OpenPaaS 1.6 – Etamin

These are the release notes for version 1.6 of OpenPaaS, codenamed Etamin. The team spent most of this cycle on infrastructure and deployment, so the batch of new features is small; in return, numerous bugs reported by users have been fixed.

Bugfix releases

1.6.1 – 2019/01/10

  • Infinite scrolling of the quarantine email list is broken (linagora.esn.unifiedinbox.james#19)
  • The system shows a message saying the attendee is busy when a user adds a resource to an event, even though the resource is free (linagora.esn.calendar#1718)
  • Check user permissions before granting an API token to interact with the James server (linagora.esn.james#28)
  • CalDAV: unable to synchronize data updates from clients (Outlook/Thunderbird/DAVx5) to the server (linagora.esn.calendar#1728)
  • Cannot load/update the domain quota (linagora.esn.james#29)
  • [Data Leak Protection] Correct the response when getting an unknown rule id (linagora.esn.james#32)

Install and test

To install and test this version, you need git and Docker (with docker-compose) on a Linux system. Then run:

git clone https://github.com/linagora/openpaas-esn.git
cd openpaas-esn
git checkout 1.6.1                 # the release tag, not the development branch
PROVISION=true docker-compose up   # PROVISION=true seeds the instance with initial data on first start
 
Download

The release is composed of three Docker images, listed here with their content digests:

james-project:openpaas-1.6.0 – https://hub.docker.com/layers/linagora/james-project/openpaas-1.6.0/images/sha256-33bb00e10631023355f56680e4d57f924f00104275054113e4071e7e433cd83c

esn-sabre:1.6.1 – https://hub.docker.com/layers/linagora/esn-sabre/1.6.1/images/sha256-16ee5e653831a6dfd84cb85b195b4e324f4d59ebe95c30b9002b556119ca30cd

esn:1.6.1 – https://hub.docker.com/layers/linagora/esn/1.6.1/images/sha256-8175982c7fb1f1f23b5ec108b2b86a60342a99bdb1a6c66963c04654b0bca462

1.6.0 Changelog

Platform components update

The OpenPaaS components now rely on RabbitMQ version 3.8.

The summer libraries update ran again this year, and the OpenPaaS Node server has updated dependencies, such as Socket.io.

Addressbook

• Domain members addressbook

The members of an OpenPaaS domain are now exposed as a CardDAV addressbook, so users can keep the member list synchronized on their mobile devices and desktop clients.

Platform

• People resolver API

There is now a clean and efficient REST API to search everything related to People objects: users, contacts, resources and groups. The OpenPaaS web frontend uses this API.

• Domain aliases

The platform administrator can manage the email aliases of their domain.

Email

• ElasticSearch optimizations

Email search has been improved through better indexing of emails and attachments in the ElasticSearch server.

Security check

We ran the software against OWASP ZAP (Zed Attack Proxy). You can find the attack report here. Below are the development team's comments on the High and Medium alerts, each listed the way ZAP reports it, as Risk (Confidence).

High (Medium) – SQL Injection

This is a false positive: our calendaring and addressbook engine does not use an SQL backend. The test did, however, highlight a lack of type validation of user input, with the side effect that a maliciously forged query makes the server answer 500 instead of 400. We opened an issue on our internal issue tracker to enforce type checks on incoming parameters.

High (Medium) – Path Traversal

This is a false positive. Our Calendar and Addressbook engine implements the WebDAV-based protocols, whose namespace is a filesystem-like representation; what a user may navigate to inside that namespace is enforced by ACLs.

Medium (High) – Session ID in URL Rewrite

This is a false positive. Our frontend uses Socket.io for websocket communication with the server. Socket.io has its own session implementation for progressive enhancement of the connection, from short polling to websocket, and the identifier ZAP flagged is that transport session's id, carried as the sid query parameter while the connection is still polling. There is, to our knowledge, no vulnerability open on the Socket.io website regarding its token system. Moreover, we upgraded our Socket.io version during the summer libraries update sprint.

Medium (Medium) – X-Frame-Options Header Not Set

This is a true positive. We opened an issue in our internal issue tracker to add this header in our deployment manifests.

Medium (Medium) – CSP Scanner: Wildcard Directive

This is a true positive. We opened an issue in our internal issue tracker to add a correct Content-Security-Policy header in our deployment manifests.
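
Once the headers are added to the manifests, the two alerts above (X-Frame-Options Header Not Set, CSP Scanner: Wildcard Directive) can be re-checked locally without another full ZAP run. The code below is an added example, not part of the release notes or the OpenPaaS code base: a small audit of a response's headers that approximates ZAP's two rules (it is not ZAP's code), run over a constructed weak header set of the kind that raises both alerts and over a constructed hardened set. The hardened CSP assumes a same-origin single-page application; any extra origin the real frontend needs would have to be added explicitly.

```javascript
// Added example, not part of the release notes or the OpenPaaS code base:
// a local re-check of the X-Frame-Options and CSP wildcard alerts. The
// wildcard logic approximates ZAP's rule; the header sets are constructed.
'use strict';

// CSP fetch directives that inherit from default-src when absent.
const FETCH_DIRECTIVES = [
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'object-src', 'frame-src', 'worker-src', 'manifest-src',
];

// "default-src 'self'; script-src 'self' cdn.example" -> Map(directive -> [sources])
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// '*' or a bare scheme ('https:', 'http:') admits any host, i.e. a wildcard.
function isWildcard(sources) {
  return sources.some((s) => s === '*' || /^https?:$/i.test(s));
}

// Returns a list of findings; empty when both alerts are addressed.
function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  const findings = [];
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;

  // Framing: X-Frame-Options, or a non-wildcard frame-ancestors, must be present.
  const frameAncestors = csp && csp.get('frame-ancestors');
  if (!h['x-frame-options'] && !(frameAncestors && !isWildcard(frameAncestors))) {
    findings.push('X-Frame-Options not set and no restrictive frame-ancestors');
  }

  if (!csp) {
    findings.push('Content-Security-Policy not set');
    return findings;
  }
  const fallback = csp.get('default-src');
  for (const directive of FETCH_DIRECTIVES) {
    const sources = csp.get(directive) || fallback;
    if (!sources) {
      findings.push(`CSP: ${directive} undefined and no default-src (anything allowed)`);
    } else if (isWildcard(sources)) {
      findings.push(`CSP: ${directive} allows a wildcard source (${sources.join(' ')})`);
    }
  }
  return findings;
}

// Constructed: roughly what a response looks like when ZAP raises both alerts.
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "default-src *; script-src 'self' 'unsafe-inline' *",
};

// Constructed hardened set for a same-origin single-page app. Origins the
// frontend really needs (a separate Socket.io or CDN host) must be listed
// explicitly rather than admitted via '*'.
function hardenedHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': [
      "default-src 'self'",
      "script-src 'self'",
      "style-src 'self'",
      "img-src 'self' data:",
      "connect-src 'self'",
      "object-src 'none'",
      "frame-ancestors 'none'",
      "base-uri 'self'",
      "form-action 'self'",
    ].join('; '),
  };
}

console.log('weak:', auditSecurityHeaders(WEAK_HEADERS));
console.log('hardened:', auditSecurityHeaders(hardenedHeaders()));
```

A directive that is merely absent is reported too: with default-src * every fetch directive that is not spelled out inherits the wildcard, which is why fixing only script-src would still leave ZAP's alert open.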

Medium (Medium) – Format String Error

This is a false positive. However, as with the SQL Injection alert, the test highlighted a lack of type validation of user input, with the side effect that a maliciously forged query makes the server answer 500 instead of 400. We opened an issue on our internal issue tracker to enforce type checks on incoming parameters.

Medium (Low) – Directory Browsing

This is a false positive. Everything below the "/generated" path is generated by code and does not reflect any filesystem on the underlying server; this is how the system serves concatenated JavaScript files to the frontend.

Install and test

To install and test OpenPaaS 1.6.0, you need git and Docker (with docker-compose) on a Linux system. Then run:

git clone https://github.com/linagora/openpaas-esn.git
cd openpaas-esn
git checkout 1.6.0                 # the release tag, not the development branch
PROVISION=true docker-compose up   # PROVISION=true seeds the instance with initial data on first start