froxlor security release 2.3.6

What's Changed

• Bump phpseclib/phpseclib from 3.0.49 to 3.0.50 by @dependabot[bot] in #1394
• Bump league/commonmark from 2.8.1 to 2.8.2 by @dependabot[bot] in #1395
• Bump picomatch by @dependabot[bot] in #1396
• Bump vite from 6.4.1 to 6.4.2 by @dependabot[bot] in #1397
• Bump lodash from 4.17.23 to 4.18.1 by @dependabot[bot] in #1398
• [apache2] add setting to decide what value the ServerAdmin directive should have, fixes #1391
• [Security] validate def_language parameter against existing language files and avoid path-traversal
• [Security] fix escaping of single-quotes in generation of userdata.inc.php and validate privileged-user and mysql_ca in MysqlServer.add/update
• [Security] add validation for DNS NAPTR record content
• [Security] add symlink-validation to data-export
• [Security] fix domain-ownership validation in EmailSender.add
• [Security] fix possible unvalidated adminid in Domains.add() if admin/reseller does not have 'customer_see_all' privileges

Full Changelog: 2.3.5...2.3.6

froxlor security release 2.3.5

What's Changed

• [SSL] update default ssl-cipher-list (as recommended by mozilla's SSL Configuration Generator)
• [Security] validate dns LOC, RP, SSHFP and TLSA record-content according to specifications
• [API] lowercase localpart of email address, fixes #1385
• [UI] Add Chinese (Simplified) language support by @bobo334 in #1384
• [Security] Bump rollup from 4.49.0 to 4.59.0 by @dependabot[bot] in #1388
• [Configuration] Fix: "Allowed sender @Domain” greift nicht, wenn die Absender-Mailbox existiert by @MBungalski in #1387
• [Security] Bump immutable from 5.1.3 to 5.1.5 by @dependabot[bot] in #1389
• [Security] Bump league/commonmark from 2.8.0 to 2.8.1 by @dependabot[bot] in #1390

New Contributors

• @bobo334 made their first contribution in #1384
• @MBungalski made their first contribution in #1387

Full Changelog: 2.3.4...2.3.5

froxlor security release 2.3.4

• [security] fix validation of email and url fields in settings, properly escape shell arguments in config-services and acme.sh installation

  • CVE / report will be published on 3rd of March for admins to have time to update

• [cron] avoid endless rebuilding of vhost if let's encrypt is globally disabled and activated for froxlor-vhost; fixes #1382

• [config] use correct and safe permissions for /etc/dovecot/conf.d/99-froxlor.conf in trixie, fixes #1380

• [cron] fix undefined index 'email_only' in Dns for froxlor-hostname

• [ui] fix viewing access/error logs for subdomains as customer

• [cron] avoid 'request_slowlog_timeout' can't be greater than 'request_terminate_timeout' issues in php-fpm; fixes #1378

froxlor maintenance release 2.3.3

What's Changed

• fixes in FCGID permissions
• correctly trigger rebuild of vhost generation in Domains.update
• fix guessed myhostname value for postfix in debian trixie
• Update czech translation by @rex2630 in #1371
• Lng hu updates 2.3.1 by @kissgyula in #1374

Full Changelog: 2.3.2...2.3.3

Froxlor bugfix release 2.3.2

What's Changed

• Permissions on the parent directory of the configdir are too strict by @RipClaw2971 in #1367
• Installer throws a 500 error in version 2.3.1 but works with version 2.3.0 by @RipClaw2971 in #1368

Full Changelog: 2.3.1...2.3.2

Froxlor maintenance release 2.3.1

What's Changed

• Fix empty PATH_INFO fastcgi_param in nginx by @bashgeek in #1357
• Fix implicitly marked variables as null by @bashgeek in #1359
• Enhance session path validation in PhpSessionclean by @ZARk-be in #1360
• fix froxlor (an probably many others) on http3: populate [HTTP_HOST] by @realrellek in #1361
• Fix pop3_logout_format for Dovecot 2.4 by @bashgeek in #1363
• Remove curl_close() calls, has been not doing anything since 8.0 and is now officiall deprecated by @bashgeek in #1364
• Remove http3_hq from vhost by @realrellek in #1366
• Add 'always' to add_header for HSTS and h3 by @realrellek in #1365

New Contributors

• @ZARk-be made their first contribution in #1360

Full Changelog: 2.3.0...2.3.1

froxlor 2.3 – SSH-key management, API upgrades, HTTP/3 & Debian 13 support

What's Changed

• Bump form-data from 4.0.2 to 4.0.4 by @dependabot[bot] in #1341
• Bump vite from 6.3.5 to 6.3.6 by @dependabot[bot] in #1347
• Add nginx HTTP/3 support by @lukasbableck in #1285
• Changing sendmail default to postmaster@DOMAIN (#1349) by @realrellek in #1350
• Bump vite from 6.3.6 to 6.4.1 by @dependabot[bot] in #1353

New Contributors

• @realrellek made their first contribution in #1350

Full Changelog: 2.2.8...2.3.0

froxlor 2.3 RC – SSH-key management, API upgrades, HTTP/3 & Debian 13 support

What's Changed

• Bump form-data from 4.0.2 to 4.0.4 by @dependabot[bot] in #1341
• Bump vite from 6.3.5 to 6.3.6 by @dependabot[bot] in #1347
• Add nginx HTTP/3 support by @lukasbableck in #1285
• Changing sendmail default to postmaster@DOMAIN (#1349) by @realrellek in #1350
• Bump vite from 6.3.6 to 6.4.1 by @dependabot[bot] in #1353

New Contributors

• @realrellek made their first contribution in #1350

Full Changelog: 2.2.8...2.3.0-rc1

Official Announcement

See Forum

Froxlor maintenance release 2.2.8

What's Changed

• Bump league/commonmark from 2.6.2 to 2.7.0 by @dependabot in #1329
• Update for Hungarian language by @kissgyula in #1330
• Relax dkim_entry visibilty for admins in domain editor like it is for customers by @dtugend in #1336

New Contributors

• @dtugend made their first contribution in #1336

Full Changelog: 2.2.7...2.2.8

Froxlor bugfix release 2.2.7

What's Changed

• Explicitely mark nullable type parameters as such by @bashgeek in #1313
• Bump vite from 6.2.0 to 6.2.4 by @dependabot in #1320
• Bump axios from 1.8.1 to 1.8.2 by @dependabot in #1321
• Bump vite from 6.2.4 to 6.2.5 by @dependabot in #1322
• Bump vite from 6.2.5 to 6.2.6 by @dependabot in #1323
• Bump vite from 6.2.6 to 6.3.4 by @dependabot in #1327

Full Changelog: 2.2.6...2.2.7