
Minor Update 7.8.0.2/ActiveSync 2.3.6

Stewart -

Release overview

Release Date: 25 May 2017
Release Versions: On-Premises v7.8.0.2, ActiveSync 2.3.6

Please Note:
Version 7.8.0.2 contains minor fixes required for ActiveSync and security for the atmail 7.8 release. For full details on the atmail 7.8 release, click here.

Security Fix

| Vulnerability | Vulnerability Description | Component(s) Impacted | User(s) Impacted | Credit |
|---|---|---|---|---|
| CSRF | Security vulnerability which allows an attacker to upload and import users via CSV. | Core, Security | all users | Vulnerability detected and reported by Vahagn Vardanyan. Thank you! |
| CSRF | Security vulnerability which allows an attacker to change the SMTP hostname and hijack all emails. | Core, Security | all users | Vulnerability detected and reported by Vahagn Vardanyan. Thank you! |
| CSRF | Security vulnerability which allows an attacker to create a user. | Core, Security | all users | Vulnerability detected and reported by Vahagn Vardanyan. Thank you! |
| XSS | Send email with payload. | Core, Security | end users | Vulnerability detected and reported by Zach Julian. Thank you! |
| Admin login as | It has been noted that a login to a user account via admin is logged as USER LOGIN. The logs do not show that the login activity was made by admin. | webadmin user manager | webadmin users | Vulnerability detected and reported by Ammad Ali. Thank you! |

Bug Fixes

Core Product

| Bugfix | Bugfix Description | Component(s) Impacted | User(s) Impacted | Impact Description |
|---|---|---|---|---|
| Calendar events | Webmail updates calendar events TZ to floating | DAV | ActiveSync and CalDAV end users | Functionality |
| Calendar events | Drag and drop of events created in GTM fails to maintain TZ | DAV | ActiveSync and CalDAV end users | Functionality |
| Attachment uploads | Webmail fails to upload *.txt attachments correctly. | webmail interface | End users accessing the webmail interface | UI |

ActiveSync

| Change | Change Description | Component(s) Impacted | User(s) Impacted | Impact Description |
|---|---|---|---|---|
| Update code base | Updated core ActiveSync codebase to version 2.3.6 | ActiveSync | End users who use ActiveSync | Functionality |
| Updated timezone handling | Added timezone guessing | ActiveSync | End users who use ActiveSync | Functionality |
| Updated username authentication | Fixed originalemail / username from auth backend to be used for MAILTO and organizer email in ICS attachments (caldav backend driver where 'originalUsername' should have been replaced with GetCurrentUsername() (upstream provider bug)) | ActiveSync | End users who use ActiveSync | Functionality |
| Updated SyncObject attributes | Corrected bug with SyncObject attributes if CDATA present | ActiveSync | End users who use ActiveSync | Functionality |
| Updated log names | Changed output logs to push* | ActiveSync | End users who use ActiveSync | Functionality |
| Updated photo data encoding | Fixed some photo data being base64 encoded twice. | ActiveSync | End users who use ActiveSync | Functionality |
| Updated email address formatting | Formatting for email address provided from devices to match 'addr-spec' RFC822 rather than RFC2822 | ActiveSync | End users who use ActiveSync | Functionality |
| Updated license details | NET/SMTP introduces new license http://opensource.org/licenses/bsd-license.php BSD-2-Clause | ActiveSync | End users who use ActiveSync | Functionality |

 
