Merge branch 'Mailu:master' into patch-1

2025-09-16 09:06:32 +02:00 · 2025-08-24 02:03:32 +02:00
parent b399ef7133 fa2165687c
commit 5b2c0a1800
7 changed files with 14 additions and 7 deletions
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -27,7 +27,7 @@ CMD /bin/bash
 FROM system as build

 ARG MAILU_DEPS=prod
-ARG SNUFFLEUPAGUS_VERSION=0.11.0
+ARG SNUFFLEUPAGUS_VERSION=0.12.0

 ENV VIRTUAL_ENV=/app/venv

--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -156,7 +156,7 @@ services:

 {% if tika_enabled %}
  fts_attachments:
-    image: apache/tika:2.9.2.1-full
+    image: apache/tika:latest-full
    hostname: tika
    logging:
      driver: journald
--- a/towncrier/newsfragments/3899.bugfix
+++ b/towncrier/newsfragments/3899.bugfix
@@ -0,0 +1 @@
+Upgrade to Snuffleupagus 0.12 to fix a NULL ptr deref; re-enable the related rules
--- a/towncrier/newsfragments/3903.bugfix
+++ b/towncrier/newsfragments/3903.bugfix
@@ -0,0 +1 @@
+Upgrade Tika to latest to fix CVE-2025-54988 (XXE). You will need to run setup again for the fix to be applied! This is defence in depth rather than something critical as on docker deployments there is no impact.
--- a/towncrier/newsfragments/3906.bugfix
+++ b/towncrier/newsfragments/3906.bugfix
@@ -0,0 +1,2 @@
+Fix "passphrase changed" errors in snappymail. You may need to run:
+   find webmail/_data_/_default_/storage/ -name .cryptkey -delete
--- a/webmails/snappymail/defaults/application.ini
+++ b/webmails/snappymail/defaults/application.ini
@@ -6,6 +6,7 @@ attachment_size_limit = {{ MAX_FILESIZE }}
 [security]
 allow_admin_panel = Off
 openpgp = On
+insecure_cryptkey = On

 [labs]
 allow_gravatar = Off
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
@@ -144,11 +144,11 @@ sp.disable_function.function("ini_set").param("option").value_r("display_errors"

 # Classic webshells patterns
 # Those create SIGSEGV on arm64 for some reason
-#sp.disable_function.function("system>base64_decode").drop();
-#sp.disable_function.function("shell_exec>base64_decode").drop();
-#sp.disable_function.function("exec>base64_decode").drop();
-#sp.disable_function.function("passthru>base64_decode").drop();
-#sp.disable_function.function("proc_open>base64_decode").drop();
+sp.disable_function.function("system>base64_decode").drop();
+sp.disable_function.function("shell_exec>base64_decode").drop();
+sp.disable_function.function("exec>base64_decode").drop();
+sp.disable_function.function("passthru>base64_decode").drop();
+sp.disable_function.function("proc_open>base64_decode").drop();
 sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open");

 sp.auto_cookie_secure.enable();
@@ -156,6 +156,8 @@ sp.auto_cookie_secure.enable();
 # TODO: ensure this is up to date
 sp.cookie.name("roundcube_sessauth").samesite("strict");
 sp.cookie.name("roundcube_sessid").samesite("strict");
+sp.cookie.name("smtoken").samesite("strict");
+sp.cookie.name("smctoken").samesite("strict");
 sp.ini_protection.policy_silent_fail();

 # roundcube uses unserialize() everywhere.
				`@@ -0,0 +1 @@`
				`Upgrade to Snuffleupagus 0.12 to fix a NULL ptr deref; re-enable the related rules`
				`@@ -0,0 +1 @@`
				`Upgrade Tika to latest to fix CVE-2025-54988 (XXE). You will need to run setup again for the fix to be applied! This is defence in depth rather than something critical as on docker deployments there is no impact.`