froxlor security release 2.3.4

• [security] fix validation of email and url fields in settings, properly escape shell arguments in config-services and acme.sh installation

  • CVE / report will be published on 3rd of March for admins to have time to update

• [cron] avoid endless rebuilding of vhost if let's encrypt is globally disabled and activated for froxlor-vhost; fixes #1382

• [config] use correct and safe permissions for /etc/dovecot/conf.d/99-froxlor.conf in trixie, fixes #1380

• [cron] fix undefined index 'email_only' in Dns for froxlor-hostname

• [ui] fix viewing access/error logs for subdomains as customer

• [cron] avoid 'request_slowlog_timeout' can't be greater than 'request_terminate_timeout' issues in php-fpm; fixes #1378

froxlor maintenance release 2.3.3

What's Changed

• fixes in FCGID permissions
• correctly trigger rebuild of vhost generation in Domains.update
• fix guessed myhostname value for postfix in debian trixie
• Update czech translation by @rex2630 in #1371
• Lng hu updates 2.3.1 by @kissgyula in #1374

Full Changelog: 2.3.2...2.3.3

Froxlor bugfix release 2.3.2

What's Changed

• Permissions on the parent directory of the configdir are too strict by @RipClaw2971 in #1367
• Installer throws a 500 error in version 2.3.1 but works with version 2.3.0 by @RipClaw2971 in #1368

Full Changelog: 2.3.1...2.3.2

Froxlor maintenance release 2.3.1

What's Changed

• Fix empty PATH_INFO fastcgi_param in nginx by @bashgeek in #1357
• Fix implicitly marked variables as null by @bashgeek in #1359
• Enhance session path validation in PhpSessionclean by @ZARk-be in #1360
• fix froxlor (an probably many others) on http3: populate [HTTP_HOST] by @realrellek in #1361
• Fix pop3_logout_format for Dovecot 2.4 by @bashgeek in #1363
• Remove curl_close() calls, has been not doing anything since 8.0 and is now officiall deprecated by @bashgeek in #1364
• Remove http3_hq from vhost by @realrellek in #1366
• Add 'always' to add_header for HSTS and h3 by @realrellek in #1365

New Contributors

• @ZARk-be made their first contribution in #1360

Full Changelog: 2.3.0...2.3.1

froxlor 2.3 – SSH-key management, API upgrades, HTTP/3 & Debian 13 support

What's Changed

• Bump form-data from 4.0.2 to 4.0.4 by @dependabot[bot] in #1341
• Bump vite from 6.3.5 to 6.3.6 by @dependabot[bot] in #1347
• Add nginx HTTP/3 support by @lukasbableck in #1285
• Changing sendmail default to postmaster@DOMAIN (#1349) by @realrellek in #1350
• Bump vite from 6.3.6 to 6.4.1 by @dependabot[bot] in #1353

New Contributors

• @realrellek made their first contribution in #1350

Full Changelog: 2.2.8...2.3.0

froxlor 2.3 RC – SSH-key management, API upgrades, HTTP/3 & Debian 13 support

What's Changed

• Bump form-data from 4.0.2 to 4.0.4 by @dependabot[bot] in #1341
• Bump vite from 6.3.5 to 6.3.6 by @dependabot[bot] in #1347
• Add nginx HTTP/3 support by @lukasbableck in #1285
• Changing sendmail default to postmaster@DOMAIN (#1349) by @realrellek in #1350
• Bump vite from 6.3.6 to 6.4.1 by @dependabot[bot] in #1353

New Contributors

• @realrellek made their first contribution in #1350

Full Changelog: 2.2.8...2.3.0-rc1

Official Announcement

See Forum

Froxlor maintenance release 2.2.8

What's Changed

• Bump league/commonmark from 2.6.2 to 2.7.0 by @dependabot in #1329
• Update for Hungarian language by @kissgyula in #1330
• Relax dkim_entry visibilty for admins in domain editor like it is for customers by @dtugend in #1336

New Contributors

• @dtugend made their first contribution in #1336

Full Changelog: 2.2.7...2.2.8

Froxlor bugfix release 2.2.7

What's Changed

• Explicitely mark nullable type parameters as such by @bashgeek in #1313
• Bump vite from 6.2.0 to 6.2.4 by @dependabot in #1320
• Bump axios from 1.8.1 to 1.8.2 by @dependabot in #1321
• Bump vite from 6.2.4 to 6.2.5 by @dependabot in #1322
• Bump vite from 6.2.5 to 6.2.6 by @dependabot in #1323
• Bump vite from 6.2.6 to 6.3.4 by @dependabot in #1327

Full Changelog: 2.2.6...2.2.7

Froxlor bugfix release 2.2.6

New:

• [settings] add new settings to set default values for customer antispam options for new email addresses (settings advanced-mode)
• [cron] add new task to (re)configure mail/ftp services with let's encrypt; refs #1297
• [system] allow admins without change-serversettings to adjust dkim flag of domains
• [ui] hide webserver-ssl-options for new domains if no default ssl-ip-addresses are selected in the settings
• [languages] added Hungarian translation (#1310)

Security:

• force admin email addresses to be unique and not be used for customers, fixes GHSA-7j6w-p859-464f
• do not output potentially unsafe content, fixes GHSA-26xq-m8xw-6373

Fixes:

• show necessary dns entries for mail/antispan also in admin-view of domain
• fix empty firstname/name but set company when editing a customer via API
• allow cidr (forward slash) in spf settings-regex; fixes #1295
• correctly create ssl-redirect if let's encrypt is already activated; fixes #1294
• set sender-address of emails which were sent using an admin/a reseller to the global settings email so sending it using provided smtp - settings will not fail antispam checks; fixes #1289
• fix permissions of global mysql-user for customers; fixes #1286
• can-edit-domain is not required to create subdomains of that domain if subdomains are allowed
• set cookie SameSite option to 'Lax' for loginlinks to work as intended; fixes #1299
• corrected regex for dns CAA entries; fixes #1300
• add safety when unsetting isemaildomain flag in domain, fixes #1305
• fix deletion of webserver-logfiles when customer gets deleted, thx to irisdina
• fix plaintext-mail content, thx to AlexL
• fix 'show necessary dns entries for mail/antispan also in admin-view of domain' if bind is enabled but domain is not using nameserver

Full Changelog: 2.2.5...2.2.6

2.2.5

• fixed editing email-address catchall-flag not working - #1288
• fixed wrong settings-index-name for apache-2.4 flag - #1290

Full Changelog: 2.2.4...2.2.5