Dear all,
We have released a new iRedAdmin (both the open source edition and iRedAdmin-Pro) to address a critical security issue on FreeBSD and OpenBSD systems. Please upgrade immediately.
Note: iRedMail-0.9.5-1 was repacked today with the new iRedAdmin release (0.6.2), which contains this fix.
#########
# The Issue
#
While an admin is logging in, iRedAdmin calls the wrong function to verify a BCRYPT password hash. As a result, if the admin account exists, iRedAdmin accepts any password string and logs the admin in: a full authentication bypass for admin accounts stored with BCRYPT hashes.
############################
# Affected Linux/BSD distributions
#
BCRYPT is available (through the system crypt(3)) on FreeBSD and OpenBSD, but not on Linux, so iRedMail only stores BCRYPT password hashes on FreeBSD and OpenBSD and only those systems are affected. A quick way to tell whether an admin account is at risk: its stored password hash is a bcrypt string, i.e. it starts with "$2a$" or "$2b$" (possibly after a scheme tag such as "{CRYPT}").
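To make the bug class in "The Issue" concrete, and to give a check for the "Affected distributions" question, here is an added example. It is not iRedAdmin's own code and does not reproduce the exact faulty call; it shows a hypothetical login routine that calls a hash format check instead of the password verifier (so any password passes once the account exists), beside the fixed routine and the regression test that catches the bug. bcrypt is not in the Python standard library (and, as noted above, not in Linux crypt(3)), so PBKDF2-HMAC-SHA256 from hashlib stands in for BCRYPT; the shape of the check, and of the mistake, is the same for any salted hash. The in-memory admin table, the account names and the "{SCHEME}" prefix convention are assumptions made for the example.

```python
"""Added example (not iRedAdmin's own code): the bug class described in this
advisory, a login routine that calls the wrong function at the verification
step, beside the fixed routine and the regression check that catches it.

bcrypt is not in the Python standard library, and (as the advisory says) not in
Linux crypt(3), so PBKDF2-HMAC-SHA256 from hashlib stands in for BCRYPT here.
The shape of the check, and of the mistake, is the same for any salted hash.
"""
import hashlib
import hmac
import os
import re

# Constructed in-memory admin table (username -> stored hash). A real deployment
# reads this from SQL or LDAP; the data here is made up for the example.
ADMINS = {}


def hash_password(password, iterations=200_000):
    """Create a stored hash: fresh random salt, parameters embedded in the string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def is_valid_hash(stored):
    """Format check only: says the string LOOKS like one of our hashes.
    It says nothing about whether a given password matches it."""
    return re.fullmatch(r"\$pbkdf2-sha256\$\d+\$[0-9a-f]{32}\$[0-9a-f]{64}", stored) is not None


def verify_password(password, stored):
    """The correct verifier: re-derive with the salt and parameters taken from
    the stored hash, then compare in constant time."""
    if not is_valid_hash(stored):
        return False
    _, _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_buggy(username, password):
    """Bug class from the advisory (hypothetical code, not iRedAdmin's): the
    account lookup is right, but the function called on the stored hash is a
    format check, not a password check, so ANY password string is accepted."""
    stored = ADMINS.get(username)
    if stored is None:
        return False
    return is_valid_hash(stored)  # WRONG: `password` is never looked at


def login_fixed(username, password):
    """Fixed routine: the same lookup, followed by the real verifier."""
    stored = ADMINS.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)


def regression_check(login):
    """The test that catches this bug: the right password must be accepted,
    and wrong, empty and unknown-account logins must all be rejected."""
    ADMINS["postmaster@example.com"] = hash_password("correct horse")
    return (login("postmaster@example.com", "correct horse")
            and not login("postmaster@example.com", "wrong")
            and not login("postmaster@example.com", "")
            and not login("nobody@example.com", "correct horse"))


def is_bcrypt_hash(stored):
    """Deployment check for the "Affected distributions" section: does a stored
    admin password look like a BCRYPT hash? Strips an optional "{SCHEME}" tag
    (the Dovecot/LDAP convention; an assumption, check your own schema), then
    matches the bcrypt modular-crypt format: "$2a$"/"$2b$"/"$2y$", a two-digit
    cost, and 53 salt-and-digest characters."""
    bare = re.sub(r"^\{[^}]+\}", "", stored)
    return re.fullmatch(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", bare) is not None


if __name__ == "__main__":
    print("buggy login passes the regression check:", regression_check(login_buggy))
    print("fixed login passes the regression check:", regression_check(login_fixed))
```

Running the file shows the buggy routine failing the regression check and the fixed one passing it; the same four-case check (right password, wrong password, empty password, unknown account) is the minimum any login path should have in its test suite, whatever the hash algorithm.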
#########################
# Affected iRedAdmin versions
#
This bug was introduced in iRedAdmin (both the open source edition and iRedAdmin-Pro) on May 3, 2016, so the releases published after that date contain it:
* iRedAdmin-0.6.1 (shipped by iRedMail-0.9.5-1)
* iRedAdmin-Pro-SQL-2.4.0
* iRedAdmin-Pro-LDAP-2.6.0
############
# How to fix it
#
* For the iRedAdmin open source edition, please download the latest iRedAdmin-0.6.2 (http://www.iredmail.org/yum/misc/iRedAdmin-0.6.2.tar.bz2) and follow our tutorial to upgrade it:
http://www.iredmail.org/docs/migrate.or.upgrade.iredadmin.html
* For iRedAdmin-Pro, please log in to iRedAdmin-Pro as a global admin, click the "License" button in the top-right corner, then click the "Send me an email with download link" button to get the latest iRedAdmin-Pro release, and follow our tutorial to upgrade it:
http://www.iredmail.org/docs/migrate.or.upgrade.iredadmin.html
----
Zhang Huangbin, founder of iRedMail project:
http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).