
Froxlor

v2.3.7 Security

This release includes 8 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 8 known CVEs

Topics: froxlor, hosting, php, server-management, webserver

Affected surfaces: auth, deps

ReleasePort's take

Moderate signal

ReleasePort Layer 1 version 2.3.7 introduces multiple security hardenings across DNS, FTPS, SSH keys, API key generation, MySQL server validation, filesystem symlink handling, and adds Slovak localization.

Why it matters: All listed fixes carry a severity score of 50; operators should apply the update immediately to mitigate regex-validation bypasses, control-character injection, unauthorized shell execution, misplaced authorized_keys files, API-key theft risks, MySQL server scope violations, and symlink resolution flaws.

Summary

AI summary

[security] Multiple security hardenings including regex validation, control character removal, shell existence check, authorized_keys path enforcement, API-key generation protection, ownership checks, and symlink resolution.

Changes in this release

  • Security (Medium): secured regex for Dns LOC entries validation (source: llm_adapter@2026-05-21; confidence: high)
  • Security (Medium): remove invalid control characters in every dns content-field (source: llm_adapter@2026-05-21; confidence: high)
  • Security (Medium): ensure given shell exists in Ftps.add/update (source: llm_adapter@2026-05-21; confidence: high)
  • Security (Medium): ensure authorized_keys file for SshKeys is within the customers documentroot (source: llm_adapter@2026-05-21; confidence: high)
  • Security (Medium): secure api-key generation by asking user for current password (source: llm_adapter@2026-05-21; confidence: high)
  • Security (Medium): ensure ownership of email/emailsender in frontend when deleting emailserver (source: llm_adapter@2026-05-21; confidence: high)
  • Security (Medium): ensure given dbserver value for Mysqls.add() is within the list of allowed mysql-servers for the customer (source: llm_adapter@2026-05-21; confidence: high)
  • Security (Medium): ensure a given symlink is resolved and validated correctly in FileDir::makeCorrectFile() (source: llm_adapter@2026-05-21; confidence: high)
  • Feature (Medium): Add Slovak language (sk) (source: llm_adapter@2026-05-21; confidence: low)
  • Dependency (Medium): Bump follow-redirects from 1.15.11 to 1.16.0 (source: llm_adapter@2026-05-21; confidence: low)
  • Dependency (Medium): Bump axios from 1.11.0 to 1.15.0 (source: llm_adapter@2026-05-21; confidence: low)
  • Dependency (Medium): Bump phpseclib/phpseclib from 3.0.50 to 3.0.51 (source: llm_adapter@2026-05-21; confidence: low)
  • Dependency (Medium): Bump postcss from 8.5.6 to 8.5.13 (source: llm_adapter@2026-05-21; confidence: low)
  • Bugfix (Medium): Add missing label for REBUILD_NSSUSERS task (source: llm_adapter@2026-05-21; confidence: low)

Full changelog

What's Changed

  • Bump axios from 1.11.0 to 1.15.0 by @dependabot[bot] in https://github.com/froxlor/froxlor/pull/1400
  • Bump phpseclib/phpseclib from 3.0.50 to 3.0.51 by @dependabot[bot] in https://github.com/froxlor/froxlor/pull/1401
  • Add missing label for REBUILD_NSSUSERS task by @lukasbableck in https://github.com/froxlor/froxlor/pull/1402
  • Bump follow-redirects from 1.15.11 to 1.16.0 by @dependabot[bot] in https://github.com/froxlor/froxlor/pull/1403
  • Add Slovak language (sk) by @martinbernat in https://github.com/froxlor/froxlor/pull/1404
  • Bump postcss from 8.5.6 to 8.5.13 by @dependabot[bot] in https://github.com/froxlor/froxlor/pull/1405
  • Bump phpseclib/phpseclib from 3.0.51 to 3.0.52 by @dependabot[bot] in https://github.com/froxlor/froxlor/pull/1406
  • Bump axios from 1.15.0 to 1.15.2 by @dependabot[bot] in https://github.com/froxlor/froxlor/pull/1407
  • [security] secured regex for Dns LOC entries validation
  • [security] remove invalid control characters in every dns content-field
  • [security] ensure given shell exists in Ftps.add/update
  • [security] ensure authorized_keys file for SshKeys is within the customers documentroot
  • [security] secure api-key generation by asking user for current password
  • [security] ensure ownership of email/emailsender in frontend when deleting emailserver
  • [security] ensure given dbserver value for Mysqls.add() is within the list of allowed mysql-servers for the customer
  • [security] ensure a given symlink is resolved and validated correctly in FileDir::makeCorrectFile()

New Contributors

  • @martinbernat made their first contribution in https://github.com/froxlor/froxlor/pull/1404

Full Changelog: https://github.com/froxlor/froxlor/compare/2.3.6...2.3.7


About Froxlor

The server administration software for your needs - The official Froxlor development Git repository
