CVE-2021-40841: Changelog

A Path Traversal vulnerability for a log file in LiveConfig 2.12.2 allows authenticated attackers to read files on the underlying server.


Changes in version 2.13.1 (01/30/2022):

  • fixed wrong table order in MySQL schema (table APIKEYS couldn’t be created)
  • implemented rate limit for dynamic DNS updates (default: 15 updates per 10 minutes, configurable via LCDefaults key dns.updateLimit)
  • create /etc/ssl/chains if not existing on initial Apache configuration
  • updated Expat library to v2.4.4

Changes in version 2.13.0 (10/15/2021):

  • improved usability for “Delete Mailbox” button (prevent unintended deletion of mailbox)
  • preparing for rate limiting Dynamic DNS updates
  • security fix (file access - low impact level)
  • security fix (stored XSS within own customer data, low impact level)
  • updated Site.pro module
  • IP addresses can optionally be added only to web server vHost config, but not to DNS
  • Debian/Ubuntu: moving intermediate certificate files from /etc/ssl/certs/*-ca.crt to /etc/ssl/chains/*-ca.crt, adjusting Apache and ProFTPD configuration and running c_rehash (workaround for local OpenSSL validation problem/bug with Let’s-Encrypt “R3” certificate, see blog post)
  • disabling of SSH accounts did not work when using private key authentication
  • fixed warning regarding missing systemd-reload after update
  • fixed bug in Let’s Encrypt module when finalization has failed and is in “processing” state
  • DNS updates got stuck in a loop when multiple large IP groups were updated within a short interval

Changes in version 2.12.2 (08/25/2021):

  • allow disabling default MX records when setting custom MX records
  • improved detection of CentOS Stream 8
  • updated OpenSSL to 1.1.1l
  • differing MX was not used when adding a new domain

Changes in version 2.12.1 (08/11/2021):

  • improved displaying MX records and SMTP server name
  • autoresponder status wasn’t displayed in mailbox list

Changes in version 2.12.0 (07/29/2021):

  • allow configuration of PHP FPM pool settings (e.g. pm.max_children) via php.ini management
  • allow configuration of differing MX records for Postfix
  • edit mailbox: added “info” tab with all mailbox settings at a glance
  • support for Debian 11 (“Bullseye”)
  • support for CentOS Stream 8
  • log SASL user name in lcpolicyd when rejecting e-mails
  • improved security of password protection when using NGINX as reverse proxy for Apache
  • also removing /var/tmp from open_basedir in php.ini when running PHP via FPM
  • show subscription comment also to end-users (in webspace overview) to better differentiate between multiple subscriptions
  • prepared new licensing features
  • improved compatibility of Autodiscover feature with Microsoft Outlook Connectivity Test
  • support deletion of dynamic DNS records (A or AAAA)
  • connection to MySQL now also possible via IP (instead of only UNIX socket)
  • fixed timing problem when updating Postfix map files (could lead to deadlock under certain conditions)
  • Postfix sender_bcc/recipient_bcc also contained addresses without destination address
  • updating the validity period of SSL intermediate certificates if this is missing
  • fixed bug when allowing external database access for existing databases

Changes in version 2.11.3 (04/06/2021):

  • allow configuration of a default SPF record (if no custom SPF record is defined for a domain)
  • changed default location of most .pid files from /var/run/ to /run/ on Debian/Ubuntu
  • supporting installation with mod_php and without php-cgi
  • allow disabling creation of catch-all e-mail addresses (existing catch-all addresses can still be managed)
  • updated OpenSSL to 1.1.1k
  • allowing UTF symbols (e.g. emojis) in domain names
  • disabling sql_mode ONLY_FULL_GROUP_BY when using MySQL/MariaDB as backend database for LiveConfig
  • when adding/deleting directly managed secondary DNS servers from DNS templates, the zones.liveconfig file was sometimes not updated
  • DNSSEC keys were removed under certain conditions when DNS templates were modified
  • fixed expiry date of intermediate SSL certificates (some certificate chains were shown as being expired)

Changes in version 2.11.2 (02/22/2021):

  • fixed bug in PHP version list (list was empty in some cases)

Changes in version 2.11.1 (02/22/2021):

  • updated OpenSSL, Unbound and cURL libraries
  • restricted PHP versions are marked in overview list
  • disabled reverse DNS lookups in ProFTPD (configuration needs to be refreshed)
  • checking BCC destinations against forward domains blacklist
  • number of subdomains using the default PHP version was not counted correctly
  • fixed several missing translations

Changes in version 2.11.0 (02/16/2021):

