From 61de34f5c560f40f3bfc4ff69e50a054d1afd932 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 13 Aug 2025 09:31:21 +0200
Subject: [PATCH 1/5] Fix CI by upgrading
---
 docs/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/Dockerfile b/docs/Dockerfile
index 08e725fc..bbb3c0b6 100644
--- a/docs/Dockerfile
+++ b/docs/Dockerfile
@@ -1,5 +1,5 @@
 # Convert .rst files to .html in temporary build container
-FROM python:3.12.3-alpine3.19 AS build
+FROM python:3.13.6-alpine3.22 AS build
 ARG version=master
 ENV VERSION=$version
@@ -25,7 +25,7 @@ RUN set -euxo pipefail \
 # Build nginx deployment image including generated html
-FROM nginx:1.25.5-alpine
+FROM nginx:1.29.0-alpine
 ARG version=master
 ARG pinned_version=master
From 880312db30ce61eaf64fb7b95c8b3b7cc299ad84 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 13 Aug 2025 09:38:53 +0200
Subject: [PATCH 2/5] roundcube 1.6.11 and carddav 5.1.1
---
 webmails/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/webmails/Dockerfile b/webmails/Dockerfile
index 95d4a374..9e47af0e 100644
--- a/webmails/Dockerfile
+++ b/webmails/Dockerfile
@@ -28,8 +28,8 @@ RUN set -euxo pipefail \
 ; mkdir -p /run/nginx /conf
 # roundcube
-ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.6.9/roundcubemail-1.6.9-complete.tar.gz
-ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v5.1.0/carddav-v5.1.0.tar.gz
+ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.6.11/roundcubemail-1.6.11-complete.tar.gz
+ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v5.1.1/carddav-v5.1.1.tar.gz
 RUN set -euxo pipefail \
 ; cd /var/www \
From c72fa20e417b63506c6f0ad3a48db605934a00d1 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 13 Aug 2025 09:40:01 +0200
Subject: [PATCH 3/5] alpine 3.21.4
---
 core/base/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index 892faa9b..842fd89b 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -3,7 +3,7 @@
 # base system image (intermediate)
 # Note when updating the alpine tag, first manually run the workflow .github/workflows/mirror.yml.
 # Just run the workflow with the tag that must be synchronised.
-ARG DISTRO=ghcr.io/mailu/alpine:3.21.0
+ARG DISTRO=ghcr.io/mailu/alpine:3.21.4
 FROM $DISTRO as system
 ENV TZ=Etc/UTC LANG=C.UTF-8
From 241d3cb6dd872114ab782d4baa9989bd6257bdac Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 13 Aug 2025 09:50:09 +0200
Subject: [PATCH 4/5] Add snuffleupagus rules from upstream
---
 webmails/snuffleupagus.rules | 38 ++++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules
index ba6947e8..90601207 100644
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
@@ -42,35 +42,38 @@ sp.disable_function.function("chmod").param("permissions").value("511").drop();
 # Prevent various `mail`-related vulnerabilities
 # Uncommend the second rule if you're using php8.3+
+@condition PHP_VERSION_ID < 80300;
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+@condition PHP_VERSION_ID >= 80300;
 sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
+@end_condition;
 # Since it's now burned, me might as well mitigate it publicly
-sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
-sp.disable_function.function("putenv").param("assignment").value("PATH").drop()
+sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop();
+sp.disable_function.function("putenv").param("assignment").value("PATH").drop();
 # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
-sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
+sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop();
 # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
-sp.disable_function.function("extract").param("array").value_r("^_").drop()
-sp.disable_function.function("extract").param("flags").value("0").drop()
+sp.disable_function.function("extract").param("array").value_r("^_").drop();
+sp.disable_function.function("extract").param("flags").value("0").drop();
 # See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
 # Since we have no way of matching on two parameters at the same time, we're
 # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
 # Moreover, there are non-public bypasses that are also using this vector ;)
-sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
+sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop();
 # Prevent various `include`-related vulnerabilities
 sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
-sp.disable_function.function("require_once").drop()
-sp.disable_function.function("include_once").drop()
-sp.disable_function.function("require").drop()
-sp.disable_function.function("include").drop()
+sp.disable_function.function("require_once").drop();
+sp.disable_function.function("include_once").drop();
+sp.disable_function.function("require").drop();
+sp.disable_function.function("include").drop();
 # Prevent `system`-related injections
 sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
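Review bot: The context comment `# Uncommend the second rule if you're using php8.3+` directly above the new `@condition PHP_VERSION_ID < 80300;` is stale once this change lands: both `mail` rules remain active and the two conditions select the one whose parameter name (`additional_parameters` below 8.3, `additional_params` from 8.3, which is presumably why the boundary is 80300) matches the running PHP, so nobody has to uncomment anything. Replace it with `# Both rules stay enabled; @condition picks the one whose parameter name matches the running PHP (the parameter was renamed in 8.3).`, which also fixes the "Uncommend" typo. The rules file is a flat list, so no enclosing block is cut by this hunk.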
@@ -129,11 +132,22 @@ sp.disable_function.function("curl_init").param("url").value_r("file://").drop()
 # File upload
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
 # Logging lockdown
-sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
+sp.disable_function.function("ini_set").param("option").value_r("error_log").drop();
 sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename_r("/var/www/snappymail/snappymail/v/[0-9]+\.[0-9]+\.[0-9]+/app/libraries/snappymail/shutdown.php").allow();
-sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
+sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop();
+
+# Classic webshells patterns
+sp.disable_function.function("system>base64_decode").drop();
+sp.disable_function.function("shell_exec>base64_decode").drop();
+sp.disable_function.function("exec>base64_decode").drop();
+sp.disable_function.function("passthru>base64_decode").drop();
+sp.disable_function.function("proc_open>base64_decode").drop();
+# TODO: enable this for real
+sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation();
 sp.auto_cookie_secure.enable();
 # TODO: consider encrypting the cookies?
From 9131a5a8c2f34b04566c460b8e9e0e7d319133e1 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 13 Aug 2025 09:54:15 +0200
Subject: [PATCH 5/5] towncrier
---
 towncrier/newsfragments/3889.misc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/3889.misc
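Review bot: The `curl_init` rule visible in this hunk's header context, `sp.disable_function.function("curl_init").param("url").value_r("file://").drop()`, is left without the trailing `;` that this commit adds to every other rule (the `error_log` and `display_errors` lines here and the `putenv`, `extract`, `ini_set` and `include` lines in the first hunk); give it the same terminator, since whether the parser accepts an unterminated rule cannot be told from here and the diffstat shows no other hunk touches it. Separately, `sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation();` is log-only as written, so the `# TODO: enable this for real` above it should state what gates enforcement, e.g. `# TODO: log-only (simulation) until the webmails are confirmed not to eval() code reaching these functions; then switch to the enforcing form`.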
diff --git a/towncrier/newsfragments/3889.misc b/towncrier/newsfragments/3889.misc
new file mode 100644
index 00000000..0cb0733d
--- /dev/null
+++ b/towncrier/newsfragments/3889.misc
@@ -0,0 +1 @@
+Upgrade the following: Alpine: 3.21.4, Roundcube: 1.6.11, Carddav: 5.1.1, docs infra, snufflepagus rules