Topic: 2 security fixes -- Roundcube and iRedMail (MySQL) backup script
There are 2 security fixes you need to apply immediately:
*) Roundcube webmail 1.2.4 (and 1.1.8) was released on March 10, 2017, including a fix for a recently reported XSS security issue with CSS styles inside an SVG tag.
Please upgrade Roundcube as soon as possible to fix it.
*) Possible backdooring mysqldump backups.
mysqldump is a common utility used to create logical backups of MySQL databases. By default, it generates a .sql file containing the queries to create/drop tables and insert your data. By crafting a malicious table name, an attacker can execute arbitrary SQL queries and shell commands when the dump file is imported.
If you're running iRedMail with one of the OpenLDAP, ldapd (OpenBSD only), MySQL or MariaDB backends, please follow the steps below to fix it:
- Open the daily MySQL backup script; it's /var/vmail/backup/backup_mysql.sh by default. If you chose a different storage directory during iRedMail installation, you can find the base directory with the command "postconf virtual_mailbox_base".
- Find the variable CMD_MYSQLDUMP, which looks like this:
export CMD_MYSQLDUMP="mysqldump ..."
- Make sure it has the argument "--skip-comments", like this:
export CMD_MYSQLDUMP="mysqldump ... --skip-comments"
- Save the change.
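As an added example (not part of this post or of iRedMail's own scripts), here is a small shell check that verifies whether a backup script's CMD_MYSQLDUMP line already carries --skip-comments and appends it if not; the script path is passed as an argument, and the default from the steps above is /var/vmail/backup/backup_mysql.sh.

```shell
# Added example, not iRedMail's own code. Works on the
#   export CMD_MYSQLDUMP="mysqldump ..."
# line format shown in the steps above (double-quoted value assumed).

# Return 0 if the CMD_MYSQLDUMP definition in the given script already
# contains --skip-comments, 1 otherwise.
has_skip_comments() {
    grep -E '^export CMD_MYSQLDUMP=' "$1" | grep -q -- '--skip-comments'
}

# Append --skip-comments inside the quoted mysqldump command string.
# Keeps a copy of the original script as <script>.bak and is a no-op
# (no second flag, no second backup) when the flag is already present.
add_skip_comments() {
    if has_skip_comments "$1"; then
        return 0
    fi
    cp "$1" "$1.bak"
    # Capture everything from 'export CMD_MYSQLDUMP="' up to the closing
    # quote and re-emit it with the flag added before that quote.
    sed -E 's/^(export CMD_MYSQLDUMP="[^"]*)"/\1 --skip-comments"/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}
```

Run `add_skip_comments /var/vmail/backup/backup_mysql.sh` as root, then re-run the backup script once and confirm the new dump no longer contains the comment header lines.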