What’s new in ISPConfig 3.0.5.4p9

This release contains an important security fix for an insufficient validation of the PHP version selector.

Scope of the issue: an attacker would require a valid ISPConfig login with access to the web module. The issue affects the ISPConfig interface only; on a multiserver system, only the interface server(s) have to be patched.

Thank you to Timo Boldt (https://git.ispconfig.org/u/timo.boldt) for reporting this issue!

The fix can be applied by updating to ISPConfig 3.0.5.4p9 or by using the ISPConfig patch tool.

Use the Patch tool

Run the command:

Code:
ispconfig_patch

as root user on the shell. Enter the following patch code when requested by the tool:

3054_phpversion

Use the normal ISPConfig update procedure with the ispconfig_update.sh command. See details at the end of this post. The “Reconfigure services” option can be answered with “no” on servers that run ISPConfig 3.0.5.4p8.

See changelog link below for a list of all changes that are included in this release.

Download

The software can be downloaded here:
http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.5.4p9.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/milestones/50

Known Issues

Please take a look at the bug tracker:
https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:
https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Jessie (8.0) and Debian testing
– Ubuntu 7.10 – 15.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 8
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:
http://www.ispconfig.org/ispconfig-3/documentation/
or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.

Update

To update existing ISPConfig 3 installations, run this command on the shell:

Code:
ispconfig_update.sh

Select “stable” as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.

Detailed instructions for making a backup before update can be found here:
http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-update-ispconfig-3/

If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.

Manual update instructions

Code:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php
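The announcement applies to interface servers below 3.0.5.4p9, and the thread below shows that the patch tool does not bump the version string recorded in /usr/local/ispconfig/interface/lib/config.inc.php. The following shell script is an added example, not part of the release post or the ISPConfig project, for checking an inventory of interface servers: it reads the version from a config file and reports whether that version is older than 3.0.5.4p9. It assumes the config file defines the version as `define('ISPC_APP_VERSION', '3.0.5.4p8');` (the define name is an assumption); the sample config it parses is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not ISPConfig project code): decide from an interface
# server's config.inc.php whether it is below 3.0.5.4p9 and therefore still
# needs the PHP version selector fix (patch 3054_phpversion or a full update).

FIXED_VERSION="3.0.5.4p9"

# Normalise "3.0.5.4p8" (or "3.0.5.4", "3.1") into a zero-padded key that
# compares correctly as a plain string: "003.000.005.004.008".
# A release without a "pN" suffix is treated as patch level 0.
ispc_version_key() {
    ver="$1"
    base="${ver%%p*}"                   # dotted part, e.g. "3.0.5.4"
    case "$ver" in
        *p*) patch="${ver#*p}" ;;       # patch level, e.g. "8"
        *)   patch=0 ;;
    esac
    key=""
    n=0
    old_ifs="$IFS"; IFS=.
    for part in $base; do
        key="${key}$(printf '%03d.' "$part")"
        n=$((n + 1))
    done
    IFS="$old_ifs"
    # Pad short versions such as "3.1" to four dotted components.
    while [ "$n" -lt 4 ]; do
        key="${key}000."
        n=$((n + 1))
    done
    printf '%s%03d\n' "$key" "$patch"
}

# Extract the version string from a config.inc.php-style file.
# Assumption: the file contains define('ISPC_APP_VERSION', '<version>');
ispc_version_from_config() {
    sed -n "s/.*define('ISPC_APP_VERSION', *'\([^']*\)').*/\1/p" "$1" | head -n 1
}

# Succeeds (exit 0) when the given version is older than FIXED_VERSION.
# expr's "<" compares lexically when the operands are not both integers.
ispc_needs_phpversion_fix() {
    installed_key=$(ispc_version_key "$1")
    fixed_key=$(ispc_version_key "$FIXED_VERSION")
    expr "$installed_key" \< "$fixed_key" >/dev/null
}

# Print a one-line verdict for the config file given as $1.
ispc_report() {
    v=$(ispc_version_from_config "$1")
    if [ -z "$v" ]; then
        printf '%s: no ISPC_APP_VERSION found\n' "$1"
    elif ispc_needs_phpversion_fix "$v"; then
        printf 'ISPConfig %s: below %s, apply patch 3054_phpversion or update\n' "$v" "$FIXED_VERSION"
    else
        printf 'ISPConfig %s: at or above %s, no action needed\n' "$v" "$FIXED_VERSION"
    fi
}

# Constructed sample config (not a real server file) so the script runs offline;
# on a real server you would pass /usr/local/ispconfig/interface/lib/config.inc.php.
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
<?php
define('ISPC_APP_TITLE', 'ISPConfig');
define('ISPC_APP_VERSION', '3.0.5.4p8');
EOF

ispc_report "$sample_config"
rm -f "$sample_config"
```

Because a patched p8 server keeps reporting 3.0.5.4p8, this check is only reliable on servers that were updated with ispconfig_update.sh or where the version in config.inc.php was raised by hand as described later in the thread; a server patched with the patch tool alone will show up as needing the fix even though the affected files were already replaced.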
Hello,

Code:
>> Patch tool

Please enter the patch id that you want to be applied to your ISPConfig installation.
Please be aware that we take NO responsibility that this will work for you. Only use patches if you know what you are doing.

Enter patch id: 3054_phpversion
Invalid patch id.

Thanks
I ran ispconfig_patch

Code:
>> Patch tool

Please enter the patch id that you want to be applied to your ISPConfig installation.
Please be aware that we take NO responsibility that this will work for you. Only use patches if you know what you are doing.

Enter patch id: 3054_phpversion

Patch description:
--------------------------------------------------------------------------------
This patch fixes an insufficient validation of the PHP version selector.
--------------------------------------------------------------------------------
Do you really want to apply this patch now? (y,n) [y]: y
patching file interface/web/sites/web_aliasdomain_edit.php
patching file interface/web/sites/web_domain_edit.php
patching file interface/web/sites/web_subdomain_edit.php
patching file interface/web/sites/web_vhost_subdomain_edit.php
root@:~# /etc/init.d/apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .

ISPConfig Version: 3.0.5.4p8 still shows p8 instead of p9, do I need to restart anything else besides apache?
No. The patch only fixes the issue, but it doesn't increase the version number. You must edit the file /usr/local/ispconfig/interface/lib/config.inc.php manually to increase the version.
What's the point of calling the patch p9 if it doesn't automatically update the ISPConfig version number?
It appears the patch is called '3054_phpversion', the ispconfig release is p9. You didn't install the p9 release, you applied a single patch; in this case you started from p8 and that was the only change, so it should be the same as the p9 version. If someone else were running an older ispconfig release, they could presumably apply this same patch to fix this specific bug, but not get all the other interim changes, so they would not have the same code as p9.
I see the confusion that it causes when we provide a patch as an alternate method to fix an issue. I guess we should stop providing patches at all, so that everyone has to replace all files in his ISPConfig setup with a full update even if there is just a single affected file.
I think the problem is not the patch. There is confusion when someone applies the patch but the control panel shows a warning for an old version. When you increase the version number, then don't release a patch. In other cases a patch is useful.
This would mean that we would have to silently modify the code in the released ispconfig.tar.gz without altering the version number, as we can not deliver a vulnerable version, and altering released code without a sign that it was altered is a bad practice. And the other way round, we can not alter the version number as part of the patch, as this would mean that if someone applies it to e.g. p5, it will then show p9 even though he does not actually have p9, as all intermediate changes are missing. So if someone wants a patch in future, he will have to diff the versions himself and build his own patch.
I think there are two cases.

1. There is a problem, e.g. creating an FTP user fails. You fix this problem in the master branch and you release a patch. You don't increase the version number. If someone has this issue he can apply the patch and everything is fine.

2. There is another issue. You fix this problem in the master branch and you increase the version number. In this case you must release a full version. When you also release a patch, then the confusion will start again.

On the other side there is another case. Someone uses version e.g. p5. If he applies the full version he will migrate to the newest version. But if he doesn't want the newest version for whatever reason, he has to apply the patch. But how do they know they can apply the patch on their old version? So when you release a new version, e.g. p10, then all users on p9 have to use the full upgrade. If someone uses an older version then he has to apply the patch. And he will see a version warning on the control panel.

Summary:
issue with no new version number -> patch
issue with new version number -> full upgrade
issue with new version number but the user uses an older version of ISPConfig -> patch (if possible)
As Till said: What we learn from this is, why should we make any effort in creating further patches? From now on it's up to the user to create a patch if he doesn't want to update to the next full patch release. That's it.