1. 20 Aug, 2016 2 commits
    • v0.19b · ba75ff78
      Joshua Tauberer authored
    • simplify how munin-cgi-graph is called to reduce the attack surface area · a14b1779
      Joshua Tauberer authored
      Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
      
      Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment, which led me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
      
      The vulnerability was created by 6d6f3ea3.
      
      See #914.
      
      This is the v0.19b hotfix commit.
  2. 18 Aug, 2016 2 commits
  3. 13 Aug, 2016 1 commit
  4. 08 Aug, 2016 3 commits
  5. 01 Aug, 2016 1 commit
    • add SRV records for CardDAV/CalDAV · cf3e1cd5
      Joshua Tauberer authored
      DavDroid's latest version's account configuration no longer just asked for a hostname. Its email address & password configuration mode did not work without a SRV record.
  6. 29 Jul, 2016 7 commits
  7. 29 Jun, 2016 2 commits
  8. 27 Jun, 2016 4 commits
  9. 12 Jun, 2016 3 commits
  10. 10 Jun, 2016 3 commits
  11. 06 Jun, 2016 4 commits
  12. 02 Jun, 2016 2 commits
    • v0.18c · 6666d28c
      Joshua Tauberer authored
    • Dovecot LMTP accepted all mail regardless of whether destination was a user,... · 66675ff2
      Joshua Tauberer authored
      Dovecot LMTP accepted all mail regardless of whether destination was a user, broken by ae8cd4ef, fixes #852
      
      In the earlier commit, I added a Dovecot userdb lookup. Without a userdb lookup, Dovecot would use the password db for user lookups. With a userdb lookup we can support iterating over users.
      
      But I forgot the WHERE clause in the query, resulting in every incoming message being accepted if the user database contained any users at all. Since the mailbox path template is the same for all users, mail was delivered correctly except that mail that should have been rejected was delivered too.
  13. 17 May, 2016 3 commits
  14. 16 May, 2016 3 commits