Version 1.685

Released: 2025-09-17

Option to select Node.js package provider custombuild new

CustomBuild configuration has a new option nodejs_provider. This option configures how to obtain the package for Node.js. It supports the following values:

  • The default value is distro. When this option is selected, Node.js will be installed from the system (Linux distribution) package repositories. The version of Node.js will depend on the Linux distribution used on the server.
  • Values nodesource-20, nodesource-22, nodesource-24 allow using packages provided by the NodeSourceopen in new window. This makes it easy to use a newer Node.js version on older systems.
  • Value custom can be used if Node.js is already installed by the server administrator by some other means. The CustomBuild will skip Node.js installation and will assume it is already installed on the server.

Support for PHP 8.5 custombuild new

CustomBuild is updated to support building PHP 8.5 on all supported systems.

Updated installation scripts for Apache mod_hostinglimits and mod_proctitle modules custombuild update

The way CustomBuild compiles and installs Apache mod_hostinglimits and mod_proctitle modules is improved. Key changes:

  • The source packages will be cached in the .../custombuild/cache directory. This means rebuilding the module again will use the cached source package.
  • Configuration files for the modules are added to the .../custombuild/configure directory. This makes it easier to customise the configuration files if needed.

Note, the Apache web server modules mod_hostinglimits and mod_proctitle are only used on CloudLinux servers.

Updated SquirrelMail installation scripts custombuild update

The SquirrelMail installer is updated. Key changes:

  • Start caching source packages.
  • Always perform s clean installation in a new directory. This ensures no leftover files from previous installations persist.

Software version changes custombuild update

  • PHP 8.5 added with 8.5.0beta3 version
  • squirrelmail_svn renamed to squirrelmail
  • squirrelmail_locale renamed to squirrelmail-locales
  • squirrel_logger renamed to squirrelmail-logger
  • csf updated from 15.00 to 15.01
  • imapsync updated from 2.229 to 2.290
  • litespeed updated from 6.3.4-4 to 6.3.4-5
  • unit updated from 1.34.2 to 1.35.0

Note: The CSF version 15.01 is a fork of the original CSF. It contains an update to the LFD service regex patterns to correctly detect failed logins for Dovecot 2.4.

Support for php_home_tmp_session_save_path option for all PHP modes update

If the php_home_tmp_session_save_path configuration option is enabled (it is enabled by default), then session.save_path will be configured to be /home/{user}/tmp for all PHP modes.

Previously php_home_tmp_session_save_path only worked in php-fpm mode.

Differentiation between added and built in entries in menu customizations evolution update

The delete icon within menu customization (located in Customize Evolution Skin -> Menu) was used for both built in and newly created entries/categories. Different icons are now used for built in and newly created entries/categories to better indicate what the action does.

Allow creation of multiple menu entries with the same name evolution fix

It is now possible to create as many new menu entries/categories with the same name. Before this, oldest menu entry used to become invisible when a new one with the same name was created.

Majordomo wrapper compilation on modern systems fix

The Majordomo (mailing list manager) wrapper binary is patched to be compatible with the modern GCC compiler. This fixes compilation problems on modern Linux systems.

Remove global default limit notice option evolution removal

It is no longer possible to select global default as an option for controlling whether notice messages are sent after approaching quota limits.

Stop accepting state-changing GET requests for CMD_API_POP command removal

The command CMD_API_POP is moved to the new security framework, which prevents performing state-changing requests with the HTTP GET method. In earlier releases there was a loophole that allowed performing actions with a GET request if the request used HTTP basic authentication.

This loophole is removed. In this release the following actions must always use the HTTP POST method:

  • /CMD_API_POP?action=all_email_sync
  • /CMD_API_POP?action=create
  • /CMD_API_POP?action=modify
  • /CMD_API_POP?action=delete
  • /CMD_API_POP?action=set_dkim

In this release only the CMD_API_POP command is affected. We are planning to harden the security of other endpoints in the future.

Last Updated: