Froxlor Forum
d00p

Important bugfix release 0.9.33.2


Dear Froxlor-community,
 
due to a severe security issue in the database logging system, we strongly recommend updating your current froxlor installation to 0.9.33.2. We also recommend removing any content from the /froxlor/logs/ directory.

Download: 0.9.33.2

Note: Gentoo-ebuild and Debian packages are now available.

Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.freenode.net.

Thank you,
d00p


Hi

actually this fix is missing the removal of the compromised logfiles, otherwise it fixes future logging of passwords, but not the access to the logfile that has been compromised.

 

I ask you to add a proper .htaccess-block for the logs-directory _and_ remove the logfiles from there as they - if kept - are still a security-risk in the current release.

 

thx

hk


Error for Debian - wheezy:

 

Err http://download.opensuse.org Packages
Err http://debian.froxlor.org wheezy/main amd64 Packages
  404  Not Found [iP: 109.234.106.48 80]

 

 

sources.list

 

 

deb http://debian.froxlor.org wheezy main
deb-src http://debian.froxlor.org wheezy main
#Backup if main mirror fails
deb http://froxlormirror.netcup.net/froxlor wheezy main
 


Hi

actually this fix is missing the removal of the compromised logfiles, otherwise it fixes future logging of passwords, but not the access to the logfile that has been compromised.

Sorry, as I was pushed to do a release it just got lost in the hurry... Removing all .log files from the directory should do the job; alternatively, just use the class.ConfigIO.php from GitHub (https://github.com/Froxlor/Froxlor/blob/0_9_34/lib/classes/webserver/class.ConfigIO.php)
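
The cleanup discussed in this thread (remove the existing .log files and block web access to the logs directory), as an added shell example that is not part of the original posts or of Froxlor's code. The function name and the installation path passed as the argument are assumptions.

```shell
#!/bin/sh
# Added example (not Froxlor's own code): purge existing *.log files from an
# installation's logs/ directory and deny web access to it.
# The install path is passed as an argument; no default location is assumed.

secure_froxlor_logs() {
    fl_dir="$1/logs"
    # Refuse anything that is not a real directory (e.g. a symlink).
    if [ ! -d "$fl_dir" ] || [ -L "$fl_dir" ]; then
        echo "not a directory: $fl_dir" >&2
        return 1
    fi

    # Delete regular *.log files only; other files are left alone.
    fl_removed=0
    for fl_file in "$fl_dir"/*.log; do
        if [ -f "$fl_file" ] && [ ! -L "$fl_file" ]; then
            rm -f -- "$fl_file" && fl_removed=$((fl_removed + 1))
        fi
    done

    # Replace any existing .htaccess with a deny-all rule that covers
    # both Apache 2.4 (mod_authz_core) and Apache 2.2 syntax.
    rm -f -- "$fl_dir/.htaccess"
    cat > "$fl_dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    chmod 644 "$fl_dir/.htaccess"

    # Report how many log files were removed.
    echo "$fl_removed"
}

# Run only when a path is given, e.g.: sh secure-logs.sh /path/to/froxlor
if [ "$#" -gt 0 ]; then
    secure_froxlor_logs "$1"
fi
```

The .htaccess file only takes effect on Apache when AllowOverride permits it; on nginx or lighttpd the deny rule has to go into the server configuration instead.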


Error for Debian squeezy after Apache restart.

 

Apache2 restart:

 

Syntax error on line 9 of
/etc/apache2/sites-enabled/10_froxlor_ipandport_xx.xx.xx.xx.80.conf:
Invalid command \'FastCgiExternalServer\', perhaps misspelled or defined by a module not included in the server configuration
Action \'configtest\' failed.
The Apache error log may have more information.
failed!

 

In the named .conf file on line 9:

 

FastCgiExternalServer
/var/www/php-fpm/froxlor.panel/vxxxxxxxxxxxxxxxxxxxxx.yourvserver.net/8296.fpm.external
-socket
/var/lib/apache2/fastcgi/froxlor.panel-vxxxxxxxxxxxxxxxxxxxxx.yourvserver.net-php-fpm.socket
-idle-timeout 30

 

What is going wrong here?

 

Thanks

bosmedien


Error for Debian squeezy after Apache restart.

 

Apache2 restart:

 

In the named .conf file on line 9:

 

What is going wrong here?

 

Thanks

bosmedien

 

You sir have a completely other problem. Please open a new topic.