  • usage of outdated PHP versions can now be restricted
  • a copy of all incoming and outbound e-mails can now be sent via BCC to another address (e.g. for e-mail archiving)
  • added SOAP method CustomerDelete()
  • a comment can now be added to subscriptions (to better differentiate between several subscriptions)
  • ignore errors when LogRotate postrotate command fails
  • improved error handling when PHP-FPM is not installed and a subscription was configured with PHP-FPM
  • rejecting e-mails to local accounts, except those listed in /etc/aliases
  • show message when OpenDKIM wasn’t found
  • increased maximum password length for HostingMailboxAdd/Edit() to 200 chars
  • private log files are now also rotated even if the user has exceeded his filesystem quota
  • suPHP option is not available any more for new hosting plans & subscriptions (suPHP is deprecated and will not be supported in the future)
  • option “skip DNS check” was ignored when adding a new SSL certificate (worked only when editing existing SSL jobs)
  • fixed bug in detection of PHP 7.4 FPM on Ubuntu 20
  • number of subdomains using the default PHP version was not counted correctly
  • fixed bug in UsageStats (HostingSubscriptionGet()) - data was returned in bytes/kB instead of MB

Changes in version 2.10.4 (11/13/2020):

  • replaced %h with %a in Apache LogFormat
  • userprefs path for SpamAssassin now is always created when spam filter is enabled for a mailbox (allows using the Bayes filter)
  • fixed JavaScript escaping (affected some popup windows on French interface)
  • don’t use system skeleton directory when creating users on CentOS/RHEL

Changes in version 2.10.3 (11/05/2020):

  • fixed bug when changing database password on MariaDB 10.1.x
  • also display installed but unused PHP versions at Server Management -> Web
  • fixed bug in login information popup (when no language was configured for the receiving user)

Changes in version 2.10.2 (10/30/2020):

  • support enabling DNSSEC when adding domain via SOAP API
  • show end-of-life (EOL) date and comments in PHP version select dropdown
  • edit comments and EOL dates of PHP versions (Server Management -> Web)
  • domains/subdomains added via SOAP API are now displayed in “default view” by default
  • when a subscription is deleted, all assigned SSL certificates are now automatically deleted too
  • e-mail with login information is now prepared in the language of the recipient
  • user language can be selected when adding a customer or editing a user
  • Webspace overview doesn’t show the host ID any more, but the server name (hostname)
  • server description is now displayed in server selection dropdown (when creating a new subscription)
  • permissions of directories created with LC.fs.mkdir_rec were too restrictive
  • support MySQL “authentication_string” authorization with upgraded databases
  • displayed wrong size of DNSSEC keys (factor 8)
  • fixed HTML escaping of translated phrases
  • when disabling a user, active sessions are immediately closed

Changes in version 2.10.1 (09/17/2020):

  • some configuration files were created with wrong permissions (error in v2.10.0)

Changes in version 2.10.0 (09/16/2020):

  • allow wildcard domains (e.g. *.example.org or even *.tld) for e-mail blacklists/whitelists
  • SOAP method HostingMailboxGet() added (returns configuration of an e-mail address)
  • use /var/www/.skel (if existing) as so-called “skeleton directory” when adding new webspace accounts
  • support global configuration overrides for PHP FPM pools (Lua table LC.web.FPMCONFIG)
  • checking expire date of intermediate (chain) SSL/TLS certificates
  • full support for CentOS 8
  • full support for Ubuntu 20.04 LTS
  • IFRAME-API: added toTop() javascript function to scroll to top of page from within IFRAME content
  • supporting openSUSE 15.1
  • SOAP method HostingSubscriptionGet() now also returns a list of all configured e-mail addresses
  • prepared for repository GPG key rollover (key id: D409AC6D65FE6664)
  • supporting domain-specific Apache configuration includes also with proxy destinations
  • updated OpenSSL to v1.1.1g
  • supporting new privilege system on MariaDB 10.4
  • changed default mailbox home directory from /var/mail to /var/mail/%C/%I (fixes problem with repeated mails from autoresponder)
  • improved MySQL authentication to work with MySQL 8.x
  • support auth_socket authentication (without password) for MySQL root user
  • iOS mobileconfig supports multiple mailboxes within same domain on same device
  • iOS mobileconfig supports disabling IMAPS/POP3S (port 993/995)
  • added autocomplete attributes to password fields for better usability
  • minor CSS improvements
  • improved NGINX vHost configuration for web statistics
  • improved NGINX reverse proxy configuration
  • SOAP method HostingSubscriptionGet() now also returns configured PHP version per subdomain as well as usage data of the subscription (UsageStats)
  • increased limit for php.ini settings (text) from 512 to 4096 byte
  • changed default setting for php.ini setting opcache.file_cache from %HOME%/tmp to “” (empty string), effectively disabling file cache by default
  • added %PHP% placeholder in php.ini settings (allows option opcache.file_cache to be set per PHP version, e.g. %HOME%/.cache/opcache.%PHP%)
  • fixed wrong password limit when enabling/modifying OTP configuration
  • fixed minor bug when searching for full mail address in list of mailboxes
  • domain was not removed from Postfix’ recipient_access file when locked subscription was deleted
  • fixed bug when creating additional ftp accounts using HostingFtpAdd() (affected version 2.9.x)
  • fixed bug resetting shell to nologin when reseller has edited an existing hosting plan
  • fixed problem in ACMEv2 client when using e.g. Buypass CA
  • .htpasswd file for web statistics was not generated when using only NGINX
  • disabling TLS1/TLS1.1 was ignored with NGINX
  • SSL cipher selection (default/strong) wasn’t applied to NGINX vHosts
  • fixed bug when changing password on MySQL 8.x

