Merge branch 'main' into release

Author: jaapmarcus

.drone.yml

@@ -160,7 +160,7 @@ steps:
         port: 22
         command_timeout: 2m
         script:
-            - freight-add ./hestia/*.deb apt/bionic apt/focal apt/strech apt/buster apt/bullseye
+            - freight-add ./hestia/*.deb apt/bionic apt/focal apt/stretch apt/buster apt/bullseye
             - freight-cache
             - rm -fr ./hestia/
 
@@ -169,4 +169,4 @@ trigger:
 
 ---
 kind: signature
-hmac: 31806a1e5357c43d17d24ef797995fb9952a1d883ad282fd152d7d0378112213
+hmac: 07f845f902f859c97c78a346d340f7fb8d4b1242581a242e592b149c13428f50

CHANGELOG.md

@@ -1,6 +1,20 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.5.9] - Service release
+
+### Bugfixes
+
+- Fixed multiple XSS vulnerabilities in the web user interface. [CVE-2022-0752](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0752) / [CVE-2022-0753](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0753)
+- Fixed an issues with mariadb.sys user didn't work properly on MariaDB 10.6.x installs #2427
+- Change ipverse.net urls to new format hosted on Github #2429 and forum
+- Allow PTR to be used on domain.com 
+
+### Dependencies
+
+- Update PHPMailer to 6.6.0 (https://github.com/PHPMailer/PHPMailer/releases/tag/v6.6.0)
+- Update Filegator to 7.7.2 (https://github.com/filegator/filegator/releases/tag/v7.7.2)
+
 ## [1.5.8] - Service release
 
 ### Features

README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.5.8 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.5.9 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>

bin/v-list-sys-services

@@ -230,19 +230,24 @@ if [ -n "$DB_SYSTEM" ] && [ "$DB_SYSTEM" != 'remote' ]; then
         service="$db"
         proc_name=''
         if [ "$service" = 'mysql' ]; then
-            if [ -d "/etc/sysconfig" ]; then
+            mysql_version=$(mysql -V)
+            mariadb_string="MariaDB"
+            if [[ ! $mysql_version =~ $mariadb_string ]]; then
+                # MySQL
                 service='mysqld'
                 proc_name='mysqld'
-            fi
-            if [ -e "/lib/systemd/system/mariadb.service" ]; then
-                service='mariadb'
-                proc_name='mysqld'
-            fi
-            if [ -f /usr/bin/mysql ]; then
-                mariadb_v=`mysql -V | awk 'NR==1{print $5}' | head -c 4`
-                if [ $mariadb_v = "10.5" ] || [ $mariadb_v = "10.6" ]; then
+            else
+                # MariaDB
+                if [ -e "/lib/systemd/system/mariadb.service" ]; then
                     service='mariadb'
-                    proc_name='mariadbd'
+                    proc_name='mysqld'
+                fi
+                if [ -f /usr/bin/mysql ]; then
+                    mariadb_v=`mysql -V | awk 'NR==1{print $5}' | head -c 4`
+                    if [ $mariadb_v = "10.5" ] || [ $mariadb_v = "10.6" ]; then
+                        service='mariadb'
+                        proc_name='mariadbd'
+                    fi
                 fi
             fi
         fi

func/domain.sh

@@ -584,7 +584,7 @@ is_dns_fqnd() {
     r=$2
     fqdn_type=$(echo $t | grep "NS\|CNAME\|MX\|PTR\|SRV")
     tree_length=3
-    if [[ $t = 'CNAME' || $t = 'MX' ]]; then
+    if [[ $t = 'CNAME' || $t = 'MX' || $t = 'PTR' ]]; then
         tree_length=2
     fi
 

func/upgrade.sh

@@ -556,7 +556,7 @@ upgrade_b2_tool(){
         if version_ge "$b2_version" "$b2_v"; then
             echo "[ * ] Backblaze CLI tool is up to date ($b2_v)..."
         else
-            echo "[ * ] Upgrading Backblaze CLI tool to version v$b2_v..."
+            echo "[ * ] Upgrading Backblaze CLI tool to version $b2_v..."
             rm $b2cli
             wget -O $b2cli $b2lnk > /dev/null 2>&1
             chmod +x $b2cli > /dev/null 2>&1
@@ -581,7 +581,7 @@ upgrade_phpmyadmin() {
             fi
         else
             # Display upgrade information
-            echo "[ * ] Upgrading phpMyAdmin to version v$pma_v..."
+            echo "[ * ] Upgrading phpMyAdmin to version $pma_v..."
             [ -d /usr/share/phpmyadmin ] || mkdir -p /usr/share/phpmyadmin
 
