1730: Use alpine 3.13 to fix CVE-2020-25275 and CVE-2020-24386 r=mergify[bot] a=micw
## What type of PR?
bug-fix
## What does this PR do?
Upgrade dovecot alpine to 3.13 to fix CVEs in dovecot
### Related issue(s)
- #1720
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Michael Wyraz <michael@wyraz.de>
- idna.encode does not encode upper-case letters,
so .lower() has to be called on value not on result
- split email-address on '@' only once
- converted '*'.format(*) to f-strings
- added docstrings
- removed from_dict method
- code cleanup/style (list concat, exceptions, return&else, line-length)
- added TODO comments on possible future changes
- revived original config-update function for backwards compability
- renamed config-dump to config-export to be in line with config-import
- converted '*'.format(*) to f-strings
- converted string-concatenation to f-strings
renamed single letter variables (m => match)
renamed classmethod arguments to cls (model)
removed shadowing of variables (hash, context)
shortened unneeded lambda functions (id)
converted type ... is to isinstance(...)
removed unneded imports (flask)
Updated ConfigManager to only modify app.config and not replace it.
Swagger does not play well, when app.config is not a real dict and
it is not necessary to keep ConfigManager around after init.
Also added "API" flag to config (default: disabled).
1693: Bump cryptography from 2.6.1 to 3.2 in /core/admin r=mergify[bot] a=dependabot[bot]
Bumps [cryptography](https://github.com/pyca/cryptography) from 2.6.1 to 3.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst">cryptography's changelog</a>.</em></p>
<blockquote>
<p>3.2 - 2020-10-25</p>
<pre><code>
* **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant
time, to protect against Bleichenbacher vulnerabilities. Due to limitations
imposed by our API, we cannot completely mitigate this vulnerability and a
future release will contain a new API which is designed to be resilient to
these for contexts where it is required. Credit to **Hubert Kario** for
reporting the issue. *CVE-2020-25659*
* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
will need to upgrade.
* Added basic support for PKCS7 signing (including SMIME) via
:class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.
<p>.. _v3-1-1:</p>
<p>3.1.1 - 2020-09-22
</code></pre></p>
<ul>
<li>Updated Windows, macOS, and <code>manylinux</code> wheels to be compiled with
OpenSSL 1.1.1h.</li>
</ul>
<p>.. _v3-1:</p>
<p>3.1 - 2020-08-26</p>
<pre><code>
* **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
:term:`U-label` parsing in various X.509 classes. This support was originally
deprecated in version 2.1 and moved to an extra in 2.5.
* Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by
the OpenSSL project. The next version of ``cryptography`` will drop support
for it.
* Deprecated support for Python 3.5. This version sees very little use and will
be removed in the next release.
* ``backend`` arguments to functions are no longer required and the
default backend will automatically be selected if no ``backend`` is provided.
* Added initial support for parsing certificates from PKCS7 files with
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
and
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
.
* Calling ``update`` or ``update_into`` on
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
also resolves the same issue in :doc:`/fernet`.
<p>.. _v3-0:</p>
<p>3.0 - 2020-07-20
</tr></table>
</code></pre></p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="c9e65222c9"><code>c9e6522</code></a> 3.2 release (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5508">#5508</a>)</li>
<li><a href="58494b41d6"><code>58494b4</code></a> Attempt to mitigate Bleichenbacher attacks on RSA decryption (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5507">#5507</a>)</li>
<li><a href="cf9bd6a36b"><code>cf9bd6a</code></a> move blinding to <strong>init</strong> on both RSA public and private (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5506">#5506</a>)</li>
<li><a href="bf4b962f4b"><code>bf4b962</code></a> be more verbose in the 102 deprecation notice (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5505">#5505</a>)</li>
<li><a href="ada53e7ca0"><code>ada53e7</code></a> make the regexes for branches more strict (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5504">#5504</a>)</li>
<li><a href="8be1d4b111"><code>8be1d4b</code></a> Stop using <a href="https://github.com/master">@master</a> for GH actions (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5503">#5503</a>)</li>
<li><a href="08a97cca71"><code>08a97cc</code></a> Bump actions/upload-artifact from v1 to v2.2.0 (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5502">#5502</a>)</li>
<li><a href="52a0e44e97"><code>52a0e44</code></a> Add a dependabot configuration to bump our github actions (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5501">#5501</a>)</li>
<li><a href="611c4a340f"><code>611c4a3</code></a> PKCS7SignatureBuilder now supports new option NoCerts when signing (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5500">#5500</a>)</li>
<li><a href="836a92a28f"><code>836a92a</code></a> chunking didn't actually work (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5499">#5499</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/pyca/cryptography/compare/2.6.1...3.2">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Mailu/Mailu/network/alerts).
