Topic: CRITICAL SECURITY FIX of iRedAdmin on FreeBSD and OpenBSD
We just found a critical security issue of iRedAdmin (both open source edition and iRedAdmin-Pro) on FreeBSD and OpenBSD system, please upgrade it immediately.
Note: iRedMail-0.9.5-1 was repacked with new iRedAdmin release (0.6.2) which contains this fix today.
iRedAdmin calls an incorrect function to verify BCRYPT password hash while admin trying to login, if the admin account exists, iRedAdmin accepts any password and the admin logs in.
Affected Linux/BSD distributions
BCRYPT is available on FreeBSD and OpenBSD, but not Linux, so this issue impacts only FreeBSD and OpenBSD systems.
Affected iRedAdmin versions
This bug was introduced in iRedAdmin (both open source edition and iRedAdmin-Pro) on May 3, 2016, versions released after May 3 contain this bug:
iRedAdmin-0.6.1 (shipped by iRedMail-0.9.5-1)
How to fix it
For iRedAdmin open source edition, please download the latest iRedAdmin-0.6.2 and follow our tutorial to upgrade it: http://www.iredmail.org/docs/migrate.or … admin.html
For iRedAdmin-Pro, please login to iRedAdmin-Pro as global admin, click the "License" button on top-right corner, click "Send me an email with download link" button to get the latest iRedAdmin-Pro release, then follow our tutorial to upgrade it: http://www.iredmail.org/docs/migrate.or … admin.html