             # Download latest phpMyAdmin release
@@ -629,7 +629,7 @@ upgrade_filemanager() {
             fm_version="1.0.0"
         fi
         if [ "$fm_version" != "$fm_v" ]; then 
-            echo "[ ! ] Updating File Manager..."
+            echo "[ ! ] Upgrading File Manager to version $fm_v..."
             # Reinstall the File Manager
             $HESTIA/bin/v-delete-sys-filemanager quiet yes
             $HESTIA/bin/v-add-sys-filemanager quiet
@@ -657,7 +657,7 @@ upgrade_roundcube(){
         else
             rc_version=$(cat /var/lib/roundcube/index.php | grep -o -E '[0-9].[0-9].[0-9]+' | head -1);
             if [ "$rc_version" != "$rc_v" ]; then
-                echo "[ ! ] Upgrading Roundcube to version v$rc_v..."
+                echo "[ ! ] Upgrading Roundcube to version $rc_v..."
                 $HESTIA/bin/v-add-sys-roundcube
             else
                 echo "[ * ] Roundcube is up to date ($rc_v)..."
@@ -670,7 +670,7 @@ upgrade_rainloop(){
     if [ -n "$(echo "$WEBMAIL_SYSTEM" | grep -w 'rainloop')" ]; then
         rl_version=$(cat /var/lib/rainloop/data/VERSION);
         if [ "$rl_version" != "$rl_v" ]; then
-            echo "[ ! ] Upgrading Rainloop to version v$rl_v..."
+            echo "[ ! ] Upgrading Rainloop to version $rl_v..."
             $HESTIA/bin/v-add-sys-rainloop
         else
             echo "[ * ] Rainloop is up to date ($rl_v)..."
@@ -685,7 +685,7 @@ upgrade_phpmailer(){
     fi
     phpm_version=$(cat $HESTIA/web/inc/vendor/phpmailer/phpmailer/VERSION);
     if [ "$phpm_version" != "$pm_v" ]; then
-    echo "[ ! ] Upgrading PHPmailer..."
+    echo "[ ! ] Upgrading PHPmailer to version $pm_v..."
         $HESTIA/bin/v-add-sys-phpmailer
     else
         echo "[ * ] PHPmailer is up to date ($pm_v)..."

install/deb/phpmyadmin/hestia-sso.php

@@ -147,7 +147,11 @@ function session_invalid()
                 $user = $_GET['user'];
                 $host = 'localhost';
                 $token = $_GET['hestia_token'];
-                $time = $_GET['exp'];
+                if(is_numeric($_GET['exp'])){
+                    $time = $_GET['exp'];
+                }else{
+                    $time = 0; 
+                }
 
                 if ($time + 60 > time()) {
                     //note: Possible issues with cloudflare due to ip obfuscation

install/hst-install-debian.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.8'
+HESTIA_INSTALL_VER='1.5.9'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"
@@ -1508,6 +1508,7 @@ if [ "$mysql" = 'yes' ]; then
         mycnf="my-large.cnf"
     fi
 
+    # Run mysql_install_db 
     mysql_install_db >> $LOG
     # Remove symbolic link
     rm -f /etc/mysql/my.cnf
@@ -1520,16 +1521,20 @@ if [ "$mysql" = 'yes' ]; then
 
     # Securing MariaDB installation
     mpass=$(gen_pass)
-    mysqladmin -u root password $mpass >> $LOG
     echo -e "[client]\npassword='$mpass'\n" > /root/.my.cnf
     chmod 600 /root/.my.cnf
-
-    # Clear MariaDB Test Users and Databases
-    mysql -e "DELETE FROM mysql.user WHERE User=''"
-    mysql -e "DROP DATABASE test" > /dev/null 2>&1
+    
+    # Ater root password
+    mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$mpass'; FLUSH PRIVILEGES;"
+    # Remove root login from remote servers 
+    mysql -e "DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
+    # Disable anonymous users
+    mysql -e "DELETE FROM mysql.global_priv WHERE User='';"
+    # Drop test database
+    mysql -e "DROP DATABASE IF EXISTS test"
     mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
-    mysql -e "DELETE FROM mysql.user WHERE user='';"
-    mysql -e "DELETE FROM mysql.user WHERE password='' AND authentication_string='';"
+    
+    mysql -e "FLUSH PRIVILEGES;"
 fi
 