Changes in version 2.9.3 (03/03/2020):

  • fixed problem regarding Let’s Encrypt update when MySQL was being used as backend database

Changes in version 2.9.2 (03/03/2020):

  • allow downloading list of SSL certificates as CSV file
  • added option to disable TLSv1/TLSv1.1 per IP group for web server
  • added SOAP methods HostingDCVCreate()/HostingDCVDelete()
  • improved systemd configuration of liveconfig/lcclient
  • ACMEv2: some fixes to work with Let’s Encrypt Staging API
  • automated renewal of SSL certificates from Let’s Encrypt affected by their “CAA rechecking bug”
  • lcphp: PHP_BINARY environment variable got lost
  • SAN domains were ignored in SSL orders (v2.9.x)

Changes in version 2.9.1 (12/13/2019):

  • SSL certificates: added filter option “only own certificates”
  • salutation (contact data) can now be left empty
  • table search string wasn’t saved during page refresh
  • fixed display of version number in “Servers” report
  • fixed bug (missing permissions) when adding a FTP user as an additional LiveConfig user
  • fixed missing permission check when editing domains at “my hosting” as additional LiveConfig user
  • comparing HC_REFRESHCFG with version number (revision number not available any more)
  • fixed bug in quota check when editing mailboxes

Changes in version 2.9.0 (11/29/2019):

  • Let’s Encrypt: retry domain validation after HTTP errors (e.g. timeout with Let’s Encrypt API) every 15 minutes
  • the DNS checks for automated SSL/TLS certificates can now be individually skipped (e.g. when using a CDN)
  • when private IPv4 addresses are used (without corresponding IP_NAT data) then the DNS checks for Let’s Encrypt are automatically skipped
  • it’s now possible to change the PHP CLI used by the Application Installer (using Lua variable LC.web.PHPCLI)
  • automatic configuration of automated SSL certificates can now optionally be disabled (using checkboxes in order form)
  • allow binding Postfix only to localhost (127.0.0.1)
  • when an additional admin user adds a new server, he now automatically gets all permissions for that server
  • when a domain is deleted, optionally all assigned SSL certificates can be deleted too
  • improved detection of matching wildcard SSL certificates when configuring subdomains
  • list of SSL certificates can now be filtered (expired, unassigned, …)
  • mass mails aren’t sent to suspended customers any more (can be enabled via checkbox)
  • overview of SSL jobs (start page) doesn’t show entries of suspended customers any more
  • allow editing e-mail addresses of Let’s Encrypt accounts
  • display HTTPS links in AppInstaller if domain is configured with SSL
  • AppInstaller: uninstall sometimes failed when directory of application didn’t yet exist or was already deleted before uninstall
  • deleting a domain with existing mailboxes as reseller sometimes returned an error (missing permissions)
  • end users with hosting plans created via GUI didn’t have the permission to view the LiveConfig event log
  • fixed display error when editing a subdomain while parent domain has “(+www)” configuration enabled, preferring the “.www” subdomain
  • fixed bug when merging www/non-www subdomains if they were configured as redirect
  • don’t allow to automatically order SSL certificate when adding a new domain if user has no SSL management permissions
  • fixed bug when adding an automated SSL certificate with automatic HTTPS redirect (non-webspace targets were configured incorrectly)
  • fixed bug when configuring FPM with default PHP on CentOS (wrong directory for pool configuration)
  • lcsam: removed duplicate line breaks in X-Spam-Report

Archive

  • Changelog for version 2.0-2.8
  • Changelog for version 1.x
