News

Home/News

eFa 3.0.1.9 Security Update Released

The 3.0.1.9 security update is now available.

We would also like to thank everyone for their support and contributions to this project.

A big thanks to the MailWatch team for making security fixes possible!

The following issues have been fixed (hopefully) in 3.0.1.9:

– Added Apache mod_security by default
– Added Apache X-XSS-Protection header
– Updated MailWatch and Sqlgrey Web Interface (Security Fixes)
– Changed and updated database engine to MariaDB (10.1)

#################### Important Security Notice ########################

/////// Everyone is STRONGLY encouraged to update to 3.0.1.9 NOW \\\\\\\\\

A recent set of vulnerabilities have been discovered in the MailWatch and
SGWI interfaces that can allow an attacker to escalate privileges in eFa.

Because of these vulnerabilities, if you are using the same password for
the console as you are for MailWatch (many folks are), please take a moment
to make your MailWatch admin password different from the console.
Doing so will limit the success of a shared credential attack via MailWatch
on eFa to gain root access.

If you cannnot update to 3.0.1.9 or have problems, the following steps are
strongly recommended to keep your appliance safe until you can update
successfully:

1) Rotate your admin passwords in the console and MailWatch UI and make
each one different than the other to prevent a shared credential
attack.

2) Install mod_security and mod_evasive to provide some security in front
of the vulnerable code.

3) Inform your MailWatch users (especially admins) to avoid opening multiple
tabs and performing general web browsing while working in MailWatch

##################### Important database changes ######################

MailWatch 1.2.1-dev has utf8mb4 character set support.
CentOS 6.8 lacks this support in the stock mysql rpms.
Therefore, upgrades to 3.0.1.9 will migrate the database from mysql
to MariaDB 10.1. This may be a big jump for some users and may want
to perform additional testing prior to upgrading.

###################### How To Update ##################################

It is recommended that you suspend your mail flow and snapshot prior
to updating or to back up the entire appliance.

1) Stop mail flow temporarily (at firewalls/mailservers)
2) Snapshot your VM and its memory using your hypervisor tools
3) If the update fails for any reason, collect relevant logs or screen
outputs/screenshots and revert to your snapshot
4) Report failure at https://forum.efa-project.org

Launch EFA-Configure from console or secure shell

(sudo /usr/local/sbin/EFA-Configure)

Choose option 14) Update Now

The first time you run this update, the kernel may update. If this
happens, the script will halt to give you an opportunity to restart.
After restarting and booting to the new kernel, rerun EFA-Update to
continue the update process to 3.0.1.9.

EFA-Update will not proceed until you are running on the latest
kernel. This is to ensure that open-vm-tools updates appropriately
if present.

eFa3 Code Freeze

Greetings eFa Users!

eFa started as a replacement for ESVA when that project died.

As some of you may know, that was a long time ago. In fact, eFa3 is now really starting to show its age. Despite it being updated, we are still on CentOS 6.
It is time to move forward with new development. :dance:

Therefore, we are announcing a pending code freeze for eFa3 so that we can begin work on eFa4.

No new features or enhancements will be added to eFa. However, bug fixes may be released as needed depending on the severity of the issue.
We look forward to many new developments and will keep you posted!

eFa 3.0.1.8 Released

The 3.0.1.8 update is now available.

We would also like to thank everyone for their support and contributions to this project. :clap:

The following issues have been fixed (hopefully) in 3.0.1.8:

Issue #347 Bug – Missing defines in latest MailWatch

It is recommended that you suspend your mail flow and snapshot prior
to updating or to back up the entire appliance.

1) Stop mail flow temporarily (at firewalls/mailservers)
2) Snapshot your VM and its memory using your hypervisor tools
3) If the update fails for any reason, collect relevant logs or screen
outputs/screenshots and revert to your snapshot
4) Report failure at https://forum.efa-project.org

Launch EFA-Configure from console or secure shell

(sudo /usr/local/sbin/EFA-Configure)

Choose option 14) Update Now

The first time you run this update, the kernel may update. If this
happens, the script will halt to give you an opportunity to restart.
After restarting and booting to the new kernel, rerun EFA-Update to
continue the update process to 3.0.1.8.

EFA-Update will not proceed until you are running on the latest kernel. This is to ensure that open-vm-tools updates appropriately if present.

After updating, please run “Update GeoIP Database” update as soon as possible from MailWatch under Tools/Links.

eFa 3.0.1.7 Released

The 3.0.1.7 update is now available.

We would also like to thank everyone for their support and contributions to this project. :clap:

The following issues have been fixed (hopefully) in 3.0.1.7:

Issue #346 Bug – EFA 3.0.1.6 mailwatch is empty after Update GeoIP Database

Updated MailWatch to 1.2.0 – RC4 latest development

It is recommended that you suspend your mail flow and snapshot prior
to updating or to back up the entire appliance.

1) Stop mail flow temporarily (at firewalls/mailservers)
2) Snapshot your VM and its memory using your hypervisor tools
3) If the update fails for any reason, collect relevant logs or screen
outputs/screenshots and revert to your snapshot
4) Report failure at https://forum.efa-project.org

Launch EFA-Configure from console or secure shell

(sudo /usr/local/sbin/EFA-Configure)

Choose option 14) Update Now

The first time you run this update, the kernel may update. If this
happens, the script will halt to give you an opportunity to restart.
After restarting and booting to the new kernel, rerun EFA-Update to
continue the update process to 3.0.1.7.

EFA-Update will not proceed until you are running on the latest
kernel. This is to ensure that open-vm-tools updates appropriately
if present.

After updating, please run “Update GeoIP Database” update as soon as
possible from MailWatch under Tools/Links.

eFa 3.0.1.0 available

The 3.0.1.0 update is now available, as this is an security update please update as soon as possible.

The following issues have been fixed in 3.0.1.0:

  • Issue #201 Bug – Deprecated release-msg.cgi
  • Issue #236 Enhancement – Disable spam not delivered messages by default
  • Issue #253 Bug – EFA-Backup ssl folder
  • Issue #260 Bug – Header in Apache Settings wrong
  • Issue #261 Bug – learn-msg.cgi wrong path for sa-learn
  • Issue #262 Bug – MS_LOGO and MW_LOGO Definitions Needed
  • Issue #268 Enhancement – EFA-Init link test without DHCP dependency
  • Issue #269 Bug – SQL error during rename of host name in EFA-Configure
  • PR #270 Bug – Typo in RELEASENOTES
  • Issue #272 Security – MailWatch Vulnerability

Please review the RELEASENOTES prior to updating for important information:

It is recommended that you suspend your mail flow and snapshot prior
to updating or to back up the entire appliance.

1) Stop mail flow temporarily (at firewalls/mailservers)
2) Snapshot your VM and its memory using your hypervisor tools
3) If the update fails for any reason, immediately roll back to snapshot
4) Report failure at https://forum.efa-project.org

The first time you run this update, the kernel may update. If this
happens, the script will halt to give you an opportunity to restart.
After restarting and booting to the new kernel, rerun EFA-Update to
continue the update process to 3.0.1.0.

EFA-Update will not proceed until you are running on the latest
kernel. This is to ensure that open-vm-tools updates appropriately
if present.

You can download the latest VM image version from the downloads page.