Blog

Beta: Updated version of OptimumCache released

OptimumCache 0.2-5 is available from our updates-testing repository.

Changelog:

- fixed version number in "service optimumcache version" command output;
- added command NOIMMSYNC=1 (enabled by default in file /etc/sysconfig/optimumcache) for eliminating frequent sync to address IO performance.

To update run:
# yum update optimumcache --enablerepo=cloudlinux-updates-testing
If IO wait is high on the server, add NOIMMSYNC=1 to /etc/sysconfig/optimumcache and restart optimumcache.

To install run:
# yum update optimumcache --enablerepo=cloudlinux-updates-testing

More information at: http://docs.cloudlinux.com/index.html?optimumcache.html

KernelCare: Patches for CentOS/RHEL/CloudLinux 6 and PCS/Virtuozzo/OpenVZ kernels

[This patchset was re-released on Oct 21st with a fix for people running e1000e cards]

CentOS/RHEL/CloudLinux 6 kernels, as well as PCS/Virtuozzo/OpenVZ and CloudLinux 5 hybrid kernels were patched against multiple vulnerabilities fixed in RHEL 2.6.32-504 kernel.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-4608, CVE-2014-3122, CVE-2013-2596, CVE-2014-5045

Details:
  • CVE-2014-4608 lzo1x_decompress_safe() integer overflow
    The lzo decompressor can, if given some really crazy data, possibly overrun some variable types. Modify the checking logic to properly detect overruns before they happen.
  • CVE-2014-3122 mm: try_to_unmap_cluster() should lock_page() before mlocking
    It was found that the try_to_unmap_cluster() function in the Linux kernel's Memory Management subsystem did not properly handle page locking in certain cases, which could potentially trigger the BUG_ON() macro in the mlock_vma_page() function. A local, unprivileged user could use this flaw to crash the system.
  • CVE-2013-2596 integer overflow in fb_mmap
    An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system.
  • CVE-2014-5045 vfs: refcount issues during unmount on symlink
    A flaw was found in the way the Linux kernel's VFS subsystem handled reference counting when performing unmount operations on symbolic links. A local, unprivileged user could use this flaw to exhaust all available memory on the system or, potentially, trigger a use-after-free error, resulting in a system crash or privilege escalation.

Alt-PHP update for beta & production

Beta and production versions of alt-php 5.6 were updated to version 5.6.1.

The beta version applies to the following beta release:
http://www.cloudlinux.com/blog/clnews/557.php

Changelog:
To update for beta run:
yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

To update for production run:
yum groupupdate alt-php

Beta: OptimumCache 0.2


New version of OptimumCache 0.2 is available from our updates-testing repository.
New OptimumCache is able to exclude folders (like mail) from caching and provides a tool for Ploop management.

Exclude folders from caching
Excluding folders from caching spares the processor the extra work of caching needless directories. You can check the list of folders that will be excluded from caching in this version by running:

# occtl --list-skip-mask

A list of regular expressions (POSIX Extended Regular Expressions) will be shown. If you would like to make changes here, do it via 'occtl --add-skip-mask/--remove-skip-mask' or by manually editing the files in /etc/container/optimumcache/ignore.d/

For your changes to skip masks to take effect system wide, run 'occtl --check'. That operation might be time consuming, depending on the size of what has been marked for caching before. You might even consider scheduling this operation via the 'batch' command.

Tool for Ploop management
Ploop is available for kernels lve1.2.55 and higher.
The new version of OptimumCache provides a new tool that simplifies ploop management. Ploop has been present in OptimumCache since version 0.1-20. If you installed a version prior to 0.1-19 and then upgraded to a higher version, ploop is not in use by default. The command to turn it on:

# occtl --init-ploop

In this release we’ve got some new commands for Ploop. You might find these useful.

Moving ploop image to another location:
# occtl --move-ploop /path/to/new/image/file [size[KMGT]]
# rm -rf /path/to/old/ploop/image/file

Resizing:
# occtl --resize-ploop new_size[KMGT]

Disabling ploop, and using partition instead:
# occtl --disable-ploop

or to revert back:
# occtl --enable-ploop

Ploop is mounted automatically at service start. No need to create mount point in /etc/fstab.

More information at: http://docs.cloudlinux.com/index.html?optimumcache.html

To update
# yum update optimumcache --enablerepo=cloudlinux-updates-testing

To install
# yum update optimumcache --enablerepo=cloudlinux-updates-testing

KernelCare support for CloudLinux 5.x

KernelCare support for CloudLinux 5 is available now (64bit only). Kernels from 2.6.18-448.16.1.lve0.8.70.el5 to 2.6.18-498.lve0.8.77.el5 are supported.

Beta: alt-php updated

Multiple updates for alt-php in our beta repository:

Changelog:
  • added alt-firebird package;
  • added firebird/interbase extensions;
  • added APCu extension;
  • updated PECL extensions:
  • yaf updated to 2.3.2;
  • mongo updated to 1.5.7;
  • ZendOpcache updated to 7.0.3;
  • xdebug updated to 2.2.5;
  • timezonedb updated to 2014.7;
  • igbinary updated to 1.2.1;
  • doublemetaphone to 1.0.1.
To update run:
$ yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing

Beta: CL6/Hybrid kernel 2.6.32-531.23.3.lve1.3.6

A new kernel for CL6/Hybrid is available from our beta repository. The kernel provides major updates and a set of new features over lve-1.2. As such, the version was increased to lve 1.3.x.

Changelog:
  • high precision CPU limits (precision of 1% of a core speed is possible);
  • IOPS limit support;
  • LVE/CageFS support by process name;
  • fixes for the issue with off by 1 load average introduced in previous beta kernel.
Put loadavg thread into interruptible sleep

To update CL6 servers run:
$ yum install kernel-2.6.32-531.23.3.lve1.3.6.el6 lve-kmod-1.3-6.el6 --enablerepo=cloudlinux-updates-testing

To update hybrid servers run:
$ yum install kernel-2.6.32-531.23.3.lve1.3.6.el5h lve-kmod-1.3-6.el5h --enablerepo=cloudlinux-updates-testing,cloudlinux-hybrid-testing

Beta: CageFS, LVE Manager, LVE Stats, LVE Utils updated

New versions of cagefs 5.3-2, lvemanager 0.8-1.47, lve-utils 1.4-32, lve-stats 0.10-39, python-cllib 1.1-2 are available from our updates-testing repository.

Changelog:

cagefs 5.3-2
  • CAG-322: the error while installing CGI Wrapper for Plesk fixed.
lvemanager 0.8-1.47
  • LVEMAN-228: number fields outputted coincide with quantity of columns;
  • LVEMAN-227: 'SPEED' column header in cPanel now contains “%” sign;
  • LVEMAN-226: 'submit' tag input fixed in Resource Usage page on cPanel;
  • LVEMAN-226: DirectAdmin: Fix for LVE Manager error on LVE v8;
  • LVEMAN-225: Plesk: Fix for LVE Manager error on LVE v8.
lve-stats 0.10-39
  • LVESTATS-54: the typo in lveinfo json reply fixed.
lve-utils 1.4-32
  • LU-109: settings for /proc/lve/enter are now stored in /etc/container/ve.cfg.
python-cllib 1.1-2
  • python-simplejson added as dependency;
  • PTCLLIB-18: a universal API for control panel integration was provided, general use functions added in python-cllib;
  • added ability to save changes to config files in python library;
  • added ability to read config file with case sensitivity;
  • PTCLLIB-17: class for logging was added.
To update:
$ yum update lvemanager lve-utils lve-stats --enablerepo=cloudlinux-updates-testing

Beta: New CloudLinux 5 Kernel 2.6.18-498.el5.lve0.8.77

New CloudLinux 5 kernel is available from our beta repository.

Changelog:
To update:
$ yum install kernel-2.6.18-498.el5.lve0.8.77 --enablerepo=cloudlinux-updates-testing

Beta: Better fix for Shellshock bash vulnerability

As the Shellshock vulnerability keeps giving, we have been working on protecting our customers with something more durable than band-aid patches.

The problem with Shellshock is that bash allows function imports via environment variables. It tries to parse them, and even execute them. As the bash parser is complex and not bulletproof, more and more vulnerabilities are being found, some of them reported to be as dangerous as the first one.

After careful consideration we decided to go the way OpenBSD & FreeBSD already took, and disable function imports via environment variables by default.
It might break some scripts that rely on that, but our hope is that none of those scripts run in a typical shared hosting environment.

We have yet to push updated bash packages into the production repository. For now they are available only from our beta repository. As we collect more feedback from our customers (or in case another dangerous exploit becomes public), we will push this version of bash to production channels.

To update:
$ yum update bash --enablerepo=cloudlinux-updates-testing

If you still need to import functions from environment variables, you can run bash with the --import-functions flag:
$ bash --import-functions
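
The import mechanism described above, seen from the defender's side (an added example, not CloudLinux code): pre-hardening bash treats an environment value that begins with `() {` as a function definition, so this POSIX shell sketch flags such variables in a /proc/<pid>/environ-style dump and probes whether the installed bash still imports them. The function names and the sample data are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not CloudLinux code); names and sample data are constructed.

# Print the name of every variable in a NUL-separated environment dump
# (the /proc/<pid>/environ format) whose value starts with "() {", the
# prefix that pre-hardening bash treats as an exported function definition.
find_function_imports() {
    tr '\0' '\n' < "$1" | while IFS= read -r entry; do
        case "$entry" in
            *=*) ;;            # well-formed NAME=value entry
            *)   continue ;;   # continuation line of a multi-line value
        esac
        name=${entry%%=*}      # text before the first "="
        value=${entry#*=}      # text after the first "="
        case "$value" in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# Report every running process whose environment carries such a variable.
# Run as root to be able to read the environment of all processes.
audit_processes() {
    for environ in /proc/[0-9]*/environ; do
        [ -r "$environ" ] || continue
        hits=$(find_function_imports "$environ" 2>/dev/null)
        [ -n "$hits" ] || continue
        pid=${environ#/proc/}
        pid=${pid%/environ}
        printf 'pid %s: %s\n' "$pid" "$(echo $hits)"
    done
}

# Return 0 if the installed bash still turns a legacy-encoded variable into
# a function. The probe function body is a no-op.
bash_imports_functions() {
    env probe_fn='() { :; }' bash -c 'type probe_fn' >/dev/null 2>&1
}

# Constructed sample: two function-shaped values among ordinary variables.
write_sample() {
    printf 'PATH=/usr/bin\0HTTP_USER_AGENT=() { :; }\0LANG=C\0' > "$1"
    printf 'greet=() { echo hi; }\0NOTE=f() { is not at the start\0' >> "$1"
}

sample=$(mktemp)
write_sample "$sample"
echo "function-shaped variables in the constructed sample:"
find_function_imports "$sample"
rm -f "$sample"

if bash_imports_functions; then
    echo "bash imports functions from the environment"
else
    echo "bash does not import legacy-encoded functions"
fi
```

With the updated bash package from this post, the probe should report no import unless bash is started with --import-functions.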

New CL6 & C5Hybrid kernel to fix inotify memory leak

Kernel 2.6.32-531.23.3.lve1.2.66, which fixes the inotify memory leak, has been moved to production.

To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el6 lve-kmod-1.2-72.el6
To update CL5 hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el5h lve-kmod-1.2-72.el5h

If you are using KernelCare, no updates are necessary. Your server was already patched.

Multiple KernelCare updates

New patches have been released for multiple kernels:
  • Support for latest CL6/CL5 hybrid kernel 2.6.32-531.23.3.lve1.2.66
  • patches for CL5 hybrid kernel were re-compiled to ignore do_signal_stop symbol
  • CentOS5/RHEL5 patches were recompiled to ignore tcp_recvmsg symbol
  • CVE-2014-5077 patch was added for RHEL6/CentOS6 2.6.32-431.23.3, 2.6.32-431.29.2 and PCS/OpenVZ/Virtuozzo 042stab093.4 kernels
  • PSBM-25929 fix for ext4: Add ioctl EXT4_IOC_SET_RSV_BLOCKS v2 was added for PCS/OpenVZ/Virtuozzo 042stab090.x kernels
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-5077

Details:
  • CVE-2014-5077 net: SCTP: NULL pointer dereference
    A Linux kernel built with support for the Stream Control Transmission Protocol (CONFIG_IP_SCTP) is vulnerable to a NULL pointer dereference flaw. It could occur when simultaneous new connections are initiated between the same pair of hosts.
    A remote user/program could use this flaw to crash the system kernel resulting in DoS.

update for bash vulnerability CVE-2014-7169

The update fixes bash vulnerability CVE-2014-7169. Updated bash packages are available in all CloudLinux channels.

To update your server, please run:
$ yum clean all
$ yum update bash

update for bash remote vulnerability CVE-2014-6271

The bash remote vulnerability CVE-2014-6271 has been fixed, and updated bash packages are available in all CloudLinux channels.

To update your server, please run:
$ yum clean all
$ yum update bash

New customer interface available in CLN

We have recently been working on improving our CLN interface. We know it is not perfect, and we are making an effort to improve it. Finally, a new version of the UI is ready for testing. You can access it by logging in to cln.cloudlinux.com and clicking on "Try New UI" (you will be able to go back at any moment).

The new UI provides access to old invoices and allows you to easily add or remove servers & licenses.

Please, try it -- and give us your feedback.

Beta: LVE Manager, lve-utils, lve-stats

The new version fixes an issue with the lvectl service introduced in the last beta, and improves compatibility with VZ/OpenVZ/PCS deployments.

Changelog:
lve-utils-1.4-31

  • LU-111: re-register lvectl service while update of lve-utils package
  • LU-110: lvectl package-list does not display EP limit correctly
  • LU-108: cldetectlib.py, cldetect: add detection of VZ/PCS/OpenVZ
lvemanager-0.8-1.45

  • LVEMAN-218 - don't display all limits when using VZ/PCS/OpenVZ in cPanel
lve-stats-0.10-38
  • LVEMAN-218 - don't display all limits when using VZ/PCS/OpenVZ
To update:
$ yum update lvemanager lve-utils lve-stats --enablerepo=cloudlinux-updates-testing

alt-php update for beta & production repositories


The changes include version updates for PHP 5.4 & 5.5. There are no other changes since this release:
http://www.cloudlinux.com/blog/clnews/533.php

Changelog:
To update production:
$ yum groupupdate alt-php
To update beta:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

Beta: IOPS, high precision CPU limits and more...


A new update for CageFS, liblve, lve-utils and LVE Manager is available from our beta repository. The major changes are the introduction of IO operations per second limits, high precision CPU limits (you can now set speed precision as low as 1% of a single core, no matter how many cores), and the ability to specify by name the processes that need to be in LVE / CageFS.

Changelog:
CageFS 5.3-1
  • CAG-315: cagefsctl --rebuild-alt-php-ini reset some parameters to defaults (bugfix)
liblve-1.3-1.3
  • LIBLVE-7: enter to cagefs by process name
  • CAG-76: added new "splitted by username" mount type in cagefs.mp
  • support of hires cpu limit
lve-utils 1.4-27
  • LU-107: add --no-iops option to lvectl, getcontrolpaneluserslimits (for backward compatibility)
  • LU-100: lvetop should display CPU usage in terms of 'speed' setting
  • LU-97: lvectl set $LVE --iops $IOPS doesn't set IOPS parameter
  • LVEMAN-109: add handling of iops and speed (for proc version to cpanel/extension/cl_modify_pkg.py
  • add ability to change lve_ext template on cpanel
  • Added lve_namespaces service to record LVE namespaces on boot
  • LU-92: fix PID column in lveps -p output
  • show command names in the COM column
  • LU-91: add lve_namespaces service
  • LU-90: getcontrolpackages fail in DirectAdmin with broken cache file
  • ALTPHP-31:MariaDB 10 support in php-selector
python-cllib 1-21
  • LU-89: add base hook lib
  • PTCLLIB-16: add validate_cpu function
  • PTCLLIB-15 fix: Add /usr/sbin/lveps to /etc/sudoers
lvemanager 0.8-1.44
  • LVEMAN-223 - Add conflicts for PHP APCu module
  • LVEMAN-222: bugfixes for LVE Manager->packages in cPanel
  • LVEMAN-161: LVE Manager for cPanel: filter reseller packages correctly
  • LVEMAN-166: remove NCPU from LVE Manager for cPanel
  • LVEMAN-217: DirectAdmin LVE Manager for /proc/lve/list 8 : incorrect column values in settings, packages
  • LVEMAN-214: use --no-iops option in lvectl commands in LVE Manager for compatibility with new lve-utils
  • LVEMAN-212 fix: Defaults values in Edit package page are incorrect for Plesk -> LVE Manager
  • LVEMAN-211 fix: Accounts page fails in Plesk
lve-stats 0.10-37
  • LVESTATS-52: Graphs for small speed values are not created
  • LVESTATS-51: lvestats-server does not work on /proc/lve/list ver 4
  • LVESTATS-50: lvestats-server: calculate cpu limit correctly for /proc/lve/list ver 8
  • LVESTATS-37: mark parameters that were exceeded by users in notification e-mails for admin and resellers
  • LVESTATS-36: Wrong lveinfo data from MySQL on centralized server
  • LVESTATS-17: Record and manage IOPS
Update instructions:

$ yum update cagefs lvemanager lve-utils lve-stats --enablerepo=cloudlinux-updates-testing

Please note that this update will install a new kernel. A reboot is needed to enable all the new features, like high precision CPU speed limits and IOPS.

Beta: New CL6 & C5Hybrid kernel to fix inotify memory leak - corrected update


The last beta upgrade to 2.6.32-531.23.3.lve1.2.66 introduced a bug in LVE kmod.
A new version of kmod is available.

To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el6 lve-kmod-1.2-72.el6 --enablerepo=cloudlinux-updates-testing
To update CL5 hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el5h lve-kmod-1.2-72.el5h --enablerepo=cloudlinux-hybrid-testing


Don't forget to reboot your servers after update.

Beta: New CL6 & C5Hybrid kernel to fix inotify memory leak


A bug was introduced in 2.6.32-531.23.3.lve1.2.65 that causes a memory leak when inotify is used.
A new kernel, 2.6.32-531.23.3.lve1.2.66, is available that solves the issue.
KernelCare patches are also available to close the memory leak without rebooting your server: https://groups.google.com/forum/#!topic/kernelcare-vz/_rQtGjSJays

More info on memory leak: https://bugzilla.openvz.org/show_bug.cgi?id=3068

To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el6 lve-kmod-1.2-71.el6 --enablerepo=cloudlinux-updates-testing

To update CL5 hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el5h lve-kmod-1.2-71.el5h --enablerepo=cloudlinux-hybrid-testing

KernelCare updates for CL6/5Hybrid, PCS/Virtuozzo/OpenVZ from RHEL 2.6.32-431.29.2 kernel

New patches for CL6/5Hybrid, PCS/Virtuozzo/OpenVZ kernels have been released to update them with the latest security fixes from the RHEL 2.6.32-431.29.2 kernel. The updates include a patch against a local DoS attack.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-0205, CVE-2014-3535, CVE-2014-3917, CVE-2014-4667

Details:
  • CVE-2014-0205 futex: refcount issue in case of requeue
    A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
  • CVE-2014-3535 vxlan: fix NULL pointer dereference
    A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface.
  • CVE-2014-3917 auditsc: audit_krule mask accesses need bounds checking
    An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.
  • CVE-2014-4667 sctp: Fix sk_ack_backlog wrap-around problem
    An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made.

KernelCare updates CentOS and RHEL 6 kernel to 2.6.32-431.29.2

New patches for CentOS and RHEL 6 kernels have been released to update up to 2.6.32-431.29.2. The updates include a patch against a local DoS attack.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update


CVEs: CVE-2014-0205, CVE-2014-3535, CVE-2014-3917, CVE-2014-4667

Details:
  • CVE-2014-0205 futex: refcount issue in case of requeue
    A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
  • CVE-2014-3535 vxlan: fix NULL pointer dereference
    A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface.
  • CVE-2014-3917 auditsc: audit_krule mask accesses need bounds checking
    An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.
  • CVE-2014-4667 sctp: Fix sk_ack_backlog wrap-around problem
    An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made.

alt-php 5.6


The latest version of alt-php 5.6 is available in our production channel. We have also released support for LSAPI 6.7 from our beta repository.

Changelog for 'production' version:
To update:
$ yum groupupdate alt-php

Changelog for 'beta' version

  • alt-php56 - 5.6.0 (Changelog)
  • LSAPI updated to 6.7 for php5.2 to 5.6
To update:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

We need examples of lve-stats database

We are running some performance testing for next generation lve-stats, and we need real life lve-stats database, with a lot of data in it. We are interested in a database from the live, active CL6 server with 1000+ customers.

To send us the file (it will be big):
# service lvestats stop
# cp /var/lve/lveinfo.db /some_location_from_which_we_can_retrieve_it
# service lvestats start

And send me email on how we can pick up the file to [email protected]

CL6/Hybrid kernel 2.6.32-531.23.3.lve1.2.65

New kernel for CL6/Hybrid is available.

Changelog:
To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el6 kmod-lve-1.2-69.el6

To update hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el5h kmod-lve-1.2-69.el5h

No update is needed for KernelCare customers.
