ispCP - Board - Support
"Official" VHCS 2.4.8 security update? - Printable Version


"Official" VHCS 2.4.8 security update? - karlmikaze - 04-14-2009 04:56 PM

Hi folks,

I just ran across a VHCS security update on freshmeat: http://freshmeat.net/projects/vhcs

The fixed and updated version can be downloaded at http://server5.moll-newmedia.de/ - without any further notice about what was fixed/changed, so we are in an information-less situation, as usual...
Furthermore, the changelog states a lot of functional changes and fixes that were done between 2006-01-03 (release date of 2.4.7.1) and now... great :(

Does anyone know anything more than "This release fixes a big security hole. Some included software, such as phpmyadmin, was updated"?

We unfortunately cannot upgrade to ispCP on some servers, yet, so we will definitely need to find out what's going on.

Let's get this straightened out together.

Cheers and thanks for your comments
Chris

P.S.: I know, this isn't the place to discuss VHCS issues, but where else on the web are so many plagued (former) VHCS admins gathered...?


RE: "Official" VHCS 2.4.8 security update? - BeNe - 04-14-2009 05:06 PM

Sorry, but WE support no VHCS here. So I'm not sure if anybody here knows more than you.
Quote:without any further notice about what was fixed/changed, so we are in an information-less situation, as usual...
There is a ChangeLog --> http://server5.moll-newmedia.de/CHANGELOG

Greez BeNe


RE: "Official" VHCS 2.4.8 security update? - karlmikaze - 04-14-2009 05:13 PM

Hi BeNe,
and thanks for answering.

(04-14-2009 05:06 PM)BeNe Wrote:  Sorry, but WE support no VHCS here. So I'm not sure if anybody here knows more than you.

Sure, that's why I just added my "P.S." before I read your answer. But there are tons of people around here that cannot (for some reasons) upgrade to ispCP yet, but do have quite some knowledge of VHCS.
Do you have any suggestion (another forum site or sth., the usual discussion sites are completely out of date or 404) on where to better discuss this?

Quote:There is a ChangeLog --> http://server5.moll-newmedia.de/CHANGELOG

Yes, and it states exactly nothing on the security problem.

Cheers
Chris


RE: "Official" VHCS 2.4.8 security update? - BeNe - 04-14-2009 05:53 PM

Quote:Sure, that's why I just added my "P.S." before I read your answer.
Sorry, I did not see it :)
Quote:Yes, and it states exactly nothing on the security problem.
Maybe they mean the security issues in PMA?
You can also try to diff the new version with yours to see the changes.
Or you have to update blind to this version. :(

Greez BeNe


RE: "Official" VHCS 2.4.8 security update? - karlmikaze - 04-14-2009 06:21 PM

(04-14-2009 05:53 PM)BeNe Wrote:  Maybe they mean the security issues in PMA?
You can also try to diff the new version with yours to see the changes.

That's what we might have to do. But there were lots of changes that weren't related to the security problem, so this might be a rather tedious job.
I contacted Moll Media Support and will wait for some reaction first, though.

(04-14-2009 05:53 PM)BeNe Wrote:  Or you have to update blind to this version. :(

That's what I'd like to avoid ;-) Anyhow, if we go through the update process we'll summarize how it went.

Cheers & thx again
Chris


RE: "Official" VHCS 2.4.8 security update? - RatS - 04-14-2009 07:18 PM

Why can't you update to ispCP 1.0.0? This will be your only chance. There will be no more update possibility after 1.0.0 from VHCS. Better try to update now...


RE: "Official" VHCS 2.4.8 security update? - karlmikaze - 04-14-2009 08:57 PM

Hi RatS,

yes, I'm aware of that. But there are still some customers around that need PHP4, MySQL4 and some more oddities. Plus, many VHCS hosters did quite a lot of customization (dynamic AWStats hacks, amavisd-new, external MX, you name it...) that can be done using ispCP, as well, but at the price of a lot of effort.

We will update (and have already for some hosts), but not for all environments, and definitely not yet now.

BTW, for all of you VHCS users out there:
We have developed a VHCS migration script that takes a VHCS domain name, a target servername plus some parameters (migrate DBs, maildirs, statistics, etc.) and transfers it to another (updated VHCS or fresh ispCP) machine. This enables you to migrate "domain by domain" (for testing purposes or all those problematic sites that eventually need PHP4 or whatever) to a newer environment, instead of "upgrade the whole machine in one step". If interested in further testing/development, please drop me a short note by PM.

Greetings
Chris


RE: "Official" VHCS 2.4.8 security update? - xister - 04-14-2009 10:56 PM

(04-14-2009 08:57 PM)karlmikaze Wrote:  BTW, for all of you VHCS users out there:
We have developed a VHCS migration script that takes a VHCS domain name, a target servername plus some parameters (migrate DBs, maildirs, statistics, etc.) and transfers it to another (updated VHCS or fresh ispCP) machine. This enables you to migrate "domain by domain" (for testing purposes or all those problematic sites that eventually need PHP4 or whatever) to a newer environment, instead of "upgrade the whole machine in one step". If interested in further testing/development, please drop me a short note by PM.

Please post your script and a few lines of description in this forum.
Maybe this could be integrated/modified into/for ispCP.


RE: "Official" VHCS 2.4.8 security update? - BeNe - 04-14-2009 10:58 PM

Quote:We have developed a VHCS migration script that takes a VHCS domain name, a target servername plus some parameters (migrate DBs, maildirs, statistics, etc.) and transfers it to another (updated VHCS or fresh ispCP) machine. This enables you to migrate "domain by domain" (for testing purposes or all those problematic sites that eventually need PHP4 or whatever) to a newer environment, instead of "upgrade the whole machine in one step". If interested in further testing/development, please drop me a short note by PM.
//EDIT: xister was faster ;-)

Interesting! Maybe we can use it also for ispCP after some changes?

Greez BeNe


RE: "Official" VHCS 2.4.8 security update? - karlmikaze - 04-14-2009 11:12 PM

Quote:Please post your script and a few lines of description in this forum.
Maybe this could be integrated/modified into/for ispCP.

Ok. As soon as our developer who's working on the script is back, we'll do some slight cleanup in the script (take out all our specific stuff, the hardcoded passwords, replace them by variables/maybe read from a config file, etc.), put it up in our external svn repos and post the URL here. Or even better in a new thread ;)

Quote:Interesting! Maybe we can use it also for ispCP after some changes?

It will need some tweaking to be 100% compatible with ispCP's directory layout etc. without any manual post-processing - but that's what it's capable of doing for VHCS, already. At least on Debian Etch, at the moment.

I'll keep you updated.

Cheers
Chris

Here's some final info in order to get this thread closed:
I got feedback from Moll New Media (thank you!). The current 2.4.8 update is a collection of former fixes and updates in a new "one package that contains all known bugfixes up to date".

In short:
2.4.8 does not include a fix for a new security issue, but several functional bugfixes and the fix for the old "admin intrusion" problem that was already fixed in version 2.4.7.1. So, 2.4.7.1 is as secure as 2.4.8, but lacks some other bugfixes.

hth
Chris