Release overview
Release Date: 25 May 2017
Release Versions: On-Premises v7.8.0.2, ActiveSync 2.3.6
⚠ Please Note:
Version 7.8.0.2 contains minor fixes required for ActiveSync and security for the atmail 7.8 release. For full details on the atmail 7.8 release, click here.
Security Fix
|
Vulnerability
|
Vulnerability Description
|
Component(s) Impacted
|
User(s) Impacted
|
Credit
|
|---|---|---|---|---|
| CSRF | Security vulnerability which allows an attacker to upload and import users via CSV. | Core, Security | all users | Vulnerability detected and reported by Vahagn Vardanyan. Thank you! |
| CSRF | Security vulnerability which allows an attacker can change SMTP hostname and hijack all emails. | Core, Security | all users | Vulnerability detected and reported by Vahagn Vardanyan. Thank you! |
| CSRF | Security vulnerability which allows an attacker create a user. | Core, Security | all users | Vulnerability detected and reported by Vahagn Vardanyan. Thank you! |
| XSS | Send email with payload. | Core, Security | end users | Vulnerability detected and reported by Zach Julian. Thank you! |
| Admin login as |
It's been noted that login to user account via admin is being logged as USER LOGIN. The logs does not show that login activity has been made by admin. |
webadmin user manager | webadmin users | Vulnerability detected and reported by Ammad Ali. Thank you! |
Bug Fixes
Core Product
|
Bugfix
|
Bugfix Description
|
Component(s) Impacted
|
User(s) Impacted
|
Impact Description
|
|---|---|---|---|---|
| Calendar events |
Webmail updates calendar events TZ to floating |
DAV | ActiveSync and CalDAV end users | Functionality |
|
Calendar events |
Drag and drop of events created in GTM fails to maintain TZ | DAV | ActiveSync and CalDAV end users | Functionality |
| Attachment uploads |
webmail fails to upload *.txt attachments correctly. |
webmail interface | End users accessing the webmail Interface | UI |
ActiveSync
| Change |
Change Description |
Component(s) Impacted |
User(s) Impacted |
Impact Description |
|---|---|---|---|---|
| Update code base |
Updated core ActiveSync codebase to version 2.3.6 |
ActiveSync | End users who use ActiveSync |
Functionality |
| Updated timezone handling | Added Timezone guessing | ActiveSync | End users who use ActiveSync | Functionality |
| Updated username authentication | Fixed originalemail / username from auth backend to be used for MAILTO and organizer email in ICS attachments ( caldav backend driver where 'originalUsername' should have been replaced with GetCurrentUsername() (upstream provider bug) ) | ActiveSync | End users who use ActiveSync | Functionality |
| Updated SyncObject attributes | Corrected bug with SyncObject attributes if CDATA present | ActiveSync | End users who use ActiveSync | Functionality |
| Updated log names | changed output logs to push*; | ActiveSync | End users who use ActiveSync | Functionality |
| Updated photo data encoding | Fixed some photo data being base64 encoded twice. | ActiveSync | End users who use ActiveSync | Functionality |
| Updated email address formatting | Formatting for email address provided from devices to match 'addr-spec' RFC822 rather then RFC2822 | ActiveSync | End users who use ActiveSync | Functionality |
| Updated license details | NET/SMTP introduces new license http://opensource.org/licenses/bsd-license.php BSD-2-Clause | ActiveSync | End users who use ActiveSync | Functionality |
Comments