Blog


update for bash vulnerability CVE-2014-7169

The update fixes bash vulnerability CVE-2014-7169. Updated bash packages are available in all CloudLinux channels.

To update your server, please run:
$ yum clean all
$ yum update bash

update for bash remote vulnerability CVE-2014-6271

The bash remote vulnerability CVE-2014-6271 has been fixed, and updated bash packages are available in all CloudLinux channels.

To update your server, please run:
$ yum clean all
$ yum update bash

New customer interface available in CLN

We have recently been working on improving our CLN interface. We know it is not perfect, and we are making an effort to improve it. Finally, a new version of the UI is ready for testing. You can access it by logging in to cln.cloudlinux.com and clicking on "Try New UI" (you will be able to go back at any moment).

The new UI provides access to old invoices and makes it easy to add or remove servers & licenses.

Please try it and give us your feedback.

Beta: LVE Manager, lve-utils, lve-stats

The new version fixes an issue with the lvectl service introduced in the last beta, and improves compatibility with VZ/OpenVZ/PCS deployments.

Changelog:
lve-utils-1.4-31

  • LU-111: re-register lvectl service during update of lve-utils package
  • LU-110: lvectl package-list does not display EP limit correctly
  • LU-108: cldetectlib.py, cldetect: add detection of VZ/PCS/OpenVZ
lvemanager-0.8-1.45

  • LVEMAN-218 - don't display all limits when using VZ/PCS/OpenVZ in cPanel
lve-stats-0.10-38
  • LVEMAN-218 - don't display all limits when using VZ/PCS/OpenVZ
To update:
$ yum update lvemanager lve-utils lve-stats --enablerepo=cloudlinux-updates-testing

alt-php update for beta & production repositories


The changes include version updates for PHP 5.4 & 5.5. There are no other changes since this release:
http://www.cloudlinux.com/blog/clnews/533.php

Changelog:
To update production:
$ yum groupupdate alt-php
To update beta:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

Beta: IOPS, high precision CPU limits and more...


A new update for CageFS, liblve, lve-utils and LVE Manager is available from our beta repository. The major changes are the introduction of IO operations per second (IOPS) limits, high precision CPU limits (you can now set the speed with a precision as low as 1% of a single core, no matter how many cores), and the ability to specify by name the processes that need to be in LVE / CageFS.

Changelog:
CageFS 5.3-1
  • CAG-315: cagefsctl --rebuild-alt-php-ini reset some parameters to defaults (bugfix)
liblve-1.3-1.3
  • LIBLVE-7: enter to cagefs by process name
  • CAG-76: added new "splitted by username" mount type in cagefs.mp
  • support of hires cpu limit
lve-utils 1.4-27
  • LU-107: add --no-iops option to lvectl, getcontrolpaneluserslimits (for backward compatibility)
  • LU-100: lvetop should display CPU usage in terms of 'speed' setting
  • LU-97: lvectl set $LVE --iops $IOPS doesn't set IOPS parameter
  • LVEMAN-109: add handling of iops and speed (for proc version to cpanel/extension/cl_modify_pkg.py
  • add ability to change lve_ext template on cpanel
  • Added lve_namespaces service to record LVE namespaces on boot
  • LU-92: fix PID column in lveps -p output
  • show command names in the COM column
  • LU-91: add lve_namespaces service
  • LU-90: getcontrolpackages fail in DirectAdmin with broken cache file
  • ALTPHP-31:MariaDB 10 support in php-selector
python-cllib 1-21
  • LU-89: add base hook lib
  • PTCLLIB-16: add validate_cpu function
  • PTCLLIB-15 fix: Add /usr/sbin/lveps to /etc/sudoers
lvemanager 0.8-1.44
  • LVEMAN-223 - Add conflicts for PHP APCu module
  • LVEMAN-222: bugfixes for LVE Manager->packages in cPanel
  • LVEMAN-161: LVE Manager for cPanel: filter reseller packages correctly
  • LVEMAN-166: remove NCPU from LVE Manager for cPanel
  • LVEMAN-217: DirectAdmin LVE Manager for /proc/lve/list 8 : incorrect column values in settings, packages
  • LVEMAN-214: use --no-iops option in lvectl commands in LVE Manager for compatibility with new lve-utils
  • LVEMAN-212 fix: Defaults values in Edit package page are incorrect for Plesk -> LVE Manager
  • LVEMAN-211 fix: Accounts page fails in Plesk
lve-stats 0.10-37
  • LVESTATS-52: Graphs for small speed values are not created
  • LVESTATS-51: lvestats-server does not work on /proc/lve/list ver 4
  • LVESTATS-50: lvestats-server: calculate cpu limit correctly for /proc/lve/list ver 8
  • LVESTATS-37: mark parameters that were exceeded by users in notification e-mails for admin and resellers
  • LVESTATS-36: Wrong lveinfo data from MySQL on centralized server
  • LVESTATS-17: Record and manage IOPS
Update instructions:

