first of all - i don't want to blame anybody - it was my own fault and i am the only responsible person for this problem - but i want to tell about, maybe the installer could help me by doing backup of the configuration files.
i changed the file /root/ispconfig/isp/conf/vhost.conf.master. i added the line
because with this trick every virtual host has it's own php.ini and so i can set the tmp-dir and the open-basedir individually for each virtual host.
after doing the update to the newest version i realized that the update copies its "new" file over my "old" file and so my changes where gone. this means the openbasedir and the tmp-dir was meaningless and this opens a security hole. one again - my fault! i changed something and forgot to re change it after the update.
But maybe the installer can reate a "backup-dir" and copies the "old" files there, so that i can recopy the "old" files over then "new" ones.
the same was with the apache default-files. i changed them all to my company and after doing the update all changes where gone.
- just want to say ;-)