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
- deny all;
+ location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
+ deny all;
+ }
+ location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
} } location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
From eb8cfaab756ba7593378b8195904288182ea2d64 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Thu, 31 Mar 2016 10:20:13 -0400
Subject: [PATCH 07/15] changelog entry for html5_notifier bump
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8c91d77..2f6a4e3f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ In Development Mail: * Fixed a long-standing issue with training the spam filter not working (because of a file permissions issue).
+* Update the Roundcube html5_notifier plugin from version 0.6 to 0.6.2 to fix Roundcube getting stuck for some people.
Control panel:
From 7fa9baf308565b3dc90acb29c4325cd78042c8fd Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 23 Mar 2016 16:51:01 -0400
Subject: [PATCH 08/15] hotfix merge #744 - Fix for putty Line Drawing issues
---
CHANGELOG.md | 7 +++++++
setup/start.sh | 3 +++
2 files changed, 10 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c99020b..cc31fd74 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,13 @@ CHANGELOG =========
+In Development
+--------------
+
+Setup:
+
+* Setup dialogs did not appear correctly when connecting to SSH using Putty on Windows.
+
v0.17b (March 1, 2016) ----------------------
diff --git a/setup/start.sh b/setup/start.sh
index ab6d3055..cbcb9329 100755
--- a/setup/start.sh
+++ b/setup/start.sh
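Review bot: The nested `deny all` blocks are only consulted when the `location /cloud/` prefix block wins, but the sibling regex location `^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$` at the outer level is tested before a plain prefix match is accepted, so a request for a PHP file in the ownCloud root whose name starts with one of the listed prefixes (for example `/cloud/console.php`) is routed to the PHP handler and never meets the nested `console` deny rule. Moving the two `deny` locations to the outer level, above the PHP location (where ownCloud's documented nginx config places them), makes the precedence explicit; PATCH 13 re-applies this same hunk. Whether anything under those paths is harmful to serve is not visible here, so treat this as defence in depth rather than a demonstrated exposure.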
@@ -23,6 +23,9 @@ export LC_ALL=en_US.UTF-8 export LANG=en_US.UTF-8 export LC_TYPE=en_US.UTF-8
+# Fix so line drawing characters are shown correctly in Putty on Windows. See #744.
+export NCURSES_NO_UTF8_ACS=1
+
# Recall the last settings used if we're running this a second time. if [ -f /etc/mailinabox.conf ]; then # Run any system migrations before proceeding. Since this is a second run,
From aa1fdaddaf83e05a2d03ceb7dea5df1be80b9fae Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 23 Mar 2016 16:53:48 -0400
Subject: [PATCH 09/15] hotfix merge #755 - Prevent click jacking of the management interface
---
CHANGELOG.md | 4 ++++
conf/nginx-primaryonly.conf | 3 +++
2 files changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc31fd74..cf5578d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ CHANGELOG In Development --------------
+Control panel:
+
+* Prevent click-jacking of the management interface by adding HTTP headers.
+
Setup: * Setup dialogs did not appear correctly when connecting to SSH using Putty on Windows.
diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index 2fb9972e..8fd546af 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -6,6 +6,9 @@ location /admin/ { proxy_pass http://127.0.0.1:10222/; proxy_set_header X-Forwarded-For $remote_addr;
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options nosniff;
+ add_header Content-Security-Policy "frame-ancestors 'none';";
} # ownCloud configuration.
From b3223136f443a0330b5da48d0d06da62af728720 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 23 Mar 2016 17:31:24 -0400
Subject: [PATCH 10/15] hotfix - install roundcube from our own mirror, hosted in Josh's AWS S3 account, because sourceforge is down all the time fixes #750, see #701, see #370 was df92a10ebab66ee0511c2fbe604c623055c83326
---
CHANGELOG.md | 1 +
setup/webmail.sh | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
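Review bot: `add_header` attaches these three headers only to 2xx/3xx responses, so a 401 or 403 coming back from the proxied management backend — including the reply to a failed login — is served from `/admin/` without `X-Frame-Options` or `frame-ancestors`; nginx 1.7.5 and later accept an `always` parameter (`add_header X-Frame-Options "DENY" always;`) to cover every status code, so check whether the installed nginx is new enough and, if not, record the gap in a comment. Defining `add_header` inside this location also stops any `add_header` lines in the enclosing server block from being inherited, so headers intended for the whole site must be repeated here. A one-line comment tying the block to its purpose would help future readers, e.g. `# Anti-clickjacking / MIME-sniffing defences for the control panel (see #755).`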
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf5578d0..b20c863d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ Control panel: Setup: * Setup dialogs did not appear correctly when connecting to SSH using Putty on Windows.
+* We now install Roundcube from our own mirror because Sourceforge's downloads experience frequent intermittant unavailability.
v0.17b (March 1, 2016) ----------------------
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 2bef9f98..58faad58 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -51,7 +51,7 @@ fi if [ $needs_update == 1 ]; then # install roundcube wget_verify \
- https://downloads.sourceforge.net/project/roundcubemail/roundcubemail/$VERSION/roundcubemail-$VERSION.tar.gz \
+ https://s3.amazonaws.com/joshdata/mail-in-a-box/public/roundcubemail-$VERSION.tar.gz \
$HASH \ /tmp/roundcube.tgz tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz
From 703e6795e81b6d927d4565a6beac62d4dfd1c350 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 26 Mar 2016 07:42:18 -0400
Subject: [PATCH 11/15] hotfix merge #769 - update the Roundcube html5_notifier plugin from version 0.6 to 0.6.2 fixes Roundcube getting stuck for some people, hopefully fixes #693
---
CHANGELOG.md | 4 ++++
setup/webmail.sh | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b20c863d..6469817e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ CHANGELOG In Development --------------
+Mail:
+
+* Roundcube html5_notifier plugin updated from version 0.6 to 0.6.2 to fix Roundcube getting stuck for some people.
+
Control panel: * Prevent click-jacking of the management interface by adding HTTP headers.
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 58faad58..053dbacc 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
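Review bot: After this change the integrity of the Roundcube tarball rests entirely on `wget_verify` comparing the download against `$HASH`, because the new host is a personal S3 bucket rather than the upstream release channel; that is sound only if `HASH` is always updated in lock-step with `VERSION`, and the hunk should say so, e.g. `# Our own mirror of the upstream tarball; wget_verify pins it to $HASH, so bump HASH together with VERSION.` The `if [ $needs_update == 1 ]` block and the definition of `wget_verify` continue outside the hunk.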
@@ -38,7 +38,7 @@ VERSION=1.1.4 HASH=4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3 VACATION_SIEVE_VERSION=91ea6f52216390073d1f5b70b5f6bea0bfaee7e5 PERSISTENT_LOGIN_VERSION=1e9d724476a370ce917a2fcd5b3217b0c306c24e
-HTML5_NOTIFIER_VERSION=046eb388dd63b1ec77a3ee485757fc25ae9e684d
+HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
UPDATE_KEY=$VERSION:$VACATION_SIEVE_VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:a needs_update=0 #NODOC if [ ! -f /usr/local/lib/roundcubemail/version ]; then
From 3843f63416b3f185f1505a16c4798b30148e40b2 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 26 Mar 2016 09:22:02 -0400
Subject: [PATCH 12/15] hotfix merge #772 - yodax/generic-login-message Make control panel login failed messages generic - don't reveal if an email address has an account on the system.
---
CHANGELOG.md | 1 +
management/daemon.py | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6469817e..661ca739 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ Mail: Control panel: * Prevent click-jacking of the management interface by adding HTTP headers.
+* Failed login no longer reveals whether an account exists on the system.
Setup:
diff --git a/management/daemon.py b/management/daemon.py
index 6de0a59a..04c68a0e 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -49,7 +49,7 @@ def authorized_personnel_only(viewfunc): except ValueError as e: # Authentication failed. privs = []
- error = str(e)
+ error = "Incorrect username or password"
# Authorized to access an API view? if "admin" in privs:
@@ -125,7 +125,7 @@ def me(): except ValueError as e: return json_response({ "status": "invalid",
- "reason": str(e),
+ "reason": "Incorrect username or password",
}) resp = {
From e65c77588e45378e8b85e55d35e3653aa1c41ec9 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Thu, 31 Mar 2016 10:20:21 -0400
Subject: [PATCH 13/15] hotfix merge #776 - some owncloud paths were improperly exposed over http
---
conf/nginx-primaryonly.conf | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index 8fd546af..55c80eba 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -18,8 +18,11 @@ rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html; location /cloud/ { alias /usr/local/lib/owncloud/;
- location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
- deny all;
+ location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
+ deny all;
+ }
+ location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
} } location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
From 86881c0107d574d94392666418a762014d071b62 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Thu, 31 Mar 2016 10:46:06 -0400
Subject: [PATCH 14/15] v0.17c
---
CHANGELOG.md | 10 ++++++++--
README.md | 4 ++--
setup/bootstrap.sh | 2 +-
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 661ca739..bc577bd2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,14 @@ CHANGELOG =========
-In Development --------------
+v0.17c (April 1, 2016)
+----------------------
+
+This update addresses some minor security concerns and some installation issues.
+
+ownCoud:
+
+* Block web access to the configuration parameters (config.php). There is no immediate impact (see [#776](https://github.com/mail-in-a-box/mailinabox/pull/776)), although advanced users may want to take note.
Mail:
diff --git a/README.md b/README.md
index d8329054..a12e48bb 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ by me: $ curl -s https://keybase.io/joshdata/key.asc | gpg --import gpg: key C10BDD81: public key "Joshua Tauberer " imported
- $ git verify-tag v0.17b
+ $ git verify-tag v0.17c
gpg: Signature made ..... using RSA key ID C10BDD81 gpg: Good signature from "Joshua Tauberer " gpg: WARNING: This key is not certified with a trusted signature!
@@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r Checkout the tag corresponding to the most recent release:
- $ git checkout v0.17b
+ $ git checkout v0.17c
Begin the installation.
diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index 6ff21c50..3e793576 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -7,7 +7,7 @@ ######################################################### if [ -z "$TAG" ]; then
- TAG=v0.17b
+ TAG=v0.17c
fi # Are we running as root?
From 703a963ae55a742942f1014931c704ca1fbf438a Mon Sep 17 00:00:00 2001
From: msgerbs
Date: Tue, 5 Apr 2016 00:54:26 -0500
Subject: [PATCH 15/15] Add SRV record to the Custom DNS page Add SRV to the drop-down to add a custom DNS zone. I made this change on my up-to-date install and it worked without any issues.
---
management/templates/custom-dns.html | 1 +
1 file changed, 1 insertion(+)
diff --git a/management/templates/custom-dns.html b/management/templates/custom-dns.html
index f1244810..bd5643c3 100644
--- a/management/templates/custom-dns.html
+++ b/management/templates/custom-dns.html
@@ -36,6 +36,7 @@ +