$ yum update cagefs lvemanager lve-utils lve-stats --enablerepo=cloudlinux-updates-testing

Please note that this update will install a new kernel. A reboot is needed to enable all the new features, like high precision CPU speed limits and IOPS.

Beta: New CL6 & C5Hybrid kernel to fix inotify memory leak - corrected update


The last beta upgrade to 2.6.32-531.23.3.lve1.2.66 introduced a bug in the LVE kmod.
A new version of the kmod is available.

To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el6 lve-kmod-1.2-72.el6 --enablerepo=cloudlinux-updates-testing
To update CL5 hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el5h lve-kmod-1.2-72.el5h --enablerepo=cloudlinux-hybrid-testing


Don't forget to reboot your servers after update.

Beta: New CL6 & C5Hybrid kernel to fix inotify memory leak


A bug was introduced in 2.6.32-531.23.3.lve1.2.65 that causes a memory leak when inotify is used.
The new kernel 2.6.32-531.23.3.lve1.2.66 is available and solves the issue.
KernelCare patches are also available to close the memory leak without rebooting your server: https://groups.google.com/forum/#!topic/kernelcare-vz/_rQtGjSJays

More info on memory leak: https://bugzilla.openvz.org/show_bug.cgi?id=3068

To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el6 lve-kmod-1.2-71.el6 --enablerepo=cloudlinux-updates-testing

To update CL5 hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el5h lve-kmod-1.2-71.el5h --enablerepo=cloudlinux-hybrid-testing

KernelCare updates for CL6/5Hybrid, PCS/Virtuozzo/OpenVZ from RHEL 2.6.32-431.29.2 kernel

New patches for CL6/5Hybrid, PCS/Virtuozzo/OpenVZ kernels have been released to update them with the latest security fixes from the RHEL 2.6.32-431.29.2 kernel. The updates include a patch against a local DoS attack.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-0205, CVE-2014-3535, CVE-2014-3917, CVE-2014-4667

Details:
  • CVE-2014-0205 futex: refcount issue in case of requeue
    A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
  • CVE-2014-3535 vxlan: fix NULL pointer dereference
    A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface.
  • CVE-2014-3917 auditsc: audit_krule mask accesses need bounds checking
    An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.
  • CVE-2014-4667 sctp: Fix sk_ack_backlog wrap-around problem
    An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket from being made.

KernelCare updates CentOS and RHEL 6 kernel to 2.6.32-431.29.2

New patches for CentOS and RHEL 6 kernels have been released to update them up to 2.6.32-431.29.2. The updates include a patch against a local DoS attack.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update


CVEs: CVE-2014-0205, CVE-2014-3535, CVE-2014-3917, CVE-2014-4667

Details:
  • CVE-2014-0205 futex: refcount issue in case of requeue
    A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
  • CVE-2014-3535 vxlan: fix NULL pointer dereference
    A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface.
  • CVE-2014-3917 auditsc: audit_krule mask accesses need bounds checking
    An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.
  • CVE-2014-4667 sctp: Fix sk_ack_backlog wrap-around problem
    An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket from being made.

alt-php 5.6


The latest version of alt-php 5.6 is available in our production channel. We have also released support for LSAPI 6.7 from our beta repository.

