🍂🐄 Mootember Update 2022 - Quarantine & Swagger UI Fix Update - Revision A | Changes
2022-09a (Release: 30th September 2022)
- The Twig template engine used by the mailcow web UI has been updated to version 3.4.3, which fixes CVE-2022-39261.
Note: this CVE is not critical for mailcow users; the release mainly serves to bring the package up to date.
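To confirm that a checkout actually carries the patched Twig, the following POSIX shell script (an added example, not part of mailcow or this release note) reads the `VERSION` constant that Twig declares in its `Environment.php` and compares it against 3.4.3. The vendor path `data/web/inc/lib/vendor/twig/twig/src/Environment.php` is an assumption about where mailcow ships Twig; adjust it to your installation. When that file is not found, the script runs against constructed sample files so it can be tried offline.

```shell
#!/bin/sh
# Added example: check whether the bundled Twig is at or above the fixed release.
# Assumed path (not taken from the release note); adjust to your checkout.
TWIG_ENV_DEFAULT="data/web/inc/lib/vendor/twig/twig/src/Environment.php"
FIXED_TWIG="3.4.3"   # first Twig release that closes CVE-2022-39261

# Print the version string from a Twig Environment.php
# (Twig declares it as `public const VERSION = 'x.y.z';`).
twig_version() {
    sed -n "s/.*const VERSION = '\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 if dotted version $1 >= $2, 1 otherwise.
# Compares numerically per component, so 3.10.0 > 3.4.3 is handled correctly.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print "fixed", "vulnerable" or "unknown" for the Environment.php at $1.
# Exit status: 0 fixed, 1 vulnerable, 2 version not found.
twig_status() {
    v=$(twig_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 2
    fi
    if version_ge "$v" "$FIXED_TWIG"; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Constructed sample mimicking the header of Twig's Environment.php
# (not real Twig source). $1 = version to embed; prints the temp file path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<EOF
<?php
namespace Twig;
class Environment
{
    public const VERSION = '$1';
}
EOF
    echo "$f"
}

# Stand-alone demo: check the real file if present, otherwise the samples.
if [ -f "$TWIG_ENV_DEFAULT" ]; then
    echo "$TWIG_ENV_DEFAULT: $(twig_status "$TWIG_ENV_DEFAULT")"
else
    for ver in 3.4.2 3.4.3 3.10.0; do
        f=$(make_sample "$ver")
        echo "Twig $ver: $(twig_status "$f")"
        rm -f "$f"
    done
fi
```

Run it from the root of your mailcow-dockerized checkout; a result of `vulnerable` means the 2022-09a update has not been applied to the web UI files yet.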
2022-09 (Release: 27th September 2022)
The official September update is here. This time it is unfortunately only a small update, but one that should not be ignored.
We have addressed one minor security issue in the Swagger UI shipped with mailcow. More details below.
Stable changes (stable Branch)
- GitHub Workflows security hardening by @sashashura in https://github.com/mailcow/mailcow-dockerized/pull/4761
- Small typo in Update.sh script fixed by @mindsolve in https://github.com/mailcow/mailcow-dockerized/pull/4762
- Update quarantine_notify.py charset (finally fixes the quarantine notification messages again) by @MAGICCC in https://github.com/mailcow/mailcow-dockerized/pull/4758 (this fixes https://github.com/mailcow/mailcow-dockerized/issues/4743)
- Translations (Turkish) from the Weblate Community in https://github.com/mailcow/mailcow-dockerized/pull/4765
- Swagger version was updated by @ntimo in https://github.com/mailcow/mailcow-dockerized/pull/4763
- Send As behavior improved by @macwinnie in https://github.com/mailcow/mailcow-dockerized/pull/4703
Vulnerability in Swagger UI
Before we talk about the Nightly updates, let's talk about the Swagger vulnerability.
It allowed an attacker-controlled script to be loaded via a crafted URL to the Swagger UI page, which could, for example, turn that page into a credit card phishing portal.
We have opened a CVE case for this: CVE-2022-39258
More detailed information is available in the GitHub advisory: https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vjgf-cp5p-wm45
Before panic sets in: this is the most harmless of the security vulnerabilities reported so far.
As always, we nevertheless advise updating soon!
Nightly changes (Bootstrap 5 update)
So, let’s move on to the Nightly Updates, which are fully focused on the Bootstrap 5 update:
- [NEW] Sieve Access can now be toggled via Mass-Actions
- [NEW] Added a Loading Animation for the Container Charts
- [NEW] The public IP addresses of your mail server (determined with dig inside the containers) are now displayed on the Dashboard page.
- [FIX] Fixed some layout issues (especially colour changes)
As some of you may have noticed, we are listening to your feedback regarding the Bootstrap 5 update. We are still diligently collecting feedback on it.
Keep in mind: The mentioned Bootstrap 5 changes only affect the Nightly Builds (for now).
Learn how to obtain Nightly Builds here: https://docs.mailcow.email/de/i_u_m/i_u_m_update/#neu-nightly-updates-beziehen, or try the new Nightly Demo.
More information and the login data for the demo can be found here: https://docs.mailcow.email/#demos
That's all for now.
Until then, stay healthy and have a happy #Hacktober
Your mailcow Team