Blog

New version of LVE Manager 0.5-70 was released to production featuring large number of bug fixes and improvements

Changelog:

• cl-selector: added option --update-backup to backup PHP settings
  
• PHP Selector: fixed module-0 does not error in Firefox 19
  
• WHM: fixed crash on attempt to reset user's settings
  
• WHM: non-relevant fields are no hidden in forms for CL5
  
• WHM: Obsolete files  removed (patches for index.html)
  
• WHM: fixed error in LVE reset parameters naming
  
• PHP Selector: correctly save user settings to home directory on update
  
• WHM: correctly show memory columns values in stats
  
• cPanel 11.36: fixed shebang string
  
• PHP Selector: use ids instead of names to select modules
  
• ISP Manager: correctly parse lvectl output
  
• WHM: Correctly aply edit forms settings
  
• WHM: fixed 'Current Usage' tab scrolling
  
• cPanel: correctly display chart on Resource Usage page
  
• cPanel: don't show table, if there is no data
  
• cPanel: fixed cpanel.config processing
  
• PHP Selector: Improved php-extensions pop-ups, notifications
  
• PHP Selector: don't show disabled PHP versions to end user
  
• DirectAdmin: Added formated output of lveps
  

lve-utils 1.2-5

• Added /usr/bin/alt-php-mysql-reconfigure to reconfigure MySQL modules for PHP Selector
  
• Added detection of DA admin user.
  
• Added PostgreSQL detection
  
• Added LiteSpeed detection
  
• Added H-Sphere deteciton
  
• SecureLinks kernel settings will be automatically updated based on control panel
  

To update:
$ yum update lvemanager lve-utils

The updates for alt-php used by PHP Selector had been moved to production repository. PHP 5.5, 5.4 & 5.3 were updated. ffmpeg-php was ported to compile on latest versions of CloudLinux.

Change Log:
Version PHP 5.5.0 Alpha 5

- Core:
  . Implemented FR #64175 (Added HTTP codes as of RFC 6585). (Jonh Wendell)
  . Fixed bug #64135 (Exceptions from set_error_handler are not always
    propagated). (Laruence)
  . Fixed bug #63830 (Segfault on undefined function call in nested generator).
    (Nikita Popov)
  . Fixed bug #60833 (self, parent, static behave inconsistently
    case-sensitive). (Stas, mario at include-once dot org)
  . Implemented FR #60524 (specify temp dir by php.ini). (ALeX Kazik).
  . Fixed bug #64142 (dval to lval different behavior on ppc64). (Remi)
  . Added ARMv7/v8 versions of various Zend arithmetic functions that are
    implemented using inline assembler (Ard Biesheuvel)

- CLI server:
  . Fixed bug #64128 (buit-in web server is broken on ppc64). (Remi)

- cURL:
  . Implemented FR #46439 - added CURLFile for safer file uploads.
    (Stas)

- Intl:
  . Cherry-picked UConverter wrapper, which had accidentaly been committed only
    to master.

- mysqli
  . Added mysqli_begin_transaction()/mysqli::begin_transaction(). Implemented all
    options, per MySQL 5.6, which can be used with START TRANSACTION, COMMIT
and ROLLBACK through options to mysqli_commit()/mysqli_rollback() and their
respective OO counterparts. They work in libmysql and mysqlnd mode. (Andrey)
  . Added mysqli_savepoint(), mysqli_release_savepoint(). (Andrey)

- mysqlnd
  . Add new begin_transaction() call to the connection object. Implemented all
    options, per MySQL 5.6, which can be used with START TRANSACTION, COMMIT
and ROLLBACK. (Andrey)
  . Added mysqlnd_savepoint(), mysqlnd_release_savepoint(). (Andrey)

- Sockets:
  . Added recvmsg() and sendmsg() wrappers. (Gustavo)
    See https://wiki.php.net/rfc/sendrecvmsg

- Filter:
  . Implemented FR #49180 - added MAC address validation. (Martin)

- SNMP:
  . Fixed bug #64124 (IPv6 malformed). (Boris Lytochkin)




Version 5.4.12

• Core:
  • Fixed bug #64099 (Wrong TSRM usage in zend_register_class alias).
    
  • Fixed bug #64011 (get_html_translation_table() output incomplete with HTML_ENTITIES and ISO-8859-1).
    
  • Fixed bug #63982 (isset() inconsistently produces a fatal error on protected property).
    
  • Fixed bug #63943 (Bad warning text from strpos() on empty needle).
    
  • Fixed bug #63899 (Use after scope error in zend_compile).
    
