Merge branch 'main' into release

Author: jaapmarcus

.drone.yml

@@ -115,7 +115,13 @@ steps:
       - ./test/check_php.sh ./web/
 
 trigger:
-   event: [ pull_request, push ] 
+      event: [ pull_request, push ]
+      ref:
+      - refs/heads/staging/*
+      - refs/heads/beta
+      - refs/heads/release
+      - refs/heads/main
+      - refs/pull/*/head
 
 ---
 kind: pipeline
@@ -167,4 +173,4 @@ trigger:
 
 ---
 kind: signature
-hmac: 980aea20314dab4328b0016eb35fa3ef18fdd46e5d891c7ab3809f704891e72b
+hmac: a191a477aa337f2efff534022164906ff20ef2b6340ec808d128c09a06d7eaa3

CHANGELOG.md

@@ -1,6 +1,42 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.6.3] - Service release 
+
+### Features
+
+- Add additional support for bcrypt for mail passwords (#2752 @divinity76)
+
+### Enhancements 
+
+- Simplify md5crypt on reset form email (#2751 @divinity76)
+- Use secure RNG to generate passwords (#2726)
+- Add twig support filemanger (#2714, @anvme)
+
+### Bugfixes
+
+- Fixed an issue with restart Apache2 and Nginx after v-update-letsencrypt (#2748, #2563, #2744, #2677)
+- Prevent transversing path in Quick installer apps (#2742)
+- Avoid out of memory serving large logfiles (#2741, #2736,  @divinity76
+- Improve passwords loading in password_valid (#2739)
+- Use secure RNG to generate passwords (#2726)
+- Utilise entire alphabet for random string (#2735 @Shadowfied)
+- Don't use hosts_try_fastopen in Exim for Gmail / Google hostnames
+- Add check if Sieve is already installed (#2719  #manuelserol)
+- Allow PHP templates to be selected in Quick installer apps (#2713, #2711, #2690)
+- Small changes to translation strings (#2700 @V4M0N0S)
+- Rate limit in email address blank in UI (saved correct in limits) (#2710, #2707)
+- Fixed a bug in Settings sites where always websites got rebuild on save (#2705, #2710)
+- Fixed a bug in Weblog where the session got incorrectly reset as admin user (#2710)
+- Prevent v-add-web-php to be used for non fpm installs (#2753)
+- Update translations (#2750)
+- Chmod o+x .ssh folder when creating file manager ssh key (#2755)
+
+### Dependencies
+
+- Update hestia-php to 8.1.8 
+    - Update disable_functions list php.ini for hestia-php (#2746, #2741)
+
 ## [1.6.2] - Service release
 
 - Fixed an issue with rate limits in Exim4 and make it more bullet proof (#2703)

README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.6.2 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.6.3 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>
@@ -24,24 +24,21 @@ Features and Services
 * Apache2 and NGINX with PHP-FPM
 * Multiple PHP versions (5.6 - 8.1, 8.0 as default)
 * DNS Server (Bind) with clustering capabilities
-* POP/IMAP/SMTP mail services with Anti-Virus, Anti-Spam, and Webmail (ClamAV, SpamAssassin, Sieve, Roundcube, Rainloop)
+* POP/IMAP/SMTP mail services with Anti-Virus, Anti-Spam, and Webmail (ClamAV, SpamAssassin, Sieve, Roundcube)
 * MariaDB and/or PostgreSQL databases
 * Let's Encrypt SSL support with wildcard certificates
 * Firewall with brute-force attack detection and IP lists (iptables, fail2ban, and ipset).
 
 Supported platforms and operating systems
 ========================================================
 
-AMD (x86_64 Intel/AMD)
-----------------------------
-* **Debian:** 11 or 10
-* **Ubuntu:** 22.04LTS, 20.04 LTS or 18.04 LTS
+* **NOTE:** Hestia Control Panel does not support 32 bit operating systems!
 
-ARM64 (arm64)
-----------------------------
 * **Debian:** 11 or 10
 * **Ubuntu:** 22.04LTS, 20.04 LTS or 18.04 LTS
 
+* **NOTE:** Hestia Control Panel in combination with OpenVZ 7 or lower might have issue Bind9 server not starting or issues with Firewall. If you use a Virtual Private Server we strongly advice you to use something based on KVM or LXC!
+
 Installing Hestia Control Panel
 ============================
 

bin/v-add-letsencrypt-domain

@@ -520,20 +520,20 @@ fi
 
 # Adding SSL
 if [ -z "$mail" ]; then
-    ssl_home=$(search_objects 'web' 'LETSENCRYPT' 'yes' 'SSL_HOME')
+    ssl_home="$(get_object_value 'web' 'DOMAIN' "$domain" '$SSL_HOME')"
     ssl_enabled="$(get_object_value 'web' 'DOMAIN' "$domain" '$SSL')"
     if [ "$ssl_enabled" = "yes" ]; then 
-        $BIN/v-update-web-domain-ssl "$user" "$domain" "$ssl_dir" "$ssl_home" "updatessl" 
+        $BIN/v-update-web-domain-ssl "$user" "$domain" "$ssl_dir" "updatessl" 
     else
         $BIN/v-add-web-domain-ssl "$user" "$domain" "$ssl_dir" "$ssl_home" "updatessl" 
     fi
  else
  # TODO replace with v-update-mail-domain-ssl if ssl is enabled
     ssl_enabled="$(get_object_value 'mail' 'DOMAIN' "$root_domain" '$SSL')"
     if [ "$ssl_enabled" = "yes" ]; then 
-        $BIN/v-update-mail-domain-ssl "$user" "$root_domain" "$ssl_dir" "$ssl_home" "updatessl" 
+        $BIN/v-update-mail-domain-ssl "$user" "$root_domain" "$ssl_dir" "updatessl" 
     else
-        $BIN/v-add-mail-domain-ssl "$user" "$root_domain" "$ssl_dir" "$ssl_home" "updatessl" 
+        $BIN/v-add-mail-domain-ssl "$user" "$root_domain" "$ssl_dir" "updatessl" 
     fi
 fi
 