Changelog for 'production' version:
To update:
$ yum groupupdate alt-php

Changelog for 'beta' version:

  • alt-php56 - 5.6.0 (Changelog)
  • LSAPI updated to 6.7 for php5.2 to 5.6
To update:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

We need examples of lve-stats database

We are running some performance testing for the next generation of lve-stats, and we need a real-life lve-stats database with a lot of data in it. We are interested in a database from a live, active CL6 server with 1000+ customers.

To send us the file (it will be big):
# service lvestats stop
# cp /var/lve/lveinfo.db /some_location_from_which_we_can_retrieve_it
# service lvestats start

Then send me an email at [email protected] explaining how we can pick up the file.

CL6/Hybrid kernel 2.6.32-531.23.3.lve1.2.65

New kernel for CL6/Hybrid is available.

Changelog:
To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el6 kmod-lve-1.2-69.el6

To update hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el5h kmod-lve-1.2-69.el5h

No update is needed for KernelCare customers.

Xen support for CentOS 5/RHEL 5 kernels

We have added Xen support for RHEL5/CentOS 5 kernels. Kernels from
kernel-xen-2.6.18-348.16.1 to kernel-xen-2.6.18-371.11.1 are supported.

Please, follow this guide to install KernelCare on RHEL5/CentOS 5 servers:
http://www.kernelcare.com/try_it/install.php

beta: LVE Manager update for Plesk

New beta release fixes two issues with Plesk discovered in the latest version.

lvemanager-0.8-1.32.5
  • LVEMAN-212 fix: Defaults values in Edit package page are incorrect for Plesk -> Lvemanager
  • LVEMAN-211 fix: Accounts page fails in Plesk
To update:
$ yum update lvemanager --enablerepo=cloudlinux-updates-testing

Production & beta: alt-php release


New versions of alt-php were released. Production channels have PHP versions updated for PHP 5.4 & 5.5.
The beta repository, in addition to version upgrades, has new mysqlnd support, updated Percona Server support & readline support enabled.

Changelog:
To update production version:
$ yum groupinstall alt-php

To update from beta:
$ yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing

Beta: CL6/Hybrid kernel 2.6.32-531.23.3.lve1.2.65

New beta kernel for CL6/Hybrid is available.

Changelog:
To update CL6 servers:

$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el6 kmod-lve-1.2-69.el6 --enablerepo=cloudlinux-updates-testing

To update hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el5h kmod-lve-1.2-69.el5h --enablerepo=cloudlinux-updates-testing

lve-utils, cagefs and LVE Manager updated

The new release contains a number of bug fixes and minor improvements.



Changelog:
lve-utils-1.4-18.10
  • LVEMAN-200 part2: refactor code, add handling of OSError exception
  • LU-102: improve DirectAdmin detection
  • LVEMAN-200 - LVEManager licensing screen should detect when license was updated
  • LU-105: getcontrolpaneluserspackages: do not fail when user has no package assigned on Plesk
  • LVEMAN-202: LVE Manager not showing limits on Plesk when subscription is without plan
  • LU-104: crons/kill_orphaned_php-cron: do not kill /home/interworx/bin/php processes
  • LU-103: backport of LU-99 task (encoding error in lvectl on DirectAdmin, Plesk)
  • LU-98: crons/kill_orphaned_php-cron: do not kill lsphp processes
cagefs-5.2-36.3
  • increased required version of lve-utils
  • CAG-312: /usr/sbin/cpanel-compile-suexec.sh fails to rebuild suexec
  • added --force-update-etc option to help message
  • CAG-296: do not write /etc/rsyslog.d/schroot.conf file on RPM update
  • CAG-302: cagefsctl --setup-cl-selector: specify path to native php.ini (using -c option) while executing php -qm
  • CAG-308: handle ClPwd.NoSuchUserException exception
  • CAG-310: do not change permissions of /etc/cagefs/custom.etc subdirectories and files
lvemanager-0.8-1.32.3
  • LVEMAN-205 fix: backport of LVEMAN-204 task (LVE Manager in Plesk fails if package names longer than 30 symbols)
  • LVEMAN-200 - LVEManager licensing screen should detect when license was updated
  • LVEMAN-198 - Add conflicts for PHP MySQLND modules
  • LVEMAN-197 fix: LVE Manager fails on Plesk old versions
To Update:
$ yum update cagefs lvemanager lve-utils

