Release overview
Release Date: 25 May 2017
Release Versions: On-Premises v7.8.0.2, ActiveSync 2.3.6
⚠ Please Note:
Version 7.8.0.2 contains minor fixes required for ActiveSync and security for the atmail 7.8 release. For full details on the atmail 7.8 release, click here.
Security Fix
| Vulnerability | Vulnerability Description | Component(s) Impacted | User(s) Impacted | Credit |
|---|---|---|---|---|
| CSRF | Security vulnerability which allows an attacker to upload and import users via CSV. | Core, Security | All users | Vulnerability detected and reported by Vahagn Vardanyan. Thank you! |
| CSRF | Security vulnerability which allows an attacker to change the SMTP hostname and hijack all emails. | Core, Security | All users | Vulnerability detected and reported by Vahagn Vardanyan. Thank you! |
| CSRF | Security vulnerability which allows an attacker to create a user. | Core, Security | All users | Vulnerability detected and reported by Vahagn Vardanyan. Thank you! |
| XSS | XSS triggered by sending an email containing a payload. | Core, Security | End users | Vulnerability detected and reported by Zach Julian. Thank you! |
| Admin login as | Logging in to a user account via the admin is recorded as USER LOGIN; the logs do not show that the login was performed by an admin. | webadmin user manager | webadmin users | Vulnerability detected and reported by Ammad Ali. Thank you! |
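The "Admin login as" entry concerns audit attribution: a session an admin opens on a user's behalf must be distinguishable in the logs from the user's own login. The following Python snippet is an added illustration, not atmail code; it shows an audit record that keeps the acting identity and a detector that finds such sessions in a constructed JSON-lines log (the field and event names are assumptions).

```python
# Added illustration, not atmail code: the field and event names are assumptions.
import json
from datetime import datetime, timezone


def login_event(subject: str, actor: str, source_ip: str) -> dict:
    """One audit record: 'subject' is the account the session is opened for,
    'actor' the identity that opened it (an admin when using 'login as')."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        # Distinct event name, so a filter on USER_LOGIN never hides admin access.
        "event": "USER_LOGIN" if actor == subject else "ADMIN_LOGIN_AS",
        "subject": subject,
        "actor": actor,
        "source_ip": source_ip,
    }


def find_impersonations(log_lines):
    """Return (actor, subject) for every login session not opened by its owner.
    Records without an 'actor' field (the pre-fix format, where only the user
    appears) are reported too, because their origin cannot be verified."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit record
        if rec.get("event") not in ("USER_LOGIN", "ADMIN_LOGIN_AS"):
            continue
        actor = rec.get("actor")
        if actor is None or actor != rec.get("subject"):
            hits.append((actor, rec.get("subject")))
    return hits


# Constructed sample: two normal logins, one admin 'login as', one legacy record.
SAMPLE_LOG = "\n".join([
    json.dumps(login_event("alice", "alice", "203.0.113.10")),
    json.dumps(login_event("bob", "admin", "203.0.113.20")),
    '{"ts": "2017-05-25T09:00:00+00:00", "event": "USER_LOGIN", "subject": "carol"}',
    json.dumps(login_event("dave", "dave", "203.0.113.30")),
])

if __name__ == "__main__":
    for actor, subject in find_impersonations(SAMPLE_LOG.splitlines()):
        print(f"session for {subject!r} was opened by {actor!r}")
```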
Bug Fixes
Core Product
| Bugfix | Bugfix Description | Component(s) Impacted | User(s) Impacted | Impact Description |
|---|---|---|---|---|
| Calendar events | Webmail updates the calendar event timezone (TZ) to floating. | DAV | ActiveSync and CalDAV end users | Functionality |
| Calendar events | Drag and drop of events created in GMT fails to maintain the TZ. | DAV | ActiveSync and CalDAV end users | Functionality |
| Attachment uploads | Webmail fails to upload *.txt attachments correctly. | webmail interface | End users accessing the webmail interface | UI |
ActiveSync
| Change | Change Description | Component(s) Impacted | User(s) Impacted | Impact Description |
|---|---|---|---|---|
| Update code base | Updated the core ActiveSync codebase to version 2.3.6. | ActiveSync | End users who use ActiveSync | Functionality |
| Updated timezone handling | Added timezone guessing. | ActiveSync | End users who use ActiveSync | Functionality |
| Updated username authentication | Fixed originalemail / username from the auth backend to be used for MAILTO and the organizer email in ICS attachments (CalDAV backend driver, where 'originalUsername' should have been replaced with GetCurrentUsername(); upstream provider bug). | ActiveSync | End users who use ActiveSync | Functionality |
| Updated SyncObject attributes | Corrected a bug with SyncObject attributes when CDATA is present. | ActiveSync | End users who use ActiveSync | Functionality |
| Updated log names | Changed the output logs to push*. | ActiveSync | End users who use ActiveSync | Functionality |
| Updated photo data encoding | Fixed some photo data being base64 encoded twice. | ActiveSync | End users who use ActiveSync | Functionality |
| Updated email address formatting | Email addresses provided by devices are now formatted to match the RFC 822 'addr-spec' rather than RFC 2822. | ActiveSync | End users who use ActiveSync | Functionality |
| Updated license details | NET/SMTP introduces a new license, BSD-2-Clause (http://opensource.org/licenses/bsd-license.php). | ActiveSync | End users who use ActiveSync | Functionality |