V0.43: Two security fixes

JoshData · September 1, 2019, 11:49am

Hi all. Version v0.43 is published. This version contains two security fixes.

A security issue was discovered in rsync backups. If you have enabled rsync backups, the file id_rsa_miab may have been copied to your backup destination. This file can be used to access your backup destination. If the file was copied to your backup destination, we recommend that you delete the file on your backup destination, delete /root/.ssh/id_rsa_miab on your Mail-in-a-Box, then re-run Mail-in-a-Box setup, and re-configure your SSH public key at your backup destination according to the instructions in the Mail-in-a-Box control panel.
Brute force attack prevention was missing for the managesieve service.

The update also fixes several other problems, including a Nextcloud update problem.

Instructions for updating your box are at https://mailinabox.email/. The full set of changes is below.

mail-in-a-box/mailinabox/blob/v0.43/CHANGELOG.md#changelog

CHANGELOG
=========

v0.43 (September 1, 2019)
-------------------------

Security fixes:

* A security issue was discovered in rsync backups. If you have enabled rsync backups, the file `id_rsa_miab` may have been copied to your backup destination. This file can be used to access your backup destination. If the file was copied to your backup destination, we recommend that you delete the file on your backup destination, delete `/root/.ssh/id_rsa_miab` on your Mail-in-a-Box, then re-run Mail-in-a-Box setup, and re-configure your SSH public key at your backup destination according to the instructions in the Mail-in-a-Box control panel.
* Brute force attack prevention was missing for the managesieve service.

Setup:

* Nextcloud was not upgraded properly after restoring Mail-in-a-Box from a backup from v0.40 or earlier.

Mail:

* Upgraded Roundcube to 1.3.10.
* Fetch an updated whitelist for greylisting on a monthly basis to reduce the number of delayed incoming emails.

This file has been truncated. show original

alento · September 1, 2019, 5:58pm

Question - is there an ETA for the other backup issues … notably the multiple full backup rather than incremental backups, and the saving files as directories? @JoshData

JoshData · September 1, 2019, 8:15pm

I haven’t looked at those issues yet, so no ETA.

blinkingline · September 2, 2019, 4:12pm

Just to confirm, Nextcloud version 15.0.8 is being used in v0.43, correct?
I know that v0.42b says that 15.0.8 was installed in the release notes, but the errors those of us who installed v0.42 saw with the install of v0.42b make me question if that is the case or not.

JoshData · September 2, 2019, 4:39pm

That’s correct. The upgrade error was (hopefully) fixed.

blinkingline · September 2, 2019, 5:49pm

Excellent. I just ran the update and it gave the “Nextcloud is already latest version” status, so it looks good to me!

lloydsmart · September 2, 2019, 8:01pm

Working for me too!

JoshData · September 8, 2019, 8:01pm

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.