Beta: MySQL Governor 1.0-75

New version of MySQL Governor adds MariaDB 10.0 support, and adds a number of bug fixes and improvements.

Changelog:
  • Added support for MariaDB 10.0
  • DirectAdmin: read socket options from mysql.conf
  • DirectAdmin: fix issue with user without UID in dbuser-map
  • Added request logging before restrict
  • Detect and remove percona packages on install
To update:

$ yum update governor-mysql --enablerepo=cloudlinux-updates-testing
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install

To install, follow: http://docs.cloudlinux.com/index.html?installation3.html

To switch to MariaDB 10.0:
$ /usr/share/lve/dbgovernor/db-select-mysql --mysql-version=mariadb100
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install-beta

To enable request logging before restrict, edit the file
/etc/container/mysql-governor.xml
and set <logqueries use="before"></logqueries>
then restart governor.

Beta: alt-php update

A new update for alt-php is available from our beta repository.

Changelog:
To update:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

KernelCare - update for PCS, Virtuozzo, OpenVZ, CentOS/RHEL/CloudLinux 6

New patches provide a fix for PSBM-27792 for all VZ kernels, as well as PSBM-28403 for 2.6.32-042stab092.1 to 2.6.32-042stab092.3 kernels. It brings all the kernels in line with the latest vzkernel-2.6.32-042stab083.4 kernel.
CentOS/RHEL/CL 6 systems are patched against CVE-2014-2706.
Additionally, we are starting to display the effective kernel number with a '+' at the end, to designate that the kernel was patched beyond the latest stable kernel.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-2706

Details:
  • CVE-2014-2706 mac80211: fix AP powersave TX vs. wakeup race
    A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system.
  • PSBM-27792, #2644 - ve/net/netfilter/ipset: prohibit ipset from the inside CT
    Fixes a netfilter denial-of-service vulnerability in the ipset netfilter module.
  • PSBM-28403, #3035 sched: fix output of vestat:idle
    /proc/vz/vestat IDLE cpu usage information was not virtualized, providing information for the whole hardware node instead of the individual container.

Revised: lve-stats, lve-utils, cagefs and LVE Manager updated

[corrected Aug 18, 2014]

This is a correction to the announcement from August 14th. Only the lve-stats package had been released to production. The rest of the packages were released to the beta repository.

To update lve-stats, please run:
$ yum update lve-stats

To update all other packages, run:
$ yum update cagefs lvemanager lve-utils --enablerepo=cloudlinux-updates-testing

