Attention: 2 security fixes -- Roundcube and iRedMail (MySQL) backup script


Zhang Huangbin

Mar 15, 2017, 11:00:21 PM
to ired...@googlegroups.com
Dear all,

There’re 2 security fixes you need to follow immediately:

*) Roundcube webmail 1.2.4 (and 1.1.8) has been released on March 10, 2017, including a fix for a recently reported XSS security issue with CSS styles inside an SVG tag.

Please upgrade Roundcube as soon as possible to fix it.

*) Possible backdooring mysqldump backups.

Quote from https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/

"mysqldump is a common utility used to create logical backups of MySQL databases. By default, it generates a .sql file containing the queries to create/drop tables and insert your data. By crafting malicious table name, an attacker can execute arbitrary SQL queries and shell commands if the dump file is imported."

If you're running iRedMail with one of the OpenLDAP, ldapd (OpenBSD only), MySQL or MariaDB backends, please follow the steps below to fix it:

- Open the daily MySQL backup script; it's /var/vmail/backup/backup_mysql.sh by default. If you used a different storage directory during iRedMail installation, you can find the base directory with the command "postconf virtual_mailbox_base".

- Find the variable CMD_MYSQLDUMP, like below:

export CMD_MYSQLDUMP="mysqldump ..."

- Make sure it has the argument "--skip-comments", like below:

export CMD_MYSQLDUMP="mysqldump ... --skip-comments"

- Save the change.

----
Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).
Available on Telegram: https://t.me/iredmail
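The check described in the steps above, as an added example that is not part of this thread or of the iRedMail project's own scripts: a POSIX shell script that inspects the CMD_MYSQLDUMP line of a backup script for --skip-comments and appends the flag when it is missing. The demo file path and its contents are constructed; the real file on a default iRedMail install is /var/vmail/backup/backup_mysql.sh.

```shell
#!/bin/sh
# Added example, not iRedMail project code. Audits an iRedMail-style backup
# script for the CMD_MYSQLDUMP assignment and hardens it with --skip-comments,
# the mitigation the advisory above asks for.

# Print the first "export CMD_MYSQLDUMP=..." line found in the script FILE.
get_cmd_mysqldump() {
    grep -E '^[[:space:]]*export[[:space:]]+CMD_MYSQLDUMP=' "$1" | head -n 1
}

# Return 0 if that line already carries --skip-comments, 1 otherwise.
has_skip_comments() {
    get_cmd_mysqldump "$1" | grep -q -- '--skip-comments'
}

# Insert --skip-comments just before the closing quote of the CMD_MYSQLDUMP
# value. Keeps a .bak copy and is a no-op when the flag is already present.
add_skip_comments() {
    file="$1"
    if has_skip_comments "$file"; then
        return 0
    fi
    cp "$file" "$file.bak"
    sed -E 's/^([[:space:]]*export[[:space:]]+CMD_MYSQLDUMP="[^"]*)"/\1 --skip-comments"/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on a constructed stand-in for backup_mysql.sh (not the real file).
demo() {
    tmp="${TMPDIR:-/tmp}/backup_mysql_demo.$$"
    printf '%s\n' '#!/bin/bash' \
        'export CMD_MYSQLDUMP="mysqldump -u root --single-transaction"' > "$tmp"
    if has_skip_comments "$tmp"; then
        echo "already hardened: $(get_cmd_mysqldump "$tmp")"
    else
        echo "missing --skip-comments, fixing"
        add_skip_comments "$tmp"
        echo "now: $(get_cmd_mysqldump "$tmp")"
    fi
    rm -f "$tmp" "$tmp.bak"
}

demo
```

Run it against the real script with `has_skip_comments /var/vmail/backup/backup_mysql.sh` before and after editing to confirm the flag took effect.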

Zhang Huangbin

Mar 16, 2017, 12:13:03 PM
to ired...@googlegroups.com

> On Mar 16, 2017, at 11:00 AM, Zhang Huangbin <z...@iredmail.org> wrote:
>
> There’re 2 security fixes you need to follow immediately:

Quick update: iRedMail-0.9.6 has been repacked with Roundcube 1.2.4 and the fix for the MySQL backup script; it also fixes an installation issue on FreeBSD.

No new features or other bug fixes are in this repack, so no upgrade tutorial is required for deployed iRedMail-0.9.6 servers.