New versions of Alt-PHP ionCube Loader are available from our updates-testing repository.
alt-php44-ioncube-loader (Cloud Linux 5/6)
alt-php51-ioncube-loader (Cloud Linux 5/6/7)
alt-php52-ioncube-loader (Cloud Linux 5/6/7)
alt-php53-ioncube-loader (Cloud Linux 5/6/7)
alt-php54-ioncube-loader (Cloud Linux 5/6/7)
alt-php55-ioncube-loader (Cloud Linux 5/6/7)
alt-php56-ioncube-loader (Cloud Linux 5/6/7)
ionCube Loader updated to version 4.7.5;
fixed loader crash on PHP 5.5 and PHP 5.6 if a call to eval() contained invalid code;
fixed Serializable interface class implementation for the __sleep and __wakeup functions.
New versions of OptimumCache (version 0.2-25) and cloudlinux-collect (version 0.1-4) with fresh fixes are available from our updates-testing repository.
prevented 'occtl --check' going into recursion with symlinks;
load only ploop modules from vzctl-core package to prevent cPanel initiating quotas.
For clients who have encountered the problem of cPanel initiating quotas, the only solution is to reboot the server after upgrading the OptimumCache package. After the reboot, try to initiate cPanel quotas. A reboot appears to be the only way to unload the undesirable ‘vzdquota’ kernel module.
fix for incomplete stats when 'optimumcache stat' issues a message to stderr;
run ‘optimumcache stat’ within LVE considering the same limits as for ‘occtl --check’, ‘occtl --mark-dir’ commands;
CageFS (version 5.3-11), liblve (version 1.3-1.8), bsock (version 0.09-5) and lve-utils (version 1.4-36) are updated for CloudLinux 5 and CloudLinux 6 and are available from our updates-testing repository.
CAG-359: changed start number of cagefs service from 12 to 29 for new cagefs installations only;
CAG-352: added "cleaning" of config directories to cronjob and userdel hook (removing config files of non-existing users);
CAG-329: domain mount points are not lost when system user renamed from Plesk panel;
CAG-320: PHP Selector settings are not lost after transfer of accounts in DirectAdmin;
CAG-330: put processes executed via proxyexec into LVE;
CAG-313: made CageFS configuration directories and files not readable for regular users (permissions corrected);
CAG-333: process duplicates UIDs correctly in cagefs.server;
CAG-347: proxyexec socket directory moved from /var/run/proxyexec/cagefs.sock to /var/lib/proxyexec/cagefs.sock.
LIBLVE-8: improved security of pivot_root scheme.
proxyexec socket directory moved from /var/run/proxyexec/cagefs.sock to /var/lib/proxyexec/cagefs.sock.
LU-124: lvectl detects its function on install normally;
LU-114: /usr/bin/alt-php-mysql-reconfigure moved to alt-php-conf package;
LU-122: "mount --make-rprivate /" command added to lve_namespaces service;
LU-116: processpaneluserspackages run normally;
LU-113: kill_orphaned_php-cron job disabled with special config.
To update run:
yum update cagefs --enablerepo=cloudlinux-updates-testing
Note: if you use alt-php packages, please execute:
yum update alt-php-config --enablerepo=cloudlinux-updates-testing
The memory hardware issue "Rowhammer" was recently discovered to allow privilege escalation. The issue can be mitigated (at least in its current form) by preventing users from reading the /proc/$(pid)/pagemap, /proc/kpageflags and /proc/kpagecount files. Yet this protection is not available from RedHat, CentOS, or Parallels, and it is not part of the CloudLinux OS kernel either. The reason is that this protection prevents only the current implementation of the attack. Forcing customers to reboot to install a new kernel, only to release another new kernel a week later, is something most OS vendors don't want to do.
KernelCare, with its ability to patch the kernel on the fly, is perfectly suited to protect against such issues. We can update the kernel and fix security issues without the need for a reboot. This gives us a unique opportunity to patch and mitigate potential 'rowhammer' attacks within days, as they come.
Today we have released patches for RHEL, CentOS, CloudLinux 6 & PCS/VZ/OpenVZ that protect against the Rowhammer-related exploit. Debian, Ubuntu & RHEL/CentOS 7 patches will be released tomorrow.
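To confirm that the mitigation described above is in effect on a host, the following added example (not CloudLinux or KernelCare code) probes the three files as the calling user; run it from an unprivileged account, since root can always read them. It goes slightly beyond the text: later upstream kernels let unprivileged users open pagemap but return zeroed frame numbers, so the script reports that case as "pfn-hidden". The function names and verdict strings are this example's own.

```python
import ctypes, mmap, os, struct

PRESENT = 1 << 63          # pagemap bit 63: page is resident in RAM
PFN_MASK = (1 << 55) - 1   # pagemap bits 0-54: physical frame number

def classify_entry(raw8):
    """Classify one 8-byte pagemap entry without printing the frame number."""
    (entry,) = struct.unpack("=Q", raw8)
    if not entry & PRESENT:
        return "not-present"
    return "pfn-exposed" if entry & PFN_MASK else "pfn-hidden"

def read_entry(path, offset):
    """Try to read one 8-byte record; report how the kernel answered."""
    try:
        with open(path, "rb", buffering=0) as f:
            f.seek(offset)
            data = f.read(8)
    except FileNotFoundError:
        return "absent", b""
    except PermissionError:      # EACCES from file mode or EPERM from a patched kernel
        return "blocked", b""
    return ("readable", data) if len(data) == 8 else ("short-read", b"")

def audit(proc="/proc"):
    """Check the three files named in the announcement as the calling user."""
    results = {}
    for name in ("kpageflags", "kpagecount"):
        results[name] = read_entry(os.path.join(proc, name), 0)[0]
    buf = mmap.mmap(-1, mmap.PAGESIZE)
    buf[0] = 1                   # touch the page so it is present
    view = ctypes.c_char.from_buffer(buf)
    vaddr = ctypes.addressof(view)
    del view
    status, data = read_entry(os.path.join(proc, "self", "pagemap"),
                              vaddr // mmap.PAGESIZE * 8)
    buf.close()
    results["pagemap"] = classify_entry(data) if status == "readable" else status
    return results

if __name__ == "__main__":
    for name, verdict in audit().items():
        ok = verdict in ("blocked", "pfn-hidden", "absent")
        print(f"{name:12} {verdict:12} {'ok' if ok else 'REVIEW'}")
```

Any line marked REVIEW means an unprivileged user can still obtain the data the mitigation is meant to withhold.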