Baruwa 2.0.1 Security release issued

April 21, 2013 at 10:00 AM | categories: Baruwa, Baruwa 2.0, Releases

Today we are issuing a release, Baruwa 2.0.1, to remedy a security issue reported to us. This release also contains a range of bug fixes to both the Community and Enterprise Editions. This release does NOT introduce any backward incompatible changes.

Users of Baruwa 2.0 are encouraged to upgrade immediately.

Summary

This security release fixes one issue: an information leakage issue.

Here's a brief summary of the issue and its resolution:

  • Issue: Data leakage via domain admin edit and delete user pages

For more details, read on.

Notes

In order to provide a value proposition for our Enterprise Edition clients we have decided to split the Enterprise and Community Editions. The Enterprise Edition will now contain advanced features for clustered and large scale environments not available in the Community Edition.

The focus of the Community Edition will now be running on single servers; multi-node features will gradually be removed from the Community Edition.

This is the initial release where this distinct feature set will become evident.

Issue: Data leakage via domain admin edit and delete user pages

Baruwa's admin interface could expose supposedly-hidden information via its user edit and user delete pages. This has been fixed.

Baruwa's administrative interface allows domain admins to edit and delete users in the domains that they manage. The user edit and user delete pages did not filter the drop-down list of domains to show only the domains the domain admin is allowed to manage; as a result, domain admins were able to view domains that belong to other users.

To remedy this, the user edit page now filters the domains drop-down to only the domains the domain admin manages, and the user delete page no longer displays a domains drop-down list at all.
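The authorization check the fix introduces, modelled as an added example in Python with a constructed data set; this is not Baruwa's own code, and the class, field and function names are assumptions:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Domain:
    id: int
    name: str

@dataclass
class Account:
    username: str
    is_superadmin: bool = False
    is_domain_admin: bool = False
    # IDs of the domains this domain admin manages (assumed relation).
    managed_domains: frozenset = field(default_factory=frozenset)

# Constructed sample data: three domains split between two domain admins.
DOMAINS = [Domain(1, "example.com"), Domain(2, "example.org"), Domain(3, "example.net")]
ALICE = Account("alice", is_domain_admin=True, managed_domains=frozenset({1}))
BOB = Account("bob", is_domain_admin=True, managed_domains=frozenset({2, 3}))
ROOT = Account("root", is_superadmin=True)

def authorized_domains(viewer):
    """Domain names the viewer is entitled to see in any admin form."""
    if viewer.is_superadmin:
        return [d.name for d in DOMAINS]
    if viewer.is_domain_admin:
        return [d.name for d in DOMAINS if d.id in viewer.managed_domains]
    return []

def edit_form_domains_vulnerable(viewer):
    # Pre-2.0.1 behaviour: the drop-down is built from every domain in the
    # database, regardless of who is rendering the form.
    return [d.name for d in DOMAINS]

def edit_form_domains_fixed(viewer):
    # 2.0.1 behaviour: the drop-down is restricted to the viewer's own domains.
    return authorized_domains(viewer)

def delete_form_domains_fixed(viewer):
    # 2.0.1 behaviour: the delete page renders no domain drop-down at all,
    # so there is nothing left to filter on that page.
    return []

def leaked_domains(viewer, render):
    """Regression check: names shown by `render` that the viewer may not see."""
    return sorted(set(render(viewer)) - set(authorized_domains(viewer)))
```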

Resolution

Patches have been applied to Baruwa's 2.0 master development branch, which resolve the issue described above. The patches may be obtained directly from the following changeset.

The following new Community Edition release has been issued:

Updated Enterprise Edition packages are available from the Enterprise repository. Users of the Enterprise Edition should refer to the upgrading and changelog sections of the documentation and then use their package manager to upgrade.

Credits

The admin information leakage issue was reported by Network Technologies Queensland.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@baruwa.com, and NOT via Baruwa's issue tracking system or the mailing lists.

Bug fixes

The bug fixes below are a combination of the fixes to the Community and Enterprise Editions.

  • Fixed a domains information leak when logged in as a domain admin. Domain admins were able to see domains belonging to other users in the drop-down menu under edit or delete accounts.
  • Added support for theming and customization. This includes customization of the interface, emails and reports, as well as productization under a custom name.
  • Added support for shared quarantines on shared storage, which allows messages to be accessed even when the node that processed them is offline.
  • Implemented full cluster functionality for all components.
  • Improvements to Active Directory / LDAP support, including address verification for alias domain accounts, import of aliases from LDAP servers that use the mail attribute (such as OpenLDAP), and a fix for a case-sensitivity issue with Active Directory servers.
  • Fixed MailScanner SQL config keyword issue.
  • Fixed duplicate account listings when a user belonged to more than one domain.
  • Fixed various issues that caused quarantine reports not to be sent to some user accounts.
  • Fixed automatic user logout when a user deletes their own account.
  • Improved the predicate matching system for authorization of actions.
  • Fixed previewing of embedded images in emails.
  • Fixed the searching of archives, which did not display the actual messages found.
  • Fixed signature processing on the nodes after configuration in the interface.
  • Added an experimental PDF reporting command with theme support.
  • Added an experimental quarantine reporting command with theme support.
  • Fixed various cron jobs, such as the ones pruning database tables.
  • Disabled NJABL.
  • Updated translations.