ISPConfig 3.0.5.4p9 released

What’s new in ISPConfig 3.0.5.4p9

This release contains an important security fix for an insufficient validation of the PHP version selector.

Scope of the issue: an attacker would require a valid ISPConfig login with access to the web module. The issue affects the ISPConfig interface only; on a multiserver system, only the interface server(s) have to be patched.

Thank you to Timo Boldt (https://git.ispconfig.org/u/timo.boldt) for reporting this issue!

The fix can be applied by updating to ISPConfig 3.0.5.4p9 or by using the ISPConfig patch tool.

Use the Patch tool

Run the command:

ispconfig_patch

as root user on the shell. Enter the following patch code when requested by the tool:

3054_phpversion

Alternatively, use the normal ISPConfig update procedure with the ispconfig_update.sh command.

See details at the end of this post.

The “Reconfigure services” option can be answered with “no” on servers that run ISPConfig 3.0.5.4p8.

See changelog link below for a list of all changes that are included in this release.

Download

The software can be downloaded here:

http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.5.4p9.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/milestones/50

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Bug Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

- Debian Etch (4.0) – Jessie (8.0) and Debian testing
- Ubuntu 7.10 – 15.10
- OpenSuSE 11 – 13.2
- CentOS 5.2 – 8
- Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.

Update

To update existing ISPConfig 3 installations, run this command on the shell:

ispconfig_update.sh

Select “stable” as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.

Detailed instructions for making a backup before update can be found here:

http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-update-ispconfig-3/

If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.

Manual update instructions

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php