Hello community, here is the log from the commit of package froxlor for openSUSE:Factory checked in at 2015-08-10 09:16:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/froxlor (Old) and /work/SRC/openSUSE:Factory/.froxlor.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "froxlor" Changes: -------- --- /work/SRC/openSUSE:Factory/froxlor/froxlor.changes 2015-04-13 20:31:46.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.froxlor.new/froxlor.changes 2015-08-10 09:16:21.000000000 +0200 @@ -1,0 +2,12 @@ +Fri Jul 31 11:39:26 CEST 2015 - [email protected] + +- upstream upgrade to version 0.9.33.2 (bnc#846355) + security issue in the database logging system + +------------------------------------------------------------------- +Tue Apr 14 12:09:08 CEST 2015 - [email protected] + +- update and typo fix in documentation template suse_linux_1x_x +- update Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. + +------------------------------------------------------------------- Old: ---- froxlor-0.9.33.1.tar.bz2 New: ---- froxlor-0.9.33.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ froxlor.spec ++++++ --- /var/tmp/diff_new_pack.5wMgGk/_old 2015-08-10 09:16:22.000000000 +0200 +++ /var/tmp/diff_new_pack.5wMgGk/_new 2015-08-10 09:16:22.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package froxlor # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %define apache_serverroot /srv/www/htdocs Name: froxlor -Version: 0.9.33.1 +Version: 0.9.33.2 Release: 0 Source0: froxlor-%{version}.tar.bz2 Source1: froxlor.suse.adapt.template.config.tar.bz2 
@@ -46,9 +46,9 @@ Requires: mysql Requires: php5 Requires: php5-bcmath +Requires: php5-curl Requires: php5-mysql Requires: php5-posix -Requires: php5-curl Requires: postfix Requires: postfix-mysql Requires: pure-ftpd ++++++ froxlor-0.9.33.1.tar.bz2 -> froxlor-0.9.33.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/froxlor/install/froxlor.sql new/froxlor/install/froxlor.sql --- old/froxlor/install/froxlor.sql 2015-02-16 08:50:49.000000000 +0100 +++ new/froxlor/install/froxlor.sql 2015-07-29 16:41:55.000000000 +0200 @@ -538,7 +538,7 @@ ('panel', 'password_numeric', '0'), ('panel', 'password_special_char_required', '0'), ('panel', 'password_special_char', '!?<>ยง$%+#=@'), - ('panel', 'version', '0.9.33.1'); + ('panel', 'version', '0.9.33.2'); DROP TABLE IF EXISTS `panel_tasks`; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/froxlor/install/updates/froxlor/0.9/update_0.9.inc.php new/froxlor/install/updates/froxlor/0.9/update_0.9.inc.php --- old/froxlor/install/updates/froxlor/0.9/update_0.9.inc.php 2015-02-16 08:50:49.000000000 +0100 +++ new/froxlor/install/updates/froxlor/0.9/update_0.9.inc.php 2015-07-29 16:41:55.000000000 +0200 @@ -2900,3 +2900,11 @@ updateToVersion('0.9.33.1'); } + +if (isFroxlorVersion('0.9.33.1')) { + + showUpdateStep("Updating from 0.9.33.1 to 0.9.33.2"); + lastStepStatus(0); + updateToVersion('0.9.33.2'); + +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/froxlor/lib/classes/database/class.Database.php new/froxlor/lib/classes/database/class.Database.php --- old/froxlor/lib/classes/database/class.Database.php 2015-02-16 08:50:49.000000000 +0100 +++ new/froxlor/lib/classes/database/class.Database.php 2015-07-29 16:41:55.000000000 +0200 
@@ -224,7 +224,7 @@ && isset($sql['root_password']) && (!isset($sql_root) || !is_array($sql_root)) ) { - $sql_root = array(0 => array('caption' => 'Default', 'host' => $sql['host'], 'user' => $sql['root_user'], 'password' => $sql['root_password'])); + $sql_root = array(0 => array('caption' => 'Default', 'host' => $sql['host'], 'socket' => (isset($sql['socket']) ? $sql['socket'] : null), 'user' => $sql['root_user'], 'password' => $sql['root_password'])); unset($sql['root_user']); unset($sql['root_password']); } @@ -235,11 +235,15 @@ $user = $sql_root[self::$_dbserver]['user']; $password = $sql_root[self::$_dbserver]['password']; $host = $sql_root[self::$_dbserver]['host']; + $socket = isset($sql_root[self::$_dbserver]['socket']) ? $sql_root[self::$_dbserver]['socket'] : null; + $port = isset($sql_root[self::$_dbserver]['port']) ? $sql_root[self::$_dbserver]['port'] : '3306'; } else { $caption = 'localhost'; $user = $sql["user"]; $password = $sql["password"]; $host = $sql["host"]; + $socket = isset($sql['socket']) ? $sql['socket'] : null; + $port = isset($sql['port']) ? $sql['port'] : '3306'; } // save sql-access-data if needed @@ -248,6 +252,8 @@ 'user' => $user, 'passwd' => $password, 'host' => $host, + 'port' => $port, + 'socket' => $socket, 'db' => $sql["db"], 'caption' => $caption ); @@ -264,10 +270,11 @@ 'charset' => 'utf8' ); - if (!validateLocalHostname($host) && !validate_ip2($host, true, 'invalidip', true, true)) { - $dbconf["dsn"]['unix_socket'] = makeCorrectFile($host); + if ($socket != null) { + $dbconf["dsn"]['unix_socket'] = makeCorrectFile($socket); } else { $dbconf["dsn"]['host'] = $host; + $dbconf["dsn"]['port'] = $port; } self::$_dbname = $sql["db"]; 
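Review bot: The legacy-format conversion in the `@@ -224,7` hunk copies `$sql['socket']` into `$sql_root[0]` but not `$sql['port']`. With an old-style `userdata.inc.php` that sets a non-default port, the root connection assembled in the `@@ -235,11` hunk therefore falls back to `'3306'`, while the unprivileged branch honours `$sql['port']`. Adding `'port' => (isset($sql['port']) ? $sql['port'] : '3306'),` to that array keeps the two in step. The enclosing method begins and ends outside these hunks, so whether `$sql_root` gets a port elsewhere cannot be seen from here.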
@@ -305,6 +312,32 @@ private static function _showerror($error, $showerror = true) { global $userinfo, $theme, $linker; + // include userdata.inc.php + require FROXLOR_INSTALL_DIR."/lib/userdata.inc.php"; + + // le format + if (isset($sql['root_user']) + && isset($sql['root_password']) + && (!isset($sql_root) || !is_array($sql_root)) + ) { + $sql_root = array(0 => array('caption' => 'Default', 'host' => $sql['host'], 'socket' => (isset($sql['socket']) ? $sql['socket'] : null), 'user' => $sql['root_user'], 'password' => $sql['root_password'])); + } + + // hide username/password in messages + $error_message = $error->getMessage(); + $error_trace = $error->getTraceAsString(); + // error-message + $error_message = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_message); + $error_message = str_replace($sql_root[0]['password'], 'DB_ROOT_PWD', $error_message); + // error-trace + $error_trace = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_trace); + $error_trace = str_replace($sql_root[0]['password'], 'DB_ROOT_PWD', $error_trace); + + if ($error->getCode() == 2003) { + $error_message = "Unable to connect to database. Either the mysql-server is not running or your user/password is wrong."; + $error_trace = ""; + } + /** * log to a file, so we can actually ask people for the error * (no one seems to find the stuff in the syslog) @@ -313,11 +346,10 @@ if (!file_exists($sl_dir)) { @mkdir($sl_dir, 0755); } - $sl_file = makeCorrectFile($sl_dir."/sql-error.log"); - $sqllog = @fopen($sl_file, 'a'); - @fwrite($sqllog, date('d.m.Y H:i', time())." --- ".str_replace("\n", " ", $error->getMessage())."\n"); - @fwrite($sqllog, date('d.m.Y H:i', time())." --- DEBUG: \n".$error->getTraceAsString()."\n"); - @fclose($sqllog); + openlog("froxlor", LOG_PID | LOG_PERROR, LOG_LOCAL0); + syslog(LOG_WARNING, str_replace("\n", " ", $error_message)); + syslog(LOG_WARNING, str_replace("\n", " ", "--- DEBUG: ".$error_trace)); + closelog(); /** * log error for reporting 
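Review bot: The masking block added at the top of `_showerror()` replaces only `$sql['password']` and `$sql_root[0]['password']`, although the connection code in this file selects `$sql_root[self::$_dbserver]`. The password of any other configured root server would therefore still reach syslog, the report file and the error page unmasked. The block also indexes `$sql_root[0]` when `userdata.inc.php` defines no root credentials, and no username is replaced despite the `// hide username/password in messages` comment. Masking every entry of `$sql_root` and skipping unset or empty values closes the gap. The body of `_showerror()` continues past this hunk.

```php
// hide the passwords of the unprivileged user and of every configured root server
$error_message = $error->getMessage();
$error_trace = $error->getTraceAsString();
if (isset($sql['password']) && $sql['password'] !== '') {
	$error_message = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_message);
	$error_trace = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_trace);
}
if (isset($sql_root) && is_array($sql_root)) {
	foreach ($sql_root as $root_entry) {
		if (isset($root_entry['password']) && $root_entry['password'] !== '') {
			$error_message = str_replace($root_entry['password'], 'DB_ROOT_PWD', $error_message);
			$error_trace = str_replace($root_entry['password'], 'DB_ROOT_PWD', $error_trace);
		}
	}
}
// … unchanged: error code 2003 handling …
```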
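Review bot: `openlog("froxlor", LOG_PID | LOG_PERROR, LOG_LOCAL0)` in the `@@ -313,11` hunk also copies every message to stderr. The message and the flattened stack trace can then land wherever the SAPI routes stderr, not only in syslog. If syslog is meant to be the single sink, `openlog("froxlor", LOG_PID, LOG_LOCAL0);` is sufficient. The trace may carry call arguments beyond the two masked passwords, so a comment such as `// trace may contain query parameters; the LOG_LOCAL0 destination should be readable by administrators only` would document the expectation for operators.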
@@ -326,38 +358,17 @@ $err_file = makeCorrectFile($sl_dir."/".$errid."_sql-error.log"); $errlog = @fopen($err_file, 'w'); @fwrite($errlog, "|CODE ".$error->getCode()."\n"); - @fwrite($errlog, "|MSG ".$error->getMessage()."\n"); + @fwrite($errlog, "|MSG ".$error_message."\n"); @fwrite($errlog, "|FILE ".$error->getFile()."\n"); @fwrite($errlog, "|LINE ".$error->getLine()."\n"); - @fwrite($errlog, "|TRACE\n".$error->getTraceAsString()."\n"); + @fwrite($errlog, "|TRACE\n".$error_trace."\n"); @fclose($errlog); if ($showerror) { - // include userdata.inc.php - require FROXLOR_INSTALL_DIR."/lib/userdata.inc.php"; - // fallback $theme = 'Sparkle'; - // le format - if (isset($sql['root_user']) - && isset($sql['root_password']) - && (!isset($sql_root) || !is_array($sql_root)) - ) { - $sql_root = array(0 => array('caption' => 'Default', 'host' => $sql['host'], 'user' => $sql['root_user'], 'password' => $sql['root_password'])); - } - - // hide username/password in messages - $error_message = $error->getMessage(); - $error_trace = $error->getTraceAsString(); - // error-message - $error_message = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_message); - $error_message = str_replace($sql_root[0]['password'], 'DB_ROOT_PWD', $error_message); - // error-trace - $error_trace = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_trace); - $error_trace = str_replace($sql_root[0]['password'], 'DB_ROOT_PWD', $error_trace); - // clean up sensitive data unset($sql); unset($sql_root); 
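Review bot: The per-error report `$errid."_sql-error.log"` is still written into `$sl_dir` with the exception's file path, line number and trace. If that directory is served by the web server, the report stays readable to anyone who learns its name; `$sl_dir` and `$errid` are defined outside this hunk, so this needs checking against their definitions. The writes are also entirely `@`-suppressed, so when `@fopen()` fails the following `@fwrite()` calls run on `false` and the report is silently lost. Wrapping the writes in `if ($errlog !== false) {` and adding `// $sl_dir must not be reachable over HTTP: the report contains paths and a stack trace` would make both points explicit.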
@@ -388,7 +399,8 @@ die($err_hint); } } - die("We are sorry, but a MySQL - error occurred. The administrator may find more information in in the sql-error.log in the logs/ directory"); + die("We are sorry, but a MySQL - error occurred. The administrator may find more information in the syslog"); } } } + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/froxlor/lib/tables.inc.php new/froxlor/lib/tables.inc.php --- old/froxlor/lib/tables.inc.php 2015-02-16 08:50:49.000000000 +0100 +++ new/froxlor/lib/tables.inc.php 2015-07-29 16:41:55.000000000 +0200 @@ -51,6 +51,6 @@ define('TABLE_DOMAINTOIP', 'panel_domaintoip'); // VERSION INFO -$version = '0.9.33.1'; +$version = '0.9.33.2'; $dbversion = '2'; $branding = ''; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/froxlor/scripts/froxlor_master_cronjob.php new/froxlor/scripts/froxlor_master_cronjob.php --- old/froxlor/scripts/froxlor_master_cronjob.php 2015-02-16 08:50:49.000000000 +0100 +++ new/froxlor/scripts/froxlor_master_cronjob.php 2015-07-29 16:41:55.000000000 +0200 @@ -47,6 +47,8 @@ // really force re-generating of config-files by // inserting task 1 inserttask('1'); + // bind (if enabled, inserttask() checks this) + inserttask('4'); // also regenerate cron.d-file inserttask('99'); addToQueue($jobs_to_run, $crontasks); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/froxlor/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php new/froxlor/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php --- old/froxlor/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php 2015-02-16 08:50:49.000000000 +0100 +++ new/froxlor/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php 2015-07-29 16:41:55.000000000 +0200 
@@ -58,7 +58,12 @@ $php_options_text.= ' </FilesMatch>' . "\n"; // >=apache-2.4 enabled? if (Settings::Get('system.apache24') == '1') { - $php_options_text.= ' Require all granted' . "\n"; + $mypath_dir = new frxDirectory($domain['documentroot']); + // only create the require all granted if there is not active directory-protection + // for this path, as this would be the first require and therefore grant all access + if ($mypath_dir->isUserProtected() == false) { + $php_options_text.= ' Require all granted' . "\n"; + } } else { $php_options_text.= ' Order allow,deny' . "\n"; $php_options_text.= ' allow from all' . "\n"; @@ -90,7 +95,12 @@ $php_options_text.= ' </FilesMatch>' . "\n"; // >=apache-2.4 enabled? if (Settings::Get('system.apache24') == '1') { - $php_options_text.= ' Require all granted' . "\n"; + $mypath_dir = new frxDirectory($domain['documentroot']); + // only create the require all granted if there is not active directory-protection + // for this path, as this would be the first require and therefore grant all access + if ($mypath_dir->isUserProtected() == false) { + $php_options_text.= ' Require all granted' . "\n"; + } } else { $php_options_text.= ' Order allow,deny' . "\n"; $php_options_text.= ' allow from all' . "\n"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/froxlor/templates/Sparkle/webftp/webftp_navigation_element.tpl new/froxlor/templates/Sparkle/webftp/webftp_navigation_element.tpl --- old/froxlor/templates/Sparkle/webftp/webftp_navigation_element.tpl 1970-01-01 01:00:00.000000000 +0100 +++ new/froxlor/templates/Sparkle/webftp/webftp_navigation_element.tpl 2015-07-29 16:41:55.000000000 +0200 
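Review bot: `if ($mypath_dir->isUserProtected() == false)` in the first hunk, and identically in the `@@ -90,7 +95,12` hunk, fails open. With a loose comparison any falsy result, including a `null` from a failed lookup, counts as "not protected" and `Require all granted` is written. `isUserProtected()` is not visible here, so its return type should be confirmed; `=== false` states the intent if it returns a strict boolean, and a failure case should not end in granting access. The check looks only at `$domain['documentroot']`, so protection configured on other paths is presumably handled elsewhere. The six added lines are duplicated verbatim in both places and would be easier to keep correct as one small helper.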
@@ -0,0 +1,13 @@ +<div class="menuelement"> + <h4> + {if $navurl != '#'} + <a href="{$navurl}" {$target} class="menu">{$navlabel}</a> + {else} + {$navlabel} + {/if} + </h4> + <ul> + {$navigation_links} + </ul> +</div> + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/froxlor/templates/misc/configfiles/debian_wheezy/dovecot/etc_dovecot_conf.d_10-master.conf new/froxlor/templates/misc/configfiles/debian_wheezy/dovecot/etc_dovecot_conf.d_10-master.conf --- old/froxlor/templates/misc/configfiles/debian_wheezy/dovecot/etc_dovecot_conf.d_10-master.conf 2015-02-16 08:50:49.000000000 +0100 +++ new/froxlor/templates/misc/configfiles/debian_wheezy/dovecot/etc_dovecot_conf.d_10-master.conf 2015-07-29 16:41:55.000000000 +0200 @@ -102,6 +102,7 @@ unix_listener auth-client { mode = 0660 user = mail + group = Debian-exim } # Auth process is run as this user. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/froxlor/webftp.php new/froxlor/webftp.php --- old/froxlor/webftp.php 2015-02-16 08:50:49.000000000 +0100 +++ new/froxlor/webftp.php 2015-07-29 16:41:55.000000000 +0200 
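Review bot: `{$navurl}` and `{$navlabel}` are printed in the new template without an escape modifier, and `webftp.php` builds `navurl` by concatenating `$currentDir`. Unless auto-escaping is enabled on this Smarty instance (not visible here), a directory name containing quotes or markup would break out of the `href` attribute. `<a href="{$navurl|escape:'html'}" {$target} class="menu">{$navlabel|escape:'html'}</a>` covers the two text values. `{$target}` has to stay raw if it carries a whole attribute, which deserves a template comment saying it must only ever receive fixed strings.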
@@ -664,15 +664,24 @@ $body .= $smarty->fetch('webftp/webftp_main_multiple.tpl'); } } - $smarty->assign('completeLink', '<a href="webftp.php?logoff=true">' . _('Logout') . '</a>'); - $navlinks = $smarty->fetch('navigation_link.tpl'); - $smarty->assign('completeLink', '<a href="webftp.php?webftp.php?action=mode&mode=FTP_BINARY&currentDir=' . $currentDir . '">' . _('Switch to BINARY mode') . '</a>'); - $navlinks .= $smarty->fetch('navigation_link.tpl'); - $smarty->assign('completeLink', '<a href="webftp.php?webftp.php?action=mode&mode=FTP_ASCII&currentDir=' . $currentDir . '">' . _('Switch to ASCII mode') . '</a>'); - $navlinks .= $smarty->fetch('navigation_link.tpl'); - $smarty->assign('completeLink', _('Main')); - $smarty->assign('navigation_links', $navlinks); - $smarty->assign('navigation', $smarty->fetch('navigation_element.tpl')); + + $smarty->assign('target', ''); + $smarty->assign('active', ''); + + $smarty->assign('navurl', 'webftp.php?logoff=true'); + $smarty->assign('navlabel', _('Logout')); + $navlinks = $smarty->fetch('navigation_link.tpl'); + $smarty->assign('navurl', 'webftp.php?webftp.php?action=mode&mode=FTP_BINARY&currentDir=' . $currentDir); + $smarty->assign('navlabel', _('Switch to BINARY mode')); + $navlinks .= $smarty->fetch('navigation_link.tpl'); + $smarty->assign('navurl', 'webftp.php?webftp.php?action=mode&mode=FTP_ASCII&currentDir=' . $currentDir); + $smarty->assign('navlabel', _('Switch to ASCII mode')); + $navlinks .= $smarty->fetch('navigation_link.tpl'); + $smarty->assign('navlabel', _('Main')); + $smarty->assign('navurl', "#"); + $smarty->assign('navigation_links', $navlinks); + $smarty->assign('navigation', $smarty->fetch('webftp/webftp_navigation_element.tpl')); + } else { $smarty->assign('errormessage', _('Login failed, please try again') . "\n"); ++++++ froxlor.sql.patch ++++++ --- /var/tmp/diff_new_pack.5wMgGk/_old 2015-08-10 09:16:23.000000000 +0200 +++ /var/tmp/diff_new_pack.5wMgGk/_new 2015-08-10 09:16:23.000000000 +0200 
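Review bot: The two mode links are assigned as `'webftp.php?webftp.php?action=mode&mode=FTP_BINARY&currentDir=' . $currentDir`, which carries the doubled `webftp.php?` over from the old markup and appends `$currentDir` without URL-encoding. The first query parameter is then not named `action`, and a directory name containing `&`, `#` or spaces alters the query string. `$smarty->assign('navurl', 'webftp.php?action=mode&mode=FTP_BINARY&currentDir=' . rawurlencode($currentDir));`, and the same for `FTP_ASCII`, would fix both. How `$currentDir` is derived, and whether it is already encoded, lies outside the hunk.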
@@ -0,0 +1,72 @@ +--- install/froxlor.sql.orig 2015-07-31 11:42:46.392044106 +0200 ++++ install/froxlor.sql 2015-07-31 11:55:10.560795135 +0200 +@@ -1,3 +1,15 @@ ++# change path from /var to /srv ++# webspaces: /srv/customers/webs ++# logs: /srv/customers/logs/ ++# mails: /srv/customers/mail/ ++# tmp: /srv/customers/tmp ++# cgi: /srv/www/cgi-bin/ ++# fcgi: /srv/www/php-fcgi-scripts ++# backup: /srv/customers/backups/ ++# doc documentroot_prefix /srv/customers/webs/ ++# asemen 20150731 ++ ++ + DROP TABLE IF EXISTS `ftp_groups`; + CREATE TABLE `ftp_groups` ( + `id` int(20) NOT NULL auto_increment, +@@ -385,7 +397,7 @@ + ('customredirect', 'enabled', '1'), + ('customredirect', 'default', '1'), + ('perl', 'suexecworkaround', '0'), +- ('perl', 'suexecpath', '/var/www/cgi-bin/'), ++ ('perl', 'suexecpath', '/srv/www/cgi-bin/'), + ('login', 'domain_login', '0'), + ('login', 'maxloginattempts', '3'), + ('login', 'deactivatetime', '900'), +@@ -398,13 +410,13 @@ + ('phpfpm', 'min_spare_servers', '5'), + ('phpfpm', 'max_spare_servers', '35'), + ('phpfpm', 'max_requests', '0'), +- ('phpfpm', 'tmpdir', '/var/customers/tmp/'), ++ ('phpfpm', 'tmpdir', '/srv/customers/tmp/'), + ('phpfpm', 'peardir', '/usr/share/php/:/usr/share/php5/'), + ('phpfpm', 'enabled_ownvhost', '0'), + ('phpfpm', 'vhost_httpuser', 'froxlorlocal'), + ('phpfpm', 'vhost_httpgroup', 'froxlorlocal'), + ('phpfpm', 'idle_timeout', '30'), +- ('phpfpm', 'aliasconfigdir', '/var/www/php-fpm/'), ++ ('phpfpm', 'aliasconfigdir', '/srv/www/php-fpm/'), + ('phpfpm', 'defaultini', '1'), + ('phpfpm', 'vhost_defaultini', '2'), + ('phpfpm', 'fastcgi_ipcdir', '/var/lib/apache2/fastcgi/'), +@@ -412,14 +424,14 @@ + ('nginx', 'fastcgiparams', '/etc/nginx/fastcgi_params'), + ('system', 'lastaccountnumber', '0'), + ('system', 'lastguid', '9999'), +- ('system', 'documentroot_prefix', '/var/customers/webs/'), +- ('system', 'logfiles_directory', '/var/customers/logs/'), ++ ('system', 'documentroot_prefix', '/srv/customers/webs/'), ++ 
('system', 'logfiles_directory', '/srv/customers/logs/'), + ('system', 'ipaddress', 'SERVERIP'), + ('system', 'apachereload_command', '/etc/init.d/apache2 reload'), + ('system', 'last_traffic_run', '000000'), + ('system', 'vmail_uid', '2000'), + ('system', 'vmail_gid', '2000'), +- ('system', 'vmail_homedir', '/var/customers/mail/'), ++ ('system', 'vmail_homedir', '/srv/customers/mail/'), + ('system', 'vmail_maildirname', 'Maildir'), + ('system', 'bind_enable', '1'), + ('system', 'bindconf_directory', '/etc/bind/'), +@@ -440,8 +452,8 @@ + ('system', 'apacheconf_htpasswddir', '/etc/apache2/htpasswd/'), + ('system', 'webalizer_quiet', '2'), + ('system', 'last_archive_run', '000000'), +- ('system', 'mod_fcgid_configdir', '/var/www/php-fcgi-scripts'), +- ('system', 'mod_fcgid_tmpdir', '/var/customers/tmp'), ++ ('system', 'mod_fcgid_configdir', '/srv/www/php-fcgi-scripts'), ++ ('system', 'mod_fcgid_tmpdir', '/srv/customers/tmp'), + ('system', 'ssl_cert_file', '/etc/apache2/apache2.pem'), + ('system', 'use_ssl', '0'), + ('system', 'default_vhostconf', ''), ++++++ froxlor.suse.adapt.template.config.tar.bz2 ++++++ ++++ 2305 lines of diff (skipped)
