What’s new in ISPConfig 3.0.5.4p9
This release contains an important security fix for insufficient validation of the PHP version selector.
Scope of the issue: an attacker would require a valid ISPConfig login with access to the web module. The issue affects the ISPConfig interface only; on a multiserver system, only the interface server(s) have to be patched.
Thank you to Timo Boldt (https://git.ispconfig.org/u/timo.boldt) for reporting this issue!
The fix can be applied by updating to ISPConfig 3.0.5.4p9 or by using the ISPConfig patch tool.
Use the Patch tool
Run the command:
Code:
ispconfig_patch
as root user on the shell. Enter the following patch code when requested by the tool:
3054_phpversion
Use the normal ISPConfig update procedure with the ispconfig_update.sh command.
See details at the end of this post.
The “Reconfigure services” option can be answered with “no” on servers that run ISPConfig 3.0.5.4p8.
See changelog link below for a list of all changes that are included in this release.
Download
The software can be downloaded here:
http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.5.4p9.tar.gz
Changelog
https://git.ispconfig.org/ispconfig/ispconfig3/milestones/50
Known Issues
Please take a look at the bug tracker:
https://git.ispconfig.org/ispconfig/ispconfig3/issues
Bug Reporting
Please report bugs to the ISPConfig bug tracking system:
https://git.ispconfig.org/ispconfig/ispconfig3/issues
Supported Linux Distributions
– Debian Etch (4.0) – Jessie (8.0) and Debian testing
– Ubuntu 7.10 – 15.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 8
– Fedora 9 – 15
Installation
The installation instructions for ISPConfig can be found here:
http://www.ispconfig.org/ispconfig-3/documentation/
or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.
Update
To update existing ISPConfig 3 installations, run this command on the shell:
Code:
ispconfig_update.sh
Select “stable” as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.
Detailed instructions for making a backup before update can be found here:
http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-update-ispconfig-3/
If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.
Manual update instructions
Code:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php