  • Fixed bug #63893 (Poor efficiency of strtr() using array with keys of very different length).
    
  • Fixed bug #63882 (zend_std_compare_objects crash on recursion).
    
  • Fixed bug #63462 (Magic methods called twice for unset protected properties).
    
  • Fixed bug #62524 (fopen follows redirects for non-3xx statuses).
    
  • Support BITMAPV5HEADER in getimagesize().
    
  
  

• Date:
  
• Fixed bug #63699 (Performance improvements for various ext/date functions).
  
• Fixed bug #55397 Comparsion of incomplete DateTime causes SIGSEGV.
  

• FPM:
  
• Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11).
  

• Litespeed:
  
• Fixed bug #63228 (-Werror=format-security error in lsapi code).
  

• sqlite3:
  
• Fixed bug #63921 (sqlite3::bindvalue and relative PHP functions aren't using sqlite3_*_int64 API).
  

• PDO_OCI
  
• Fixed bug #57702 (Multi-row BLOB fetches).
  
• Fixed bug #52958 (Segfault in PDO_OCI on cleanup after running a long testsuite).
  

• PDO_sqlite:
  
• Fixed bug #63916 (PDO::PARAM_INT casts to 32bit int internally even on 64bit builds in pdo_sqlite).
  

Version 5.3.22

• Zend Engine:
  • Fixed bug #64099 (Wrong TSRM usage in zend_Register_class alias).
    
  • Fixed bug #63899 (Use after scope error in zend_compile).
    
  
  

• Core:
  • Fixed bug #63943 (Bad warning text from strpos() on empty needle).
    
  
  

• Date:
  • Fixed bug #55397 (comparsion of incomplete DateTime causes SIGSEGV).
    
  
  

• FPM:
  • Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11).
    
  
  

• SPL:
  • Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended).
    
  
  

Additionally we ported and added php-ffmpeg support, ported sources  and made them available at https://github.com/CloudLinux-dev/php-ffmpeg



To update: 
$ yum groupupdate alt-php

New kernel is available from our beta repositories. It is rebase to latest upstream kernel 042stab074.9 that fixes several IO related issues.

To update CL6 servers:
$ yum install kernel-2.6.32-379.22.1.lve1.2.13.el6 --enablerepo=cloudlinux-updates-testing

To update hybrid servers:
$ yum install kernel-2.6.32-379.22.1.lve1.2.13.el5h --enablerepo=cloudlinux-hybrid-testing

New beta version of CageFS is available from our cloudlinux-updates-testing repository. It features several bug fixes and improvements.

CageFS 4.0-13 Change Log:

• Bugfix: do not overwrite custom etc files per user
  
• added PHP config files directadmin.native.conf, iworx.native.conf, ispmanager.native.conf
  
• Bugfix: cagefsctl: do not drop permissions when user has no write permission to the parent directory
  
• Bugfix: cagefs_postmodifyacct_hook.pl: update etc directory of a user
  
• Bugfix: cagefsctl: compare_etc_templates(): correctly compare symlinks
  
• Bugfix: cagefsctl --setup-cl-selector: update etc directories of users only if needed
  
• Bugfix: cagefsctl: execute shutil.copystat() after modification of template of group file in function remove_unwanted_users_from_groups()
  
• added packages libmm, freetype, freetype-devel, curl, curl-devel, libssh2, GeoIP, cyrus-sasl, ffmpeg-libs to CageFS
  
• Bugfix: cagefsctl --setup-cl-selector: do not fail on symlinks (resolve realpath)
  

liblve 4.0-13 Change Log:
- jail.c: correctly match home dirictory path against regexp when mount_base=1


To update:$ yum update cagefs --enablerepo=cloudlinux-updates-testing

New beta kernel for CloudLinux 5.x is available. It features: Kernel level SecureLinks implementation Ability to block ptrace calls from end users

To update:
$ yum install kernel-2.6.18-408.8.2.el5.lve0.8.62 --enablerepo=cloudlinux-updates-testing

Many of you are aware of SSHD exploit going around hosting comunity. It seems to affect servers running CloudLinux, CentOS & cPanel.

There are also reports of DirectAdmin, Plesk & non-RHEL based distributions being affected.
Detailed discussion can be found here: http://www.webhostingtalk.com/showthread.php?t=1235797

We believe the exploit is done via SSH server.

So far we know:

• Rootkit deposits files /lib64/libkeyutils.so.1.9 on 64bit systems and /lib/libkeyutils.so.1.9 on 32bit systems
  
• It changes link: /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to that library.
  

