URGENT: security fix required for Nginx configured by iRedMail

Zhang Huangbin

Feb 14, 2018, 1:31:20 PM
to ired...@googlegroups.com
Dear all,

We discovered 2 security issues with the Nginx settings configured by iRedMail. Please follow our tutorial below to fix them.

###############
# About the issue

The default Nginx settings configured by iRedMail don't block access to per-user GPG keys generated with Roundcube (the `enigma` plugin must be enabled, and it's enabled by default with default iRedMail settings) and to all dot files.

For more details, please check the link below:
http://legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt

All credit goes to bitbucket user @exploitagency, thanks for the report in our issue tracker:
https://bitbucket.org/zhb/iredmail/issues/130/multiple-security-issues-with-default

############################
# Affected Linux/BSD distributions

It affects ALL Linux/BSD distributions supported by iRedMail with Nginx running.

######################
# Affected iRedMail releases

It affects iRedMail-0.9.0 and later releases.

############
# How to fix it

Please check our forum post to get a step-by-step tutorial with better text format:
https://forum.iredmail.org/topic13926.html

----
Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).
Available on Telegram: https://t.me/iredmail
