Security Update - weak salts for auth methods md5/sha1.salted

@barryo barryo released this Apr 11, 2016 · 18 commits to master since this release

In opensolutions/OSS-Framework#43 it was pointed out that a typo in the authentication code meant that the md5.salted and sha1.salted password schemes didn't actually use the requested salt string but a fixed salt of "md5.salted" and "sha1.salted" respectively.

This has been corrected in this commit: https://git.io/vV5iE

A note to this effect has been added to ViMbAdmin in this commit: https://git.io/vV5ii

As a result of this, "md5.salted" and "sha1.salted" have been replaced with hyphenated versions: "md5-salted" and "sha1-salted" which will use the actual salt as requested.

For all existing ViMbAdmin installations, "md5.salted" and "sha1.salted" will continue to work but with the static salts of "md5.salted" and "sha1.salted" respectively.

One should always pick a hashing function as strong as the mail system allows. At time of writing, Dovecot ( http://wiki2.dovecot.org/Authentication/PasswordSchemes ) recommends one of BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, in descending order of strength.

As such, the default version ViMbAdmin ships with in application.ini.dist is now:

defaults.mailbox.password_scheme = "dovecot:BLF-CRYPT"
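As an added illustration (not code from ViMbAdmin or OSS-Framework) of the defect described above, and of a check for an application.ini that still selects the dotted schemes; the digest layout and the hypothetical hash_legacy / hash_fixed helpers are assumptions made for the example:

```python
import hashlib
import secrets

# Added illustration, not ViMbAdmin or OSS-Framework code. It models the defect
# described above: the dotted schemes hashed with the literal scheme name as the
# salt. The digest layout (algo(password || salt), hex) is an assumption.
LEGACY_STATIC_SALT_SCHEMES = {"md5.salted", "sha1.salted"}

def salted_digest(algo: str, password: str, salt: str) -> str:
    """Hex digest of algo(password || salt); algo is 'md5' or 'sha1'."""
    h = hashlib.new(algo)
    h.update(password.encode("utf-8"))
    h.update(salt.encode("utf-8"))
    return h.hexdigest()

def hash_legacy(scheme: str, password: str, requested_salt: str) -> str:
    """Pre-fix 'md5.salted' / 'sha1.salted': the requested salt is ignored
    and the scheme name itself is the static salt."""
    algo = scheme.split(".")[0]
    return salted_digest(algo, password, scheme)  # bug: scheme, not requested_salt

def hash_fixed(scheme: str, password: str, requested_salt: str) -> str:
    """Hyphenated 'md5-salted' / 'sha1-salted': the requested salt is used."""
    algo = scheme.split("-")[0]
    return salted_digest(algo, password, requested_salt)

def salt_is_effective(hasher, scheme: str, password: str = "correct horse") -> bool:
    """True when two different requested salts give two different hashes; with a
    static salt every mailbox sharing this password stores the same hash."""
    a = hasher(scheme, password, secrets.token_hex(8))
    b = hasher(scheme, password, secrets.token_hex(8))
    return a != b

def weak_scheme_settings(ini_text: str) -> list:
    """Lines of an application.ini that still select a dotted scheme, i.e. an
    installation that keeps using the static salt after the library update."""
    hits = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "defaults.mailbox.password_scheme":
            if value.strip().strip('"') in LEGACY_STATIC_SALT_SCHEMES:
                hits.append(line.strip())
    return hits

# Constructed sample config: one stale setting and the recommended default.
SAMPLE_INI = """\
defaults.mailbox.password_scheme = "md5.salted"
defaults.mailbox.password_scheme = "dovecot:BLF-CRYPT"
"""
```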

While no code changes have occurred in ViMbAdmin, we've pushed a new release to mark this issue:

https://github.com/opensolutions/ViMbAdmin/releases/tag/3.0.15

NB: no code changes have actually occurred in ViMbAdmin but rather a library used by ViMbAdmin. To get the new version of the library, just run:

composer update 

Downloads

Bug Fix Release

@barryo barryo released this Apr 4, 2016 · 27 commits to master since this release

  • Merge pull request #127 from Spiral23/dev (87bf5d8 - Barry O'Donovan - 2016-04-04)

  • Really really close #176 ;-) (ddf8963 - Barry O'Donovan - 2016-04-03)
  • Close #174 (06929c5 - Barry O'Donovan - 2016-04-02)
  • Really close #83 (19a5911 - Barry O'Donovan - 2016-04-02)
  • Really fix composer smarty reference (05e23fd - Barry O'Donovan - 2016-04-02)
  • Tidy up PR #134 (165fae8 - Barry O'Donovan - 2016-04-02)
  • Make sure the toggle function for the alias returns the correct value, to return an error message to the user explaining why an alias could not be deactivated. (b65ac65 - Matthias Fechner - 2014-09-29)
  • A non-existent hook function in a plugin will always cause a true return value, so as not to interrupt the flow. (d4f2fd6 - Matthias Fechner - 2014-09-29)
  • If an alias is deleted, continue only if all called hooks from all plugins give the green light to continue with the deletion. (13120a8 - Matthias Fechner - 2014-09-27)
  • Added the possibility that a plugin function can stop the workflow if it returns false. (3a0e58e - Matthias Fechner - 2014-09-27)

Bug Fix Release (plus small features)

@barryo barryo released this Apr 2, 2016 · 40 commits to master since this release

  • Merge pull request #110 from ghost/patch-1 (3a626a3 - Barry O'Donovan - 2016-04-02)
  • Merge pull request #145 from reissmann/feature/103_autocomplete (4a951a2 - Barry O'Donovan - 2016-04-02)
  • Merge pull request #152 from kaechele/patch-1 (5380e97 - Barry O'Donovan - 2016-04-02)
  • [BF] fix min password length - fixes #158 (98084e8 - Barry O'Donovan - 2016-04-02)
  • [BF|IM] Allow new style domain names - fixes #165 (60a4026 - Barry O'Donovan - 2016-04-02)
  • Merge pull request #172 from troggy/fix-email-validation (de87d78 - Barry O'Donovan - 2016-04-02)
  • Allow TLDs longer than 4 chars (f048df9 - Kosta Korenkov - 2016-03-23)
  • Use Smarty from Packagist - fixes #168 #closes #169 (b78a4ce - Barry O'Donovan - 2016-03-16)
  • More securely parse the version - fixes #161 (27775f0 - Barry O'Donovan - 2016-01-07)
  • [NF] new mail/homedir substitution option (b644475 - Barry O'Donovan - 2015-08-28)
  • Fix mail config typo in sample config (235b206 - Felix Kaechele - 2015-08-28)
  • Update README.md (dccd8b8 - Barry O'Donovan - 2015-07-20)
  • disable autocompletion on password formfields. fixes #103 and fixes #144. (3f70145 - Sven Reissmann - 2015-07-08)
  • Update vimbadmin (e2fce46 - Barry O'Donovan - 2015-06-02)

Bug Fix Release (plus small features)

@barryo barryo released this May 31, 2015 · 56 commits to master since this release

  • [BF] Fix #139 (4e07b1f - Barry O'Donovan - 2015-05-31)
  • Create CONTRIBUTING.md (c24c04a - Barry O'Donovan - 2015-03-28)
  • Merge pull request #130 from Tribal-Dolphin/master (549882e - Barry O'Donovan - 2015-03-14)
  • Domain Form accepts plugins (86db6b4 - Tribal-Dolphin - 2015-03-14)
  • Merge pull request #129 from Tribal-Dolphin/master (002be21 - Barry O'Donovan - 2015-03-14)
  • Domain Hook (591cd3b - Tribal-Dolphin - 2015-03-14)
  • Domain Hooks (88783c2 - Tribal-Dolphin - 2015-03-14)

## Domain Hooks

The following domain hooks have been added for plugins with thanks to @Tribal-Dolphin:

  • domain_add_formPostProcess
  • domain_add_addPrepare
  • domain_add_addPrevalidate
  • domain_add_addPostvalidate
  • domain_add_addFinish
  • domain_purge_preRemove
  • domain_purge_purgeFinish

Bug fix release

@barryo barryo released this Jan 20, 2015 · 64 commits to master since this release

Fix a bug that stopped all database tables from being created.

Chrome v35 fix

@barryo barryo released this Jun 10, 2014 · 137 commits to master since this release

Pop-ups stopped working in the latest release of Google Chrome. This is fixed by updating the throbber.js library.

Bug fix release

@barryo barryo released this Jun 10, 2014 · 74 commits to master since this release

Fix a bug that prevented non-super admins from adding aliases.

Smarty and Chrome v35 fixes

@barryo barryo released this Jun 7, 2014 · 76 commits to master since this release

Pop-ups stopped working in the latest release of Google Chrome. This is fixed by updating the throbber.js library.

Smarty is now pushed to v3.1.18.

Smarty fixes

@barryo barryo released this May 20, 2014 · 81 commits to master since this release

Another minor version bump to fix issues caused by Smarty's releases. We now hardcode the required version of Smarty to 3.1.17. This is a temporary solution which we can hopefully remove with Smarty 3.1.19.

Bug fix release

@barryo barryo released this May 8, 2014 · 83 commits to master since this release

A small number of bug fixes. The main one is a break in composer/Smarty which the folks at Smarty say will be fixed in their next release.

  • [BF] Fix Smarty date_format issue (11a6466 - Barry O'Donovan - 2014-05-08)
  • [BF] Fix issue with Smarty at the moment (2) (a80abc5 - Barry O'Donovan - 2014-05-05)
  • [BF] Seems to be an issue with Smarty at the moment - this fixes it (d91b97f - Barry O'Donovan - 2014-05-03)
  • [BF] Fix mailing lists (234539c - Barry O'Donovan - 2014-04-07)

Reminder: Upgrade instructions at https://github.com/opensolutions/ViMbAdmin/wiki/Updating