ISPConfig 3.0.5.4p9 released

Discussion in 'ISPConfig Announcements' started by till, Mar 29, 2016.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    What’s new in ISPConfig 3.0.5.4p9
    This release contains an important security fix for an insufficient validation of the PHP version selector.

    Scope of the issue: an attacker would require a valid ISPConfig login with access to the web module. The issue affects the ISPConfig interface only; on a multiserver system, only the interface server(s) have to be patched.

    Thank you to Timo Boldt https://git.ispconfig.org/u/timo.boldt for reporting this issue!

    The fix can be applied by updating to ISPConfig 3.0.5.4p9 or by using the ISPConfig patch tool.

    Use the Patch tool
    Run the command:

    Code:
    ispconfig_patch
    as root user on the shell. Enter the following patch code when requested by the tool:

    3054_phpversion

    Use the normal ISPConfig update procedure with the ispconfig_update.sh command.
    See details at the end of this post.

    The “Reconfigure services” option can be answered with “no” on servers that run ISPConfig 3.0.5.4p8.

    See changelog link below for a list of all changes that are included in this release.

    Download
    The software can be downloaded here:

    http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.5.4p9.tar.gz

    Changelog
    https://git.ispconfig.org/ispconfig/ispconfig3/milestones/50

    Known Issues
    Please take a look at the bug tracker:

    https://git.ispconfig.org/ispconfig/ispconfig3/issues

    BUG Reporting
    Please report bugs to the ISPConfig bug tracking system:

    https://git.ispconfig.org/ispconfig/ispconfig3/issues

    Supported Linux Distributions
    – Debian Etch (4.0) – Jessie (8.0) and Debian testing
    – Ubuntu 7.10 – 15.10
    – OpenSuSE 11 – 13.2
    – CentOS 5.2 – 8
    – Fedora 9 – 15

    Installation
    The installation instructions for ISPConfig can be found here:

    http://www.ispconfig.org/ispconfig-3/documentation/

    or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.

    Update
    To update existing ISPConfig 3 installations, run this command on the shell:

    Code:
    ispconfig_update.sh
    Select “stable” as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.

    Detailed instructions for making a backup before update can be found here:

    http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-update-ispconfig-3/

    If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.

    Manual update instructions
    Code:
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    tar xvfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install
    php -q update.php
     
  2. bompax

    bompax New Member

    thank you will put it on.
     
  3. edge

    edge Active Member Moderator

    Thank you.
     
  4. GuillaumeIDPZ

    GuillaumeIDPZ New Member

    Hello,
    Code:
    >> Patch tool
    
    Please enter the patch id that you want to be applied to your ISPConfig installation.
    Please be aware that we take NO responsibility that this will work for you.
    Only use patches if you know what you are doing.
    
    Enter patch id: 3054_phpversion
    
    Invalid patch id.
    Thanks
     
  5. GuillaumeIDPZ

    GuillaumeIDPZ New Member

    it's ok now, thanks :)
     
  6. onastvar

    onastvar Member

    Is patch p9 recommended for single server system?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. Each single server runs an ispconfig interface.
     
  8. onastvar

    onastvar Member

    I ran ispconfig_patch
    Code:
    >> Patch tool
    Please enter the patch id that you want to be applied to your ISPConfig installation.
    Please be aware that we take NO responsibility that this will work for you.
    Only use patches if you know what you are doing.

    Enter patch id: 3054_phpversion

    Patch description:
    --------------------------------------------------------------------------------
    This patch fixes an insufficient validation of the PHP version selector.

    --------------------------------------------------------------------------------
    Do you really want to apply this patch now? (y,n) [y]: y

    patching file interface/web/sites/web_aliasdomain_edit.php
    patching file interface/web/sites/web_domain_edit.php
    patching file interface/web/sites/web_subdomain_edit.php
    patching file interface/web/sites/web_vhost_subdomain_edit.php
    root@:~# /etc/init.d/apache2 restart
    [ ok ] Restarting web server: apache2 ... waiting .

    ISPConfig Version: 3.0.5.4p8 still shows p8 instead of p9, do I need to restart anything else besides apache?
     
  9. robotto7831a

    robotto7831a New Member

    No. The patch only fixes the issue; it doesn't increase the version number. You must edit the file /usr/local/ispconfig/interface/lib/config.inc.php manually to increase the version.
     
  10. onastvar

    onastvar Member

    What's the point of calling the patch p9 if it doesn't automatically update the ISPConfig version number?
     
  11. Jesse Norell

    Jesse Norell Active Member

    It appears the patch is called '3054_phpversion', the ispconfig release is p9. You didn't install the p9 release, you applied a single patch; in this case you started from p8 and that was the only change, so it should be the same as the p9 version. If someone else were running an older ispconfig release, they could presumably apply this same patch to fix this specific bug, but not get all the other interim changes, so they would not have the same code as p9.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    I see the confusion that it causes when we provide a patch as an alternate method to fix an issue. I guess we should stop providing patches at all so that everyone has to replace all files in his ispconfig setup with a full update even if there is just a single affected file.
     
  13. robotto7831a

    robotto7831a New Member

    I think the problem is not the patch. There is confusion when someone patches the version but the control panel shows a warning for an old version. When you increase the version number, then don't release a patch. In other cases a patch is useful.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    This would mean that we would have to silently modify the code in the released ispconfig.tar.gz without altering the version number, as we can not deliver a vulnerable version, and altering released code without a sign that it was altered is a bad practice. And the other way round, we can not alter the version number as part of the patch, as this would mean that if someone applies it to e.g. p5, then it will show p9 but he does not really have p9, as all intermediate changes are missing. So if someone wants a patch in future, he will have to diff the versions himself and build his own patch.
     
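    The exchange in posts 8 to 14 turns on one check: after ispconfig_patch, is the installation the same code as the p9 release, and may the version string in /usr/local/ispconfig/interface/lib/config.inc.php be raised by hand? The script below is an added example, not code from this thread or from ISPConfig. It assumes (this is not stated above) that the version is stored as $conf['app_version'] = '...'; in interface/lib/config.inc.php, compares an installation's interface/ tree file by file against an unpacked release tree, and builds its own small constructed release and install trees so that it runs offline; the file names it creates are stand-ins, not real ISPConfig sources.

```shell
#!/bin/sh
# Added example (not ISPConfig code): is a patched install equivalent to a
# full release, and would bumping the version string be honest?
# Assumption: the version lives in interface/lib/config.inc.php as
#   $conf['app_version'] = '3.0.5.4p9';
# The trees built by make_fixture are constructed stand-ins.

# Read the version string from an ISPConfig root directory.
installed_version() {
    sed -n "s/.*app_version.*'\([^']*\)'.*/\1/p" "$1/interface/lib/config.inc.php"
}

# Print every file under the release's interface/ that is missing from, or
# differs in, the installation.  $1 = install root, $2 = release root.
interface_drift() {
    ( cd "$2/interface" && find . -type f ) | sed 's#^\./##' | sort |
    while IFS= read -r f; do
        cmp -s "$1/interface/$f" "$2/interface/$f" 2>/dev/null || printf '%s\n' "$f"
    done
}

# Classify an installation against a release tree:
#   identical    - same code, same version string
#   version-only - only config.inc.php differs: the single patch brought the
#                  code up to the release, so raising the version by hand
#                  (post 9) states the truth
#   partial      - other files differ too: an older release plus one patch,
#                  so the version must NOT be raised (posts 11 and 14)
patch_status() {
    local drift
    drift=$(interface_drift "$1" "$2")
    case "$drift" in
        "")                 echo identical ;;
        lib/config.inc.php) echo version-only ;;
        *)                  echo partial ;;
    esac
}

write_file() { mkdir -p "$(dirname "$1")" && printf '%s\n' "$2" > "$1"; }

# Constructed trees: the p9 release, a p8 install with the 3054_phpversion
# patch applied, and a p5 install with only that patch applied.
make_fixture() {
    local root d f
    root=$(mktemp -d)
    local p9="$root/release_p9" p8="$root/install_p8_patched" p5="$root/install_p5_patched"
    for d in "$p9" "$p8" "$p5"; do
        # the four files the patch tool reported touching, in patched form
        for f in web_aliasdomain_edit.php web_domain_edit.php \
                 web_subdomain_edit.php web_vhost_subdomain_edit.php; do
            write_file "$d/interface/web/sites/$f" "<?php // constructed: patched $f"
        done
        write_file "$d/interface/web/sites/interim_change.php" "<?php // constructed: changed between p5 and p8"
    done
    write_file "$p9/interface/lib/config.inc.php" "<?php \$conf['app_version'] = '3.0.5.4p9';"
    write_file "$p8/interface/lib/config.inc.php" "<?php \$conf['app_version'] = '3.0.5.4p8';"
    write_file "$p5/interface/lib/config.inc.php" "<?php \$conf['app_version'] = '3.0.5.4p5';"
    # p5 never received the interim change, only the security patch
    write_file "$p5/interface/web/sites/interim_change.php" "<?php // constructed: p5 copy of this file"
    echo "$root"
}

root=$(make_fixture)
for inst in install_p8_patched install_p5_patched; do
    printf '%-20s version %s -> %s\n' "$inst" "$(installed_version "$root/$inst")" \
        "$(patch_status "$root/$inst" "$root/release_p9")"
done
rm -rf "$root"
```

    Against a real server the call would be patch_status /usr/local/ispconfig /tmp/ispconfig3_install after unpacking ISPConfig-3.0.5.4p9.tar.gz; note that the installer writes the installed config.inc.php itself, so expect that file to differ and look at whether anything else does.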
  15. robotto7831a

    robotto7831a New Member

    I think there are two cases.

    1. There is a problem, e.g. creating an FTP user fails. You fix this problem in the master branch and you release a patch. You don't increase the version number. If someone has this issue he can apply the patch and everything is fine.

    2. There is another issue. You fix this problem in the master branch and you increase the version number. In this case you must release a full version. If you also release a patch, then the confusion will start again.

    On the other side there is another case. Suppose someone uses e.g. version p5. If he applies the full version he will migrate to the newest version. But if he doesn't want the newest version for whatever reason, he has to apply the patch. But how do they know they can apply the patch on their old version?

    So when you release a new version, e.g. p10, then all users of p9 have to use the full upgrade.

    If someone uses an older version, then he has to apply the patch. And he will see a version warning on the control panel.

    Summary:
    issue with no new version number -> patch
    issue with new version number -> full upgrade
    issue with new version number but the user use an older version of ISPConfig -> patch (if possible)
     
  16. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    As till said: What we learn from this is, why should we make any effort in creating further patches? From now on it's up to the user to create a patch if he doesn't want to update to the next full patch release. That's it.
     
  17. aba

    aba New Member

    Thanks for the release.
     
  18. lollollollol

    lollollollol Member

    Upgrade to p9 done on my servers.
    No problems!

    Thank you.
     
