1. 23 Sep, 2016 6 commits
  2. 18 Sep, 2016 1 commit
  3. 16 Sep, 2016 1 commit
  4. 15 Sep, 2016 1 commit
  5. 24 Aug, 2016 1 commit
  6. 22 Aug, 2016 1 commit
  7. 20 Aug, 2016 3 commits
    • merge v0.19b hot fix release · 27b4edfc
      Joshua Tauberer authored
    • v0.19b · ba75ff78
      Joshua Tauberer authored
    • simplify how munin-cgi-graph is called to reduce the attack surface area · a14b1779
      Joshua Tauberer authored
      Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
      
      Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which led me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
      
      The vulnerability was created by 6d6f3ea3.
      
      See #914.
      
      This is the v0.19b hotfix commit.
  8. 19 Aug, 2016 1 commit
    • simplify how munin-cgi-graph is called to reduce the attack surface area · 35a360ef
      Joshua Tauberer authored
      Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
      
      Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which led me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
  9. 18 Aug, 2016 3 commits
  10. 16 Aug, 2016 2 commits
  11. 15 Aug, 2016 2 commits
  12. 13 Aug, 2016 2 commits
  13. 08 Aug, 2016 6 commits
  14. 01 Aug, 2016 1 commit
    • add SRV records for CardDAV/CalDAV · cf3e1cd5
      Joshua Tauberer authored
      DavDroid's latest version's account configuration no longer just asked for a hostname. Its email address & password configuration mode did not work without a SRV record.
  15. 29 Jul, 2016 7 commits
  16. 29 Jun, 2016 2 commits