V0.43: Two security fixes

Hi all. Version v0.43 is published. This version contains two security fixes.

  • A security issue was discovered in rsync backups. If you have enabled rsync backups, the file id_rsa_miab may have been copied to your backup destination. This file can be used to access your backup destination. If the file was copied to your backup destination, we recommend that you delete the file on your backup destination, delete /root/.ssh/id_rsa_miab on your Mail-in-a-Box, then re-run Mail-in-a-Box setup, and re-configure your SSH public key at your backup destination according to the instructions in the Mail-in-a-Box control panel.
  • Brute force attack prevention was missing for the managesieve service.

The update also fixes several other problems, including a Nextcloud update problem.

Instructions for updating your box are at https://mailinabox.email/. The full set of changes is below.
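
A check that could be run on the backup destination to look for the copied key file described in the announcement above. This is an added example, not part of the original post and not Mail-in-a-Box code; the backup directory argument, the function names and the sample tree are assumptions, and the sample files are constructed placeholders, not key material.

```shell
#!/bin/sh
# Added example: look for a copied SSH private key in an rsync backup target.

# find_leaked_keys DIR
# Prints every regular file under DIR that is named id_rsa_miab, or whose
# first bytes carry a PEM/OpenSSH private-key header (catches renamed copies).
find_leaked_keys() {
    root=$1
    find "$root" -type f | while IFS= read -r f; do
        case "$(basename "$f")" in
            id_rsa_miab)
                printf '%s\n' "$f"
                continue
                ;;
        esac
        # Read only the first 64 bytes so large backup volumes are not scanned.
        if head -c 64 "$f" 2>/dev/null |
            LC_ALL=C grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_tree
# Builds a constructed directory tree for trying the check offline and
# prints its path. File contents are placeholders.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/box/sub"
    printf '%s\n' 'constructed placeholder, not a key' > "$d/box/id_rsa_miab"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED' \
        > "$d/box/sub/renamed_copy"
    printf '%s\n' 'constructed encrypted volume bytes' \
        > "$d/box/duplicity-full.vol1.difftar.gpg"
    printf '%s\n' "$d"
}

# Usage: sh check_backup.sh /path/to/backup/dir   (path is an assumption)
if [ $# -gt 0 ]; then
    find_leaked_keys "$1"
fi
```

Any path it prints is a candidate for the deletion step in the announcement; an empty result only covers the directory that was scanned.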


Question - is there an ETA for the other backup issues … notably the multiple full backups rather than incremental backups, and the saving files as directories? @JoshData

I haven’t looked at those issues yet, so no ETA.

Just to confirm, Nextcloud version 15.0.8 is being used in v0.43, correct?
I know that v0.42b says that 15.0.8 was installed in the release notes, but the errors those of us who installed v0.42 saw with the install of v0.42b make me question if that is the case or not.

That’s correct. The upgrade error was (hopefully) fixed.

Excellent. I just ran the update and it gave the “Nextcloud is already latest version” status, so it looks good to me!

Working for me too! :smiley:

