OpenPaaS 1.6 – Etamin

This is the release notes of the version 1.6 of OpenPaaS, codenamed Etamin. The team has worked a lot on infrastructure and deployment, thus there is not a big batch of features. However, the team fixed numerous bugs in response to users feedback.

Bugfix releases

1.6.1 – 2019/01/10

  • infinite-scrolling of quarantine email list is broken (linagora.esn.unifiedinbox.james#19)
  • System prompts message telling that attendee is busy when user adds resource to event even though the resource is free (linagora.esn.calendar#1718)
  • check user permissions before granting an API token to interact with the James server (linagora.esn.james#28)
  • CalDAV > Unable to synchronize data updates from Client (Outlook/ Thunderbird/DAVx5) to Server (linagora.esn.calendar#1728)
  • cannot load/update domain quota (linagora.esn.james#29)
  • [Data Leak Protection] Correct the response when get an unknown rule Id  (linagora.esn.james#32)

Install and test

To install and test this version, you need git as well as docker on a Linux system. The:

git clone https://github.com/linagora/openpaas-esn.git
cd openpaas-esn
git checkout 1.6.1
PROVISION=true docker-compose up

Download

The three Docker artefacts composing the release are:

james-project:openpaas-1.6.0 – https://hub.docker.com/layers/linagora/james-project/openpaas-1.6.0/images/sha256-33bb00e10631023355f56680e4d57f924f00104275054113e4071e7e433cd83c

esn-sabre:1.6.1 – https://hub.docker.com/layers/linagora/esn-sabre/1.6.1/images/sha256-16ee5e653831a6dfd84cb85b195b4e324f4d59ebe95c30b9002b556119ca30cd

esn:1.6.1 – https://hub.docker.com/layers/linagora/esn/1.6.1/images/sha256-8175982c7fb1f1f23b5ec108b2b86a60342a99bdb1a6c66963c04654b0bca462

 

1.6.0 Changelog

Platform components update

The OpenPaaS components now relies on RaabitMQ version 3.8.

The Summer libraries update ran this year again, and OpenPaaS Node server has updated dependencies, like for example Socket.io.

Addressbook

Domain members addressbook

The members of an OpenPaaS domain are now exposed as a CardDAV addressbook. This allows the users to have the list of members synchronized on their mobile devices and desktop clients.

Platform

People resolver API

There is now a clean and efficient Rest API to search for everything related to People objects: users, contacts, resources and groups. This API is used in the OpenPaaS web frontend.

Domain aliases

The platform administrator can manage the email aliases of its domain.

Email

ElasticSearch optimizations

The email search has been improved by a better indexing of email and attachments inside the ElasticSearch server.

Security check

We ran the software against the OWASP Zap Zed Attack Proxy software. You can find here the attack report. Below are the development team comments regarding the High and Medium vulnerabilities.

High (Medium) – SQL Injection

This is a false positive. Our calendaring and addressbook engine does not use an SQL backend. However, this test highlighted a lack of type validation in user input, having the side effect of the server answering a 500 error instead of a 400 error in case of malicious forged queries. We opened an issue on our internal issue tracker to enforce type check on incoming parameters.

High (Medium) – Path Traversal

This is a false positive. Our Calendar and ADdressbook engine respects the WebDAV based protocol, which is a filesystem representation. User navigation inside is filesystem is enforced by ACLs.

Medium (High) – Session ID in URL Rewrite

This is a false positive. Our frontend uses Socket.io to ensure websocket communication with the server. Socket.io has its implementation of session for progressive enhancement of the connection, from short polling to websocket. There is not, to our knowledge, a vulnerability opened on Socket.io website regarding a vulnerability linked to its token system. Moreover, we upgraded our Socket.io version durint the summer libraries updates sprint.

Medium (Medium) – X-Frame-Options Header Not Set

This is a positive alert. We opened an issue in our internal issue tracker to add this header in our deployment manifests.

Medium (Medium) – CSP Scanner: Wildcard Directive

This is a positive alert. We opened an issue in our internal issue tracker to add the correct Content-Security-Policy header in our deployment manifests.

Medium (Medium) – Format String Error

This is a false positive. However, this test highlighted a lack of type validation in user input, having the side effect of the server answering a 500 error instead of a 400 error in case of malicious forged queries. We opened an issue on our internal issue tracker to enforce type check on incoming parameters.

Medium (Low) – Directory Browsing

This is a false positive. All the data below the “/generated” path is generated by code and does not reflect of any filesystem on the underlying server. This is how the system sends concatenated JavaScript files to the frontend.

Install and test

To install and test OpenPaaS, you need git as well as docker on a Linux system. The:

git clone https://github.com/linagora/openpaas-esn.git
cd openpaas-esn
git checkout 1.6.0
PROVISION=true docker-compose up

Download

The three Docker artefacts composing the release are:

james-project:openpaas-1.6.0 – https://hub.docker.com/layers/linagora/james-project/openpaas-1.6.0/images/sha256-33bb00e10631023355f56680e4d57f924f00104275054113e4071e7e433cd83c

esn-sabre:1.6.0 – https://hub.docker.com/layers/linagora/esn-sabre/1.6.0/images/sha256-ed8b5f3e70638d1c7bb45672440ab6e42e947afaae06dad07296bcb78711e88e

esn:1.6.0 – https://hub.docker.com/layers/linagora/esn/1.6.0/images/sha256-ee83cb0d653154060c12a12052cd7d9558a6f3c9f73020b53faefe6495426e44