🚨 CRITICAL UPDATE: OpenEFA v1.5.7.7 Released - Security & Operational Fixes
Posted: Tue Oct 21, 2025 3:24 am
Release Date: October 20, 2025
Severity: HIGH - Contains critical security and operational fixes
Recommended Action: Update immediately
---
URGENT: Why You Need to Update NOW
Version 1.5.7.7 addresses 7 critical issues that affect both security and email delivery
functionality. If you're running v1.5.7.6 or earlier, you should update as soon as possible.
Critical Issues Fixed:
Security Vulnerabilities:
1. Missing CSRF Protection - Web interface endpoints were vulnerable to Cross-Site Request
Forgery attacks
2. No XSS Protection Headers - Missing Content Security Policy (CSP) headers
3. Credential Exposure Risk - Database credentials could appear in error logs
Operational Issues:
4. Postfix Mail Loop - Misconfigured mydestination causing mail routing loops
5. Broken Domain Relay - Multi-domain configurations failing to relay properly
6. Configuration File Errors - Scripts looking in wrong paths for config files
7. Session Timeout Inconsistency - Different timeouts for admin/superadmin roles
---
What's Fixed in v1.5.7.7
1. CSRF Protection (CRITICAL SECURITY FIX)
Problem: All POST/PUT/DELETE endpoints lacked CSRF token validation
Impact: Attackers could perform unauthorized actions on behalf of logged-in users
Fix: Flask-WTF CSRF protection now enforces tokens on all state-changing operations
File: openefa-files/web/app.py
2. Content Security Policy Headers (SECURITY ENHANCEMENT)
Problem: No XSS protection headers
Impact: Vulnerable to Cross-Site Scripting attacks
Fix: Implemented comprehensive CSP policy in report-only mode using flask-talisman
Features:
- Restricts script sources to trusted CDNs only
- Blocks inline scripts (with temporary exceptions during migration)
- Prevents clickjacking with frame-ancestors
- Violation reporting to /csp-violation-report
File: openefa-files/web/app.py
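To make the two halves of this fix concrete, here is an added example (not code from the OpenEFA repository; flask-talisman does the header work there) showing, in plain Python, how a report-only CSP header is assembled from a policy table and how a violation report posted to the report endpoint is reduced to something worth logging. The policy, CDN host, page URLs and the sample report are all constructed placeholders. The builder rejects a directive whose value is neither a string nor a list before it reaches str.join, which is the call that raises "TypeError: can only join an iterable" when handed the wrong type.

```python
import json

# Constructed policy for illustration; it follows the shape the release describes
# (self plus a trusted CDN for scripts, a temporary inline exception, frame-ancestors,
# a report endpoint) but is not OpenEFA's actual policy. The CDN host is a placeholder.
EXAMPLE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example-cdn.net"],
    "style-src": ["'self'", "'unsafe-inline'"],   # temporary exception during migration
    "frame-ancestors": "'none'",                  # single string on purpose (see builder)
    "report-uri": "/csp-violation-report",
}


def build_csp_header(policy: dict) -> str:
    """Serialize a policy dict into one CSP header value.

    A directive value may be a single string or a list/tuple of strings. Anything
    else is rejected here, because the alternative is str.join failing deep inside
    the app with "TypeError: can only join an iterable" on every request.
    """
    parts = []
    for directive, sources in policy.items():
        if isinstance(sources, str):
            sources = [sources]
        if not isinstance(sources, (list, tuple)) or not all(isinstance(s, str) for s in sources):
            raise TypeError(f"CSP directive {directive!r}: expected str or list of str, got {sources!r}")
        parts.append(f"{directive} {' '.join(sources)}".strip())
    return "; ".join(parts)


def csp_headers(policy: dict, report_only: bool = True) -> dict:
    """Header dict to merge into a response. Report-only mode, as in the release,
    logs violations without blocking anything; flip report_only once reports are clean."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: build_csp_header(policy)}


# Constructed example of what a browser POSTs to the report-uri endpoint
# (the {"csp-report": {...}} wrapper used by the report-uri directive).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://mailgw.example/quarantine",
    "violated-directive": "script-src 'self' https://cdn.example-cdn.net",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "source-file": "https://mailgw.example/quarantine",
    "line-number": 42,
}}).encode()


def summarize_violation(body: bytes) -> dict:
    """Reduce a posted report to the fields worth logging; ValueError on malformed input
    so a bad or hostile POST to the report endpoint cannot raise an unhandled exception."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("not a CSP violation report") from exc
    if not isinstance(report, dict):
        raise ValueError("not a CSP violation report")
    return {
        "directive": report.get("effective-directive") or report.get("violated-directive", "?"),
        "blocked": report.get("blocked-uri", "?"),
        "page": report.get("document-uri", "?"),
        "where": f"{report.get('source-file', '?')}:{report.get('line-number', '?')}",
    }


if __name__ == "__main__":
    for name, value in csp_headers(EXAMPLE_POLICY).items():
        print(f"{name}: {value}")
    print(summarize_violation(SAMPLE_REPORT))
```

Running it prints the single Content-Security-Policy-Report-Only line the post-update curl check below expects to see, followed by the summarized sample violation; a "blocked": "inline" entry for script-src is exactly the kind of report the migration period is meant to surface before inline scripts are blocked for real.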
3. Credential Sanitization (SECURITY FIX)
Problem: Database error messages could expose MySQL credentials in logs
Impact: Sensitive credentials visible in error output
Fix: Enhanced error handling with credential scrubbing before logging
File: openefa-files/email_filter.py
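As an added illustration of "credential scrubbing before logging" (this is not the code in email_filter.py, and the error formats it targets are assumptions about common MySQL driver messages), the following redacts passwords in DSN strings and key/value fragments, additionally blanks any secret the process already knows, and installs the whole thing as a logging filter so that no individual log call has to remember to sanitize. Host, user and password values in the samples are constructed placeholders.

```python
import io
import logging
import re

# Illustrative patterns for the ways a MySQL credential typically lands in an error
# string. They are assumptions about common formats, not rules taken from OpenEFA.
_DSN_RE = re.compile(r"(?i)(mysql(?:\+\w+)?://[^:/@\s]+:)([^@\s]+)(@)")
_KV_RE = re.compile(
    r"(?i)(['\"]?)\b(password|passwd|pwd)\b\1(\s*[=:]\s*)"
    r"(?:(['\"])([^'\"]*)\4|([^\s,;'\")}]+))"
)


def _redact_kv(m: re.Match) -> str:
    quote = m.group(4) or ""
    return f"{m.group(1)}{m.group(2)}{m.group(1)}{m.group(3)}{quote}[REDACTED]{quote}"


def scrub_credentials(text: str, known_secrets=()) -> str:
    """Redact passwords in DSNs and key/value fragments, then any literal secret the
    process knows (e.g. the configured DB password) wherever else it may appear."""
    text = _DSN_RE.sub(r"\1[REDACTED]\3", text)
    text = _KV_RE.sub(_redact_kv, text)
    for secret in known_secrets:
        if secret:
            text = text.replace(secret, "[REDACTED]")
    return text


class CredentialScrubbingFilter(logging.Filter):
    """Scrub every record before any handler formats it, so the redaction does not
    depend on each call site remembering to sanitize its message."""

    def __init__(self, known_secrets=()):
        super().__init__()
        self.known_secrets = tuple(known_secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_credentials(record.getMessage(), self.known_secrets)
        record.args = ()
        return True


def scrubbed_log_line(message: str, *args, known_secrets=()) -> str:
    """Send one record through a logger fitted with the filter and return the emitted line."""
    buf = io.StringIO()
    logger = logging.getLogger("openefa.example")   # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(CredentialScrubbingFilter(known_secrets))
    logger.addHandler(handler)
    logger.error(message, *args)
    logger.removeHandler(handler)
    return buf.getvalue().rstrip("\n")


# Constructed error strings (placeholder host, user and password).
SAMPLE_ERRORS = [
    "OperationalError: cannot connect to mysql://spacy:S3cr3t!@127.0.0.1/spacy",
    "connect() failed with {'host': '127.0.0.1', 'user': 'spacy', 'password': 'S3cr3t!'}",
    # No secret here, but the filter errs on the side of redaction and hides the YES too.
    "1045 (28000): Access denied for user 'spacy'@'localhost' (using password: YES)",
]

if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(scrubbed_log_line("db error: %s", line, known_secrets=("S3cr3t!",)))
```

The pattern pass catches the common shapes; the known_secrets pass is the safety net for anything the patterns miss, such as a password echoed in free text by a shell wrapper. The cost is the occasional over-redaction shown in the third sample.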
4. Postfix Mail Loop Prevention (CRITICAL OPERATIONAL FIX)
Problem: mydestination parameter included hosted domains, causing routing loops
Impact: Mail loops, bounces, delivery failures
Fix: Set mydestination = localhost only, removed hosted domains
Files:
- templates/postfix/main.cf
- templates/postfix/main.cf.template
Technical Details: Hosted domains are handled via virtual_mailbox_domains, not mydestination.
Including them in both causes Postfix to attempt local delivery instead of relaying to API
endpoints.
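A quick way to confirm that the condition described in the technical details is gone from your own main.cf is to check for domains listed in both mydestination and virtual_mailbox_domains. The following is an added example check, not a tool shipped with OpenEFA; the two main.cf fragments are constructed (placeholder hostname and domains) to show the pre-fix and post-fix shapes, and the parser handles Postfix continuation lines, comments and $name expansion, including the $mydomain default derived from $myhostname.

```python
import re

# Constructed main.cf fragments. BROKEN_MAIN_CF has the pre-fix shape (hosted domains
# in both mydestination and virtual_mailbox_domains); FIXED_MAIN_CF has mydestination
# reduced to localhost. Hostnames and domains are placeholders.
BROKEN_MAIN_CF = """\
# Postfix main.cf (constructed, pre-fix)
myhostname = mailgw.example.net
mydestination = $myhostname, localhost.$mydomain, localhost,
    example.com, example.org
virtual_mailbox_domains = example.com, example.org
transport_maps = hash:/etc/postfix/transport
"""

FIXED_MAIN_CF = """\
# Postfix main.cf (constructed, post-fix)
myhostname = mailgw.example.net
mydestination = localhost
virtual_mailbox_domains = example.com, example.org
transport_maps = hash:/etc/postfix/transport
"""


def parse_main_cf(text: str) -> dict:
    """Parse 'key = value' lines, folding indented continuation lines into the
    preceding value (Postfix syntax) and skipping comments and blank lines.
    A later definition of the same key overrides an earlier one, as in Postfix."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    return params


def expand(value: str, params: dict, depth: int = 0) -> str:
    """Expand $name and ${name} references. One Postfix default is modelled because
    it shows up in mydestination: $mydomain is $myhostname minus its first label."""
    if depth > 10:                      # guard against self-referential definitions
        raise ValueError("parameter expansion too deep")

    def lookup(m):
        name = m.group(1)
        if name in params:
            return expand(params[name], params, depth + 1)
        if name == "mydomain" and "myhostname" in params:
            return params["myhostname"].split(".", 1)[-1]
        return ""

    return re.sub(r"\$\{?(\w+)\}?", lookup, value)


def split_list(value: str) -> list:
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def find_loop_risk(text: str) -> dict:
    """Report the domains present in both mydestination and virtual_mailbox_domains
    (the overlap the release identifies as the cause of local delivery instead of
    relaying) together with the fully expanded mydestination for context."""
    params = parse_main_cf(text)
    mydest = set(split_list(expand(params.get("mydestination", ""), params)))
    virtual = split_list(expand(params.get("virtual_mailbox_domains", ""), params))
    overlap = [d for d in virtual if d in mydest]
    return {"mydestination": sorted(mydest), "overlap": overlap}


if __name__ == "__main__":
    for label, cf in (("before", BROKEN_MAIN_CF), ("after", FIXED_MAIN_CF)):
        print(label, find_loop_risk(cf))
```

To run it against a live system, read /etc/postfix/main.cf into find_loop_risk; an empty overlap list is the state v1.5.7.7 puts the templates in. (postconf -n prints the effective values and is the authoritative check, but it does not flag the overlap for you.)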
5. Domain Relay Configuration (OPERATIONAL FIX)
Problem: Multi-domain setups failing to relay correctly
Impact: Some domains not receiving mail
Fix: Corrected virtual_mailbox_domains and transport_maps configuration
File: templates/postfix/main.cf
6. Configuration File Location Handling (OPERATIONAL FIX)
Problem: Scripts hardcoded wrong paths for config files
Impact: Database connection failures, startup errors
Fix: Standardized config paths to /opt/spacyserver/config/
Files:
- lib/database.sh
- lib/services.sh
- lib/postfix.sh
7. Session Timeout Standardization (SECURITY ENHANCEMENT)
Problem: Admins had 60-minute timeout, superadmins had 30-minute timeout
Impact: Security inconsistency
Fix: All roles now use 30-minute timeout for consistency
File: openefa-files/web/app.py
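Fixes 1 and 7 both live in the session layer, so one added example covers them: a standard-library sketch (not OpenEFA's app.py, which uses Flask-WTF's CSRFProtect and Flask sessions) of the synchronizer-token pattern, where every session carries a random CSRF token that state-changing requests must echo back, and of a single 30-minute idle timeout applied to every role. Session, SessionStore and check_request are hypothetical names; the user and role values are constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 30 * 60          # one value for every role, as in v1.5.7.7
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    user: str
    role: str                            # "admin" or "superadmin"; timeout ignores it
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_seen: float = field(default_factory=time.time)


class SessionStore:
    """In-memory session table keyed by an unguessable session id."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def create(self, user: str, role: str, now: float = None) -> str:
        sid = secrets.token_urlsafe(32)
        session = Session(user, role)
        session.last_seen = time.time() if now is None else now
        self._sessions[sid] = session
        return sid

    def get(self, sid: str, now: float = None):
        """Return the live session, or None if unknown or idle past the timeout.
        Expired sessions are dropped; activity slides the window forward."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[sid]
            return None
        session.last_seen = now
        return session


def check_request(store: SessionStore, sid: str, method: str,
                  submitted_token, now: float = None) -> tuple:
    """Authorize one request: the session must be live, and a state-changing
    method must carry the session's own CSRF token (constant-time comparison,
    so a wrong token is not distinguishable by timing from a nearly right one)."""
    session = store.get(sid, now)
    if session is None:
        return False, "session expired or unknown"
    if method.upper() in STATE_CHANGING_METHODS:
        if not submitted_token or not hmac.compare_digest(submitted_token, session.csrf_token):
            return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    sid = store.create("alice", "superadmin", now=t0)
    token = store.get(sid, now=t0).csrf_token
    print(check_request(store, sid, "POST", None, now=t0 + 60))      # rejected: no token
    print(check_request(store, sid, "POST", token, now=t0 + 60))     # accepted
    print(check_request(store, sid, "GET", None, now=t0 + 60 + 31 * 60))  # expired
```

The token is bound to the session rather than to the user, which is what makes a forged cross-site form fail: the attacker's page can cause the browser to send the victim's cookie, but it cannot read the token that belongs to that session. Role never enters the expiry decision, which is the consistency the release restores.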
---
Update Instructions
Option 1: Automatic Update (Recommended)
# Run the update script
sudo /opt/spacyserver/tools/update.sh
The update script will:
- Automatically backup your installation
- Download v1.5.7.7 from GitHub
- Preserve all your configuration
- Restart services
- Validate everything is working
Update time: ~2-3 minutes
Option 2: Manual Update
# Backup first!
sudo cp -r /opt/spacyserver /opt/spacyserver-backup-$(date +%Y%m%d)
# Download and run installer
cd /tmp
git clone https://github.com/openefaadmin/openefa-installer.git
cd openefa-installer
sudo ./install.sh
---
Important Notes
Known Issue & Hotfix (v1.5.7.7.1)
If you updated to v1.5.7.7 between October 20 20:14 UTC and October 20 20:17 UTC, you may have
received a version with a CSP configuration bug causing HTTP 500 errors on the web interface.
Symptom: Web interface returns "Internal Server Error"
Error in logs: TypeError: can only join an iterable
Fix: Re-run the update script or manually apply hotfix v1.5.7.7.1:
sudo /opt/spacyserver/tools/update.sh
This has been corrected in commit e3f70ba and all new installations will have the fix.
---
Post-Update Verification
Run these commands to verify your update:
# Check version
cat /opt/spacyserver/VERSION
# Should show: VERSION=1.5.7.7
# Verify all services running
systemctl status spacyweb spacy-db-processor spacy-release-api spacy-whitelist-api spacy-block-api
# Test web interface (should return HTTP 302 redirect to login)
curl -I https://localhost:5500 -k
# Check for CSP headers in response
# Should see: Content-Security-Policy-Report-Only header
---
Full Changelog
Version: 1.5.7.7
Released: October 20, 2025
Commit: 91e3682
Modified Files (12):
- .gitignore
- VERSION
- lib/database.sh
- lib/postfix.sh
- lib/services.sh
- openefa-files/config/notification_config.json
- openefa-files/email_filter.py
- openefa-files/tools/OpenSpacyMenu
- openefa-files/web/app.py
- openefa-files/web/templates/base.html
- templates/postfix/main.cf
- templates/postfix/main.cf.template
New Documentation (6 files, 76KB):
- CHANGES_v1.5.7.7.md - Comprehensive changelog
- CSRF_PROTECTION_FIX_v1.5.7.7.md - CSRF implementation details
- CSP_IMPLEMENTATION_v1.5.7.7.md - CSP header documentation
- POSTFIX_LOOP_FIX_v1.5.7.7.md - Mail loop technical details
- DOMAIN_RELAY_FIX_v1.5.7.7.md - Domain relay configuration
- CONFIG_LOCATION_FIX_v1.5.7.7.md - Config path standardization
Total Changes: 2,865 insertions, 106 deletions
---
Need Help?
Update Issues?
Check backup location: /opt/spacyserver-backup-[timestamp]/
View update log: /tmp/openefa-update-[timestamp].log
Still Having Problems?
1. Check service logs: journalctl -u spacyweb -n 50
2. Verify Redis: redis-cli ping
3. Post in this thread with error details
Rollback (if needed):
sudo systemctl stop spacyweb spacy-db-processor spacy-release-api spacy-whitelist-api spacy-block-api
sudo mv /opt/spacyserver /opt/spacyserver-failed
sudo mv /opt/spacyserver-backup-[timestamp] /opt/spacyserver
sudo systemctl start spacyweb spacy-db-processor spacy-release-api spacy-whitelist-api spacy-block-api
---
Statistics
Total Installations Affected: All versions prior to 1.5.7.7
Security Issues Fixed: 3 (CSRF, CSP, credential exposure)
Operational Issues Fixed: 4 (mail loops, relay, config paths, sessions)
Lines of Code Changed: 2,971
Testing Status: Fully tested on production systems
---
Thank You
Special thanks to the community for reporting these issues and to Claude Code for assisting
with the comprehensive fixes and documentation.
Questions? Reply below
Found a bug? Open an issue on GitHub
Success story? Share your update experience!
---
Repository: https://github.com/openefaadmin/openefa-installer
Latest Commit: e3f70ba (includes CSP hotfix)
Documentation: See individual fix documentation files in the repository