1

Topic: 2 security fixes -- Roundcube and iRedMail (MySQL) backup script

Dear all,

There are 2 security fixes you need to follow immediately:

*) Roundcube webmail 1.2.4 (and 1.1.8) was released on March 10, 2017, including a fix for a recently reported XSS security issue with CSS styles inside an SVG tag.

Please upgrade Roundcube as soon as possible to fix it.

*) Possible backdooring of mysqldump backups.

Quote from: https://blog.tarq.io/cve-2016-5483-back … p-backups/

mysqldump is a common utility used to create logical backups of MySQL databases. By default, it generates a .sql file containing the queries to create/drop tables and insert your data. By crafting a malicious table name, an attacker can execute arbitrary SQL queries and shell commands if the dump file is imported.

If you're running iRedMail with one of the OpenLDAP, ldapd (OpenBSD only), MySQL or MariaDB backends, please follow the steps below to fix it:

- Open the daily MySQL backup script; it's /var/vmail/backup/backup_mysql.sh by default. If you used a different storage directory during iRedMail installation, you can find the base directory with the command "postconf virtual_mailbox_base".

- Find the variable CMD_MYSQLDUMP, like below:

export CMD_MYSQLDUMP="mysqldump ..."

- Make sure it has the argument "--skip-comments", like below:

export CMD_MYSQLDUMP="mysqldump ... --skip-comments"

- Save the change.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.
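
The steps above as a script, added here as an example; it is not part of the original post or of iRedMail's own tooling. The names ASSIGN_RE, check_skip_comments, add_skip_comments and demo are hypothetical, and the sample assignment is constructed; the audit reports whether every CMD_MYSQLDUMP assignment carries --skip-comments, and the fix appends it inside the closing quote.

```shell
#!/usr/bin/env bash
# Added example: audit/fix the mysqldump command in an iRedMail backup script.
ASSIGN_RE='^[[:space:]]*(export[[:space:]]+)?CMD_MYSQLDUMP='

# 0 = every CMD_MYSQLDUMP assignment in FILE has --skip-comments,
# 1 = at least one lacks it, 2 = file unreadable or no assignment found.
check_skip_comments() {
    local file="$1" lines
    [ -r "$file" ] || return 2
    lines=$(grep -E "$ASSIGN_RE" "$file") || return 2
    if printf '%s\n' "$lines" | grep -qv -- '--skip-comments'; then
        return 1
    fi
    return 0
}

# Insert --skip-comments before the closing quote of each assignment that
# lacks it (both "..." and '...' forms), keeping the original as FILE.bak.
# Returns the post-edit audit status, so a line the pattern cannot rewrite
# (for example one with a trailing comment) is still reported as 1.
add_skip_comments() {
    local file="$1" rc=0
    check_skip_comments "$file" || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    sed -E -i.bak \
        -e "/$ASSIGN_RE/"'!b' \
        -e '/--skip-comments/b' \
        -e 's/(["'\''])[[:space:]]*$/ --skip-comments\1/' "$file" || return 2
    check_skip_comments "$file"
}

# Constructed sample input: a single-quoted assignment with no other arguments.
demo() {
    local f
    f=$(mktemp) || return 1
    printf '%s\n' "export CMD_MYSQLDUMP='mysqldump'" > "$f"
    add_skip_comments "$f"; echo "audit status after fix: $?"
    cat "$f"
    rm -f "$f" "$f.bak"
}

# With a path argument, audit only; with none, run the demo.
if [ "$#" -gt 0 ]; then check_skip_comments "$1"; else demo; fi
```

To audit a real installation, pass the backup script path from the post (/var/vmail/backup/backup_mysql.sh by default) as the first argument and check the exit status.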

2

Re: 2 security fixes -- Roundcube and iRedMail (MySQL) backup script

The entry in my installation does not contain the ellipsis (three dots).

export CMD_MYSQLDUMP='mysqldump'

Should I then change it to

export CMD_MYSQLDUMP='mysqldump --skip-comments'

3

Re: 2 security fixes -- Roundcube and iRedMail (MySQL) backup script

Usually the three dots just mean "we omit some possible strings in this place". So if it doesn't contain anything, just add the new one.