 

install/hst-install-ubuntu.sh

@@ -31,7 +31,7 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.5.8'
+HESTIA_INSTALL_VER='1.5.9'
 # Dependencies
 pma_v='5.1.3'
 rc_v="1.5.2"
@@ -1540,16 +1540,20 @@ if [ "$mysql" = 'yes' ]; then
 
     # Securing MariaDB installation
     mpass=$(gen_pass)
-    mysqladmin -u root password $mpass >> $LOG
     echo -e "[client]\npassword='$mpass'\n" > /root/.my.cnf
     chmod 600 /root/.my.cnf
-
-    # Clear MariaDB Test Users and Databases
-    mysql -e "DELETE FROM mysql.user WHERE User=''"
-    mysql -e "DROP DATABASE test" > /dev/null 2>&1
+    
+    # Ater root password
+    mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$mpass'; FLUSH PRIVILEGES;"
+    # Remove root login from remote servers 
+    mysql -e "DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
+    # Disable anonymous users
+    mysql -e "DELETE FROM mysql.global_priv WHERE User='';"
+    # Drop test database
+    mysql -e "DROP DATABASE IF EXISTS test"
     mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
-    mysql -e "DELETE FROM mysql.user WHERE user='';"
-    mysql -e "DELETE FROM mysql.user WHERE password='' AND authentication_string='';"
+    
+    mysql -e "FLUSH PRIVILEGES;"
 fi
 
 

install/upgrade/manual/migrate_ngnix_apache_nginx-php-fpm.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Function Description
+# Manual upgrade script from Nginx + Apache2 + PHP-FPM to Nginx + PHP-FPM
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# shellcheck source=/usr/local/hestia/conf/hestia.conf
+source $HESTIA/conf/hestia.conf
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+if [ "$WEB_BACKEND"  != "php-fpm" ]; then 
+    check_result $E_NOTEXISTS "PHP-FPM is not enabled" >/dev/null
+    exit 1; 
+fi
+
+if [ "$WEB_SYSTEM"  != "apache2" ]; then 
+    check_result $E_NOTEXISTS "Apache2 is not enabled" >/dev/null
+    exit 1; 
+fi
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Remove apache2 from config
+sed -i "/^WEB_PORT/d" $HESTIA/conf/hestia.conf
+sed -i "/^WEB_SSL/d" $HESTIA/conf/hestia.conf
+sed -i "/^WEB_SSL_PORT/d" $HESTIA/conf/hestia.conf
+sed -i "/^WEB_RGROUPS/d" $HESTIA/conf/hestia.conf
+sed -i "/^WEB_SYSTEM/d" $HESTIA/conf/hestia.conf
+
+# Remove nginx (proxy) from config
+sed -i "/^PROXY_PORT/d" $HESTIA/conf/hestia.conf
+sed -i "/^PROXY_SSL_PORT/d" $HESTIA/conf/hestia.conf
+sed -i "/^PROXY_SYSTEM/d" $HESTIA/conf/hestia.conf
+
+# Add Nginx settings to config
+echo "WEB_PORT='80'" >> $HESTIA/conf/hestia.conf
+echo "WEB_SSL='openssl'" >> $HESTIA/conf/hestia.conf
+echo "WEB_SSL_PORT='443'" >> $HESTIA/conf/hestia.conf
+echo "WEB_SYSTEM='nginx'" >> $HESTIA/conf/hestia.conf
+
+# Rebuild web config
+
+for user in $($HESTIA/bin/v-list-users plain | cut -f1); do
+    echo $user
+    for domain in $($HESTIA/bin/v-list-web-domains $user plain | cut -f1 ); do
+        $HESTIA/bin/v-change-web-domain-tpl $user $domain 'default'
+        $HESTIA/bin/v-rebuild-web-domain $user $domain no;
+    done
+done
+
+systemctl restart nginx