Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.

Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.

The vulnerability was created by 6d6f3ea3.

See #914.

This is the v0.19b hotfix commit.

Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.

Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.

fixes #911

Merge pull request #900 from mail-in-a-box/code_of_conduct

Signed-off-by: Marius Blüm <marius@lineone.io>

Merge https://github.com/mar1u5/mailinabox

fixes #901

closes #898

Signed-off-by: Marius Blüm <marius@lineone.io>

Signed-off-by: Marius Blüm <marius@lineone.io>

DavDroid's latest version's account configuration no longer just asked for a hostname. Its email address & password configuration mode did not work without a SRV record.

This is checked during preflight. See https://github.com/mail-in-a-box/mailinabox/issues/885 (#889)

Added information about API endpoints

add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon

Small extension to mail log management script

Remove owncloud log configuration from initial setup and only apply it during the configuration updates. This applies to both the timezone and the log format

Owncloud needs more time to detect blocks. It doesn't respond as fast as the other services. Also owncloud logs UTC (since latest update) even though the timezone is not UTC. Also to detect a block, we get a timeout instead of a refused)

for DANE, the smtp_tls_mandatory_protocols setting seems like it also needs to be set (unlike the cipher settings, this isn't documented to be in addition to the non-mandatory setting)

outbound SMTP connections should use the same TLS settings as inbound: drop SSLv2, SSLv3, anonymous ciphers, RC4

Per http://googleappsupdates.blogspot.ro/2016/05/disabling-support-for-sslv3-and-rc4-for.html, Google is about to do the same.

fixes #611