</details>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1696: disable php version expose r=Diman0 a=ronivay
## What type of PR?
enhancement
## What does this PR do?
Disable exposing PHP-version from webmails in x-powered-by header for security reasons.
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [N/A] In case of feature or enhancement: documentation updated accordingly
- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: ronivay <roni@vayrynen.info>
1684: add warning about removing front r=mergify[bot] a=lub
## What type of PR?
documentation
## What does this PR do?
### Related issue(s)
- caused confusion e.g. in #1678
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] ~~Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.~~
Co-authored-by: lub <git@lubiland.de>
1680: remove service status "feature" r=ofthesun9 a=ebdavison
Per the issue tracker, this was removed in issue Mailu#463 (Remove the Service Status page)
## What type of PR?
documentation
## What does this PR do?
remove feature for services status which no longer exists; this confused me as I was trying to find it and was not able to.
## Related issue(s)
Remove the Service Status page Mailu#463
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
N/A
Co-authored-by: ebdavison <549431+ebdavison@users.noreply.github.com>
1687: Fix letsencrypt access to certbot for the mail-letsencrypt flavour r=ofthesun9 a=ofthesun9
## What type of PR?
bug-fix
## What does this PR do?
This PR changes nginx.conf file to ensure that the flavor mail-letsencrypt is also having the redirection for .well-known/acme-challenge
### Related issue(s)
closes#1686
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: ofthesun9 <olivier@ofthesun.net>
1654: Ensure that the rendered file ends with newline in order to make `pos… r=mergify[bot] a=tremlin
## What type of PR?
Bugfix
## What does this PR do?
This fixes#1580
### Related issue(s)
- closes#1580
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
Co-authored-by: Thomas Rehn <thomas.rehn@initos.com>
1669: Fix extract_host_port port separation r=mergify[bot] a=cbachert
Regex quantifier should be lazy to make port separation work.
## What type of PR?
bug-fix
## What does this PR do?
The "extract_host_port" function in admin/mailu/internal/nginx.py and optional/fetchmail/fetchmail.py is not actually separating host and port due to the `(.*)` part of the regex being too generous. Lazy quantifier `(.*?)` allows the other capturing groups to match.
### Related issue(s)
- No issue raised for this
## Prerequistes
- [x] Documentation updated accordingly: N/A, bug-fix
- [x] Add [changelog] entry file: Added towncrier newsfragment with second commit
1672: mark radio buttons in setup utility as required r=mergify[bot] a=lub
## What type of PR?
bug-fix
## What does this PR do?
mark radio buttons in setup utility as required
Otherwise it's possible to submit the form without selecting e.g. any
flavor, which would need additional handling on the server side.
### Related issue(s)
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: cbachert <cbachert@users.noreply.github.com>
Co-authored-by: lub <git@lubiland.de>
1671: manually merge wrongly named news fragments r=mergify[bot] a=lub
see https://github.com/twisted/towncrier#news-fragments for a list of
default news fragment types
## What type of PR?
documentation
## What does this PR do?
adds the missing news fragemnts to the 1.8 changelog
### Related issue(s)
- #1653
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: lub <git@lubiland.de>
Raphaël P. Barazzutti
lub