Important security fix where a segfault from a specific request could allow a remote attacker unauthorized access.

For anyone who cannot update to this version of DirectAdmin (e.g. end-of-life OS), please add:

email_ftp_password_change=0

to your directadmin.conf and restart DirectAdmin.

We won't be immediately commenting on the details of the bug to allow everyone time to update.

Update: As some clients have disabled their auto-update or have still not updated yet, to help get the message out more quickly, we've requested a CVE ID number: CVE-2017-18045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18045

==========

Related messages:
RoundCube: "Could not save new password. The password changing feature has been disabled"
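
For servers that have to rely on the workaround above, the following added example (not part of the original advisory and not DirectAdmin's own tooling) applies email_ftp_password_change=0 idempotently and reports the resulting value, so that a stale =1 line cannot remain in the file. The function names are hypothetical, and the path to directadmin.conf is passed in by the caller rather than assumed.

```shell
#!/bin/sh
# Added example: apply and check the advisory's workaround in a DirectAdmin
# config file. The file path is supplied by the caller (assumption: you know
# where your directadmin.conf lives); function names are hypothetical.

KEY=email_ftp_password_change
PAT="^[[:space:]]*${KEY}[[:space:]]*="

# Print the value of the last KEY assignment in file $1 (empty if unset).
da_get_option() {
    sed -n "s/${PAT}[[:space:]]*//p" "$1" | tail -n 1
}

# Ensure file $1 contains exactly one "KEY=0" line. Returns 0 on success,
# 2 if the file is missing. Leaves a copy of the previous file in $1.bak.
da_disable_password_change() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "no such file: $conf" >&2
        return 2
    fi
    count=$(grep -c "$PAT" "$conf" || true)
    if [ "$count" = "1" ] && [ "$(da_get_option "$conf")" = "0" ]; then
        return 0    # already mitigated, nothing to rewrite
    fi
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Drop every existing assignment (a stale "=1" must not survive),
    # then append the single mitigating line.
    grep -v "$PAT" "$conf" > "$tmp" || true
    printf '%s=0\n' "$KEY" >> "$tmp"
    cp -p "$conf" "${conf}.bak"
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage: sh this_script /path/to/directadmin.conf
if [ "$#" -gt 0 ]; then
    da_disable_password_change "$1" &&
        echo "$KEY=$(da_get_option "$1") set; restart DirectAdmin to apply"
fi
```

The script only edits the file; DirectAdmin still has to be restarted afterwards, as the advisory states.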