diff --git a/core/base/Dockerfile b/core/base/Dockerfile index 66462e18..31216497 100644 --- a/core/base/Dockerfile +++ b/core/base/Dockerfile @@ -3,7 +3,7 @@ # base system image (intermediate) # Note when updating the alpine tag, first manually run the workflow .github/workflows/mirror.yml. # Just run the workflow with the tag that must be synchronised. -ARG DISTRO=ghcr.io/mailu/alpine:3.21.0 +ARG DISTRO=ghcr.io/mailu/alpine:3.21.4 FROM $DISTRO as system ENV TZ=Etc/UTC LANG=C.UTF-8 diff --git a/docs/Dockerfile b/docs/Dockerfile index 08e725fc..bbb3c0b6 100644 --- a/docs/Dockerfile +++ b/docs/Dockerfile @@ -1,5 +1,5 @@ # Convert .rst files to .html in temporary build container -FROM python:3.12.3-alpine3.19 AS build +FROM python:3.13.6-alpine3.22 AS build ARG version=master ENV VERSION=$version @@ -25,7 +25,7 @@ RUN set -euxo pipefail \ # Build nginx deployment image including generated html -FROM nginx:1.25.5-alpine +FROM nginx:1.29.0-alpine ARG version=master ARG pinned_version=master diff --git a/towncrier/newsfragments/3889.misc b/towncrier/newsfragments/3889.misc new file mode 100644 index 00000000..0cb0733d --- /dev/null +++ b/towncrier/newsfragments/3889.misc @@ -0,0 +1 @@ +Upgrade the following: Alpine: 3.21.4, Roundcube: 1.6.11, Carddav: 5.1.1, docs infra, snufflepagus rules diff --git a/webmails/Dockerfile b/webmails/Dockerfile index fb3df84b..9e47af0e 100644 --- a/webmails/Dockerfile +++ b/webmails/Dockerfile @@ -29,7 +29,7 @@ RUN set -euxo pipefail \ # roundcube ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.6.11/roundcubemail-1.6.11-complete.tar.gz -ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v5.1.0/carddav-v5.1.0.tar.gz +ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v5.1.1/carddav-v5.1.1.tar.gz RUN set -euxo pipefail \ ; cd /var/www \ diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules index ba6947e8..90601207 100644 --- a/webmails/snuffleupagus.rules +++ b/webmails/snuffleupagus.rules @@ -42,35 +42,38 @@ sp.disable_function.function("chmod").param("permissions").value("511").drop(); # Prevent various `mail`-related vulnerabilities # Uncommend the second rule if you're using php8.3+ +@condition PHP_VERSION_ID < 80300; sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); +@condition PHP_VERSION_ID >= 80300; sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop(); +@end_condition; # Since it's now burned, me might as well mitigate it publicly -sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop() -sp.disable_function.function("putenv").param("assignment").value("PATH").drop() +sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop(); +sp.disable_function.function("putenv").param("assignment").value("PATH").drop(); # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 -sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop() +sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop(); # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector -sp.disable_function.function("extract").param("array").value_r("^_").drop() -sp.disable_function.function("extract").param("flags").value("0").drop() +sp.disable_function.function("extract").param("array").value_r("^_").drop(); +sp.disable_function.function("extract").param("flags").value("0").drop(); # See https://dustri.org/b/ini_set-based-open_basedir-bypass.html # Since we have no way of matching on two parameters at the same time, we're # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. # Moreover, there are non-public bypasses that are also using this vector ;) -sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop() +sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop(); # Prevent various `include`-related vulnerabilities sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); -sp.disable_function.function("require_once").drop() -sp.disable_function.function("include_once").drop() -sp.disable_function.function("require").drop() -sp.disable_function.function("include").drop() +sp.disable_function.function("require_once").drop(); +sp.disable_function.function("include_once").drop(); +sp.disable_function.function("require").drop(); +sp.disable_function.function("include").drop(); # Prevent `system`-related injections sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); @@ -129,11 +132,22 @@ sp.disable_function.function("curl_init").param("url").value_r("file://").drop() # File upload sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop(); sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop(); +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); +sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); # Logging lockdown -sp.disable_function.function("ini_set").param("option").value_r("error_log").drop() +sp.disable_function.function("ini_set").param("option").value_r("error_log").drop(); sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename_r("/var/www/snappymail/snappymail/v/[0-9]+\.[0-9]+\.[0-9]+/app/libraries/snappymail/shutdown.php").allow(); -sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop() +sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop(); + +# Classic webshells patterns +sp.disable_function.function("system>base64_decode").drop(); +sp.disable_function.function("shell_exec>base64_decode").drop(); +sp.disable_function.function("exec>base64_decode").drop(); +sp.disable_function.function("passthru>base64_decode").drop(); +sp.disable_function.function("proc_open>base64_decode").drop(); +# TODO: enable this for real +sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation(); sp.auto_cookie_secure.enable(); # TODO: consider encrypting the cookies?