Changelog:
lve-stats-0.10-31.7
  • LVESTATS-41: statsnotify-cron is set incorrectly
  • LVESTATS-47: Added json dumping; added lve destroyer; don't print anything when destroying LVE
lve-utils-1.4-18.10
  • LVEMAN-200 part2: refactor code, add handling of OSError exception
  • LU-102: improve DirectAdmin detection
  • LVEMAN-200 - LVEManager licensing screen should detect when license was updated
  • LU-105: getcontrolpaneluserspackages: do not fail when user has no package assigned on Plesk
  • LVEMAN-202: LVE Manager not showing limits on Plesk when subscription is without plan
  • LU-104: crons/kill_orphaned_php-cron: do not kill /home/interworx/bin/php processes
  • LU-103: backport of LU-99 task (encoding error in lvectl on DirectAdmin, Plesk)
  • LU-98: crons/kill_orphaned_php-cron: do not kill lsphp processes
cagefs-5.2-36.3
  • increased required version of lve-utils
  • CAG-312: /usr/sbin/cpanel-compile-suexec.sh fails to rebuild suexec
  • added --force-update-etc option to help message
  • CAG-296: do not write /etc/rsyslog.d/schroot.conf file on RPM update
  • CAG-302: cagefsctl --setup-cl-selector: specify path to native php.ini (using -c option) while executing php -qm
  • CAG-308: handle ClPwd.NoSuchUserException exception
  • CAG-310: do not change permissions of /etc/cagefs/custom.etc subdirectories and files
lvemanager-0.8-1.32.3
  • LVEMAN-205 fix: backport of LVEMAN-204 task (LVE Manager in Plesk fails if package names longer than 30 symbols)
  • LVEMAN-200 - LVEManager licensing screen should detect when license was updated
  • LVEMAN-198 - Add conflicts for PHP MySQLND modules
  • LVEMAN-197 fix: LVE Manager fails on Plesk old versions

Beta: New CL6 and Hybrid Kernel

New beta kernel kernel-2.6.32-531.17.1.lve1.2.63 is available.

Changelog:
  • rebase to vzkernel-2.6.32-042stab092.3;
  • jbd2: drop checkpoint mutex when waiting in __jbd2_log_wait_for_space();
To update:
CL6:
$ yum install kernel-2.6.32-531.20.3.lve1.2.64.el6 kmod-lve-1.2-68.el6 --enablerepo=cloudlinux-updates-testing

Hybrid:
$ yum install kernel-2.6.32-531.20.3.lve1.2.64.el5h kmod-lve-1.2-68.el5h --enablerepo=cloudlinux-hybrid-testing

KernelCare update for CentOS/RHEL 7, CentOS/RHEL 5, and CloudLinux hybrid kernel

CentOS/RHEL 7 kernels are patched to the latest 3.10.0-123.6.3 kernel.
CentOS/RHEL 5 kernel patches were updated to correctly handle systems with aacraid devices.
CloudLinux 5 hybrid kernel patches were updated to correctly handle stuck khungtask threads.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-0181, CVE-2014-2672, CVE-2014-2706, CVE-2014-4667

Details:
  • CVE-2014-0181 net: Use netlink_ns_capable to verify the permissions of netlink messages
    It was found that the permission checks performed by the Linux kernel when a netlink message was received were not sufficient. A local, unprivileged user could potentially bypass these restrictions by passing a netlink socket as stdout or stderr to a more privileged process and altering the output of this process.
  • CVE-2014-2672 ath9k: protect tid->sched check
    It was found that a remote attacker could use a race condition flaw in the ath_tx_aggr_sleep() function to crash the system by creating large network traffic on the system's Atheros 9k wireless network adapter.
  • CVE-2014-2706 mac80211: fix AP powersave TX vs. wakeup race
    A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system.
  • CVE-2014-4667 sctp: Fix sk_ack_backlog wrap-around problem
    The sctp_association_free function in net/sctp/associola.c does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet.

beta: mod_lsapi 0.1-58


A new beta version of mod_lsapi is available.

Changelog:
  • Bugfix: fix httpd crash due to NULL server-var bug
  • Added lsapi_use_default_uid, lsapi_target_perm, lsapi_user_group & lsapi_uid_gid parameters
  • Increased default values for lsapi_backend_connect_timeout and lsapi_backend_connect_tries
  • bugfix: do not rewrite lsapi.conf on easyapache --build
To update:
cPanel:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ yum update cpanel-mod-lsapi --enablerepo=cloudlinux-updates-testing

DirectAdmin:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ cd /usr/local/directadmin/custombuild
$ ./build update
$ ./build apache

RPM based:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ yum update mod_lsapi --enablerepo=cloudlinux-updates-testing

More info:
http://docs.cloudlinux.com/index.html?installation_mod_lsapi.html