bin/v-add-mail-account

@@ -66,11 +66,16 @@ check_hestia_demo_mode
 #----------------------------------------------------------#
 
 # Generating hashed password
-if [ -n "$(doveadm pw -l | grep ARGON2ID)" ]; then
+
+if [ -n "$(doveadm pw -l | grep BLF-CRYPT)" ]; then
+    set +H # disable ! style history substitution
+    md5="$(doveadm pw -s BLF-CRYPT -p "$password")"
+elif [ -n "$(doveadm pw -l | grep ARGON2ID)" ]; then
+    # Fall back on Argon2id if bcrypt is not available
     set +H # disable ! style history substitution
-    md5="$(doveadm pw -s ARGON2ID -p $password)"
+    md5="$(doveadm pw -s ARGON2ID -p "$password")"
 else
-    # Fall back on MD5
+    # Fall back on MD5 if neither bcrypt nor argon2id is available
     salt=$(generate_password "$PW_MATRIX" "8")
     md5="{MD5}$($BIN/v-generate-password-hash md5 $salt <<<$password)"
 fi

bin/v-add-web-php

@@ -27,6 +27,10 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 check_args '1' "$#" 'VERSION'
 
+if [ -z "$WEB_BACKEND" ]; then
+    echo "Multiple php versions are not supported for modphp"
+fi
+
 # Set file locations
 php_fpm="/etc/init.d/php$version-fpm"
 

bin/v-change-mail-account-password

@@ -56,10 +56,15 @@ check_hestia_demo_mode
 #----------------------------------------------------------#
 
 # Generating hashed password
-if [ -n "$(doveadm pw -l | grep ARGON2ID)" ]; then
+if [ -n "$(doveadm pw -l | grep BLF-CRYPT)" ]; then
     set +H # disable ! style history substitution
-    md5="$(doveadm pw -s ARGON2ID -p $password)"
+    md5="$(doveadm pw -s BLF-CRYPT -p "$password")"
+elif [ -n "$(doveadm pw -l | grep ARGON2ID)" ]; then
+    # Fall back on Argon2id if bcrypt is not available
+    set +H # disable ! style history substitution
+    md5="$(doveadm pw -s ARGON2ID -p "$password")"
 else
+    # Fall back on MD5 if neither bcrypt nor argon2id is available
     salt=$(generate_password "$PW_MATRIX" "8")
     md5="{MD5}$($BIN/v-generate-password-hash md5 $salt <<<$password)"
 fi

bin/v-change-mail-account-rate-limit

@@ -24,6 +24,8 @@ source /etc/hestiacp/hestia.conf
 source $HESTIA/func/main.sh
 # shellcheck source=/usr/local/hestia/func/domain.sh
 source $HESTIA/func/domain.sh
+# shellcheck source=/usr/local/hestia/func/syshealth.sh
+source $HESTIA/func/syshealth.sh
 # load config file
 source_conf "$HESTIA/conf/hestia.conf"
 
@@ -82,6 +84,8 @@ if [[ "$rate" = "system" ]]; then
     rate=''
 fi
 
+syshealth_repair_mail_account_config
+
 # Update quota
 update_object_value "mail/$domain" 'ACCOUNT' "$account" '$RATE_LIMIT' "$rate"
 

bin/v-check-mail-account-hash

@@ -35,19 +35,28 @@ is_password_valid
 #                       Action                             #
 #----------------------------------------------------------#
 
-if [ "$type" = "ARGONID2" ]; then
-    match=$(doveadm pw -s ARGON2ID -p $password -t $hash | grep "verified");
+if [ "$type" = "BCRYPT" ]; then
+    match=$(doveadm pw -s BLF-CRYPT -p "$password" -t $hash | grep "verified");
+    if [ -n "$match" ]; then
+        exit 0;
+    else
+        echo $match;
+        exit 2;
+    fi
+elif [ "$type" = "ARGONID2" ]; then
+    match=$(doveadm pw -s ARGON2ID -p "$password" -t $hash | grep "verified");
     if [ -n "$match" ]; then
         exit 0;
     else
         echo $match;
         exit 2;
     fi
 else
-    echo "Not supported"
+    echo "unsupported hash type.";
     exit 2;
 fi
 
+
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#

bin/v-delete-web-php

@@ -28,6 +28,10 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 check_args '1' "$#" 'VERSION'
 
+if [ -z "$WEB_BACKEND" ]; then
+    echo "Multiple php versions are not supported for modphp"
+fi
+
 # Set file locations
 php_fpm="/etc/init.d/php$version-fpm"