We believe this library is:

• stealing passwords, ssh keys & /etc/shadow from the system
  
• used as a backdoor to access server at any time
  
• send spam
  

We have seen the change in the payload over time. Hacker has full root access, and can do absolutely anything with the server.
We have  noticed that once cleaned up, servers often get re-infected.

You can see if your server is infected by running:
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

To clean up libkeyutils library.
USE IT AT YOUR OWN RISK, THE SCRIPT WASN'T FULLY TESTED
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash

and reboot the server.

To protect against being re-infected again we recommend completely firewalling SSH from internet, allowing access only from your IP. Change your passwords for SSH, WHM and any other admin passwords you are using on that server.

New beta version of CageFS is available.

CageFS 4.0-11 changelog:

• cagefshooks.py: fixed indentation bug in function user_del_hook_install(), added better handling of exceptions
  
• RPM: execute cagefsctl --hook-install, cagefsctl --hook-remove
  
• RPM: added detection for CXS
  
• RPM: install/remove userdel.cagefs hook for Plesk compatibility
  
• cagefs_posteasyapache_hook.sh: detect if suphp is enabled
  
• RPM: increased lve-utils version (dependency)
  
• RPM: skip execution of "service cagefs restart" on upgrade of the package when not necessary
  
• RPM: minimized the number of calls of "cagefsctl --remount-all"
  
• RPM: restart proxyexec service on update of the packag
  
• Bugfix cagefsctl: do not restart proxyexec service when remounting user
  
• added support for rsyslog
  
• added config file (/etc/cl.selector/native.conf) that should specify locations of native php files for different control panels
  
• added config files cpanel.native.conf, plesk.native.conf
  
• cagefsctl: added ability to substitute php files in /etc directory (PHP Selector improvement)
  
• set current working directory (passed from wrappers) before execution of a command via proxyexec
  
• "cagefsctl --set-update-period 0" disables checking of period of update
  
• cagefs_postupcp_hook.sh: execute "cagefsctl --force-update" instead of "cagefsctl --update"
  
• cagefs_posteasyapache_hook.sh: update cagefs-skeleton after execution of EasyApache
  
• binutils.cfg: added /usr/bin/GET
  
• cagefsctl: disable CageFS automatically while execution of "cagefsctl --reinit" in order to prevent error 500
  
• added default packages to CageFS: ghostscript, fontconfig, fontpackages-filesystem, perl-Text-PDF, pdf-tools, perl-PDF-Reuse
  

lve-utils 1.2.2 changelog

• cldetect: added mod_suphp check for  cPanel.
  
• cldetect: added CXS detection
  
• cldetect: added script to detect and return control panel and its version
  
• removed getcontrolpanel.py
  

To update:
$ yum update cagefs lve-utils --enablerepo=cloudlinux-updates-testing

We will be performing updates to our helpdesk system between 3am and 5am EST. It might be unavailable during that time period.

Sorry for the inconvenience.

The new version of LVE manager provides better cPanel 11.36 integration, 

Changelog for lvemanager 0.5-63:

• cPanel: fixed form layouts for various browsers by basing forms layout on tables to prevent field overlap
  
• cPanel: fixed shebang string to support cPanel 11.36
  
• cPanel: fixed end user PHP selector javascript that could fail in some cases due to using names instead of element ids
  
• cl-selector: added extension sorting on output
  
• cl-selector: added ability to determine PHP version selected by end user
  

To update:
$ yum update lvemanager --enablerepo=cloudlinux-updates-testing

New beta version of LVE Manager is available. It features number of bug fixes and improvements for cPanel & PHP Selector.


Changelog for lvemanager-0.5-61

• cPanel 11.36 support
  
• Improved PHP selector interface
  
• Fixed issues with LVE Manager layout when scaling browser window
  
• Disabled PHP versions removed from PHP Selector list
  
• cl-selector tools rewritten for better reliability
  

To update CL5 servers:
$ yum update lvemanager-0.5-61.el5 --enablerepo=cloudlinux-updates-testing

To update CL6 servers:
$ yum update lvemanager-0.5-61.el6 --enablerepo=cloudlinux-updates-testing

New beta kernel fixes a rare bug in memory subsystem that was affecting all CloudLinux kernel versions starting with lve1.1.9. The bug can cause kernel panic affected kernels.

The kernel is based on 2.6.32-379.19.1.lve1.2.6.el6 kernel.


To update CL6 servers:
 # yum install kernel-2.6.32-379.19.1.lve1.2.7.el6 --enablerepo=cloudlinux-updates-testing

To update hybrid servers:
# yum install kernel-2.6.32-379.19.1.lve1.2.7.el5h --enablerepo=cloudlinux-hybrid-testing