alt-php update for beta & production repositories


The changes include version updates for PHP 5.4 & 5.5. There are no other changes since this release:
http://www.cloudlinux.com/blog/clnews/533.php

Changelog:
To update production:
$ yum groupupdate alt-php
To update beta:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

Beta: IOPS, high precision CPU limits and more...


A new update for CageFS, liblve, lve-utils and LVE Manager is available from our beta repository. The major changes are the introduction of IO operations per second (IOPS) limits, high precision CPU limits (you can now set speed precision as low as 1% of a single core, no matter how many cores), and the ability to specify by name the processes that need to be placed in LVE / CageFS.

Changelog:
CageFS 5.3-1
  • CAG-315: cagefsctl --rebuild-alt-php-ini reset some parameters to defaults (bugfix)
liblve-1.3-1.3
  • LIBLVE-7: enter to cagefs by process name
  • CAG-76: added new "splitted by username" mount type in cagefs.mp
  • support of hires cpu limit
lve-utils 1.4-27
  • LU-107: add --no-iops option to lvectl, getcontrolpaneluserslimits (for backward compatibility)
  • LU-100: lvetop should display CPU usage in terms of 'speed' setting
  • LU-97: lvectl set $LVE --iops $IOPS doesn't set IOPS parameter
  • LVEMAN-109: add handling of iops and speed (for proc version to cpanel/extension/cl_modify_pkg.py
  • add ability to change lve_ext template on cpanel
  • Added lve_namespaces service to record LVE namespaces on boot
  • LU-92: fix PID column in lveps -p output
  • show command names in the COM column
  • LU-91: add lve_namespaces service
  • LU-90: getcontrolpackages fail in DirectAdmin with broken cache file
  • ALTPHP-31:MariaDB 10 support in php-selector
python-cllib 1-21
  • LU-89: add base hook lib
  • PTCLLIB-16: add validate_cpu function
  • PTCLLIB-15 fix: Add /usr/sbin/lveps to /etc/sudoers
lvemanager 0.8-1.44
  • LVEMAN-223 - Add conflicts for PHP APCu module
  • LVEMAN-222: bugfixes for LVE Manager->packages in cPanel
  • LVEMAN-161: LVE Manager for cPanel: filter reseller packages correctly
  • LVEMAN-166: remove NCPU from LVE Manager for cPanel
  • LVEMAN-217: DirectAdmin LVE Manager for /proc/lve/list 8 : incorrect column values in settings, packages
  • LVEMAN-214: use --no-iops option in lvectl commands in LVE Manager for compatibility with new lve-utils
  • LVEMAN-212 fix: Defaults values in Edit package page are incorrect for Plesk -> LVE Manager
  • LVEMAN-211 fix: Accounts page fails in Plesk
lve-stats 0.10-37
  • LVESTATS-52: Graphs for small speed values are not created
  • LVESTATS-51: lvestats-server does not work on /proc/lve/list ver 4
  • LVESTATS-50: lvestats-server: calculate cpu limit correctly for /proc/lve/list ver 8
  • LVESTATS-37: mark parameters that were exceeded by users in notification e-mails for admin and resellers
  • LVESTATS-36: Wrong lveinfo data from MySQL on centralized server
  • LVESTATS-17: Record and manage IOPS
Update instructions:

$ yum update cagefs lvemanager lve-utils lve-stats --enablerepo=cloudlinux-updates-testing

Please note that this update also installs a new kernel. A reboot is needed to enable all the new features, such as high precision CPU speed limits and IOPS limits.

Beta: New CL6 & C5Hybrid kernel to fix inotify memory leak - corrected update


The last beta upgrade to 2.6.32-531.23.3.lve1.2.66 introduced a bug in the LVE kmod.
A new version of the kmod is available.

To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el6 lve-kmod-1.2-72.el6 --enablerepo=cloudlinux-updates-testing
To update CL5 hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el5h lve-kmod-1.2-72.el5h --enablerepo=cloudlinux-hybrid-testing


Don't forget to reboot your servers after the update.

Beta: New CL6 & C5Hybrid kernel to fix inotify memory leak


A bug introduced in 2.6.32-531.23.3.lve1.2.65 causes a memory leak when inotify is used.
A new kernel, 2.6.32-531.23.3.lve1.2.66, is available that solves the issue.
KernelCare patches are also available to close the memory leak without rebooting your server: https://groups.google.com/forum/#!topic/kernelcare-vz/_rQtGjSJays

More info on memory leak: https://bugzilla.openvz.org/show_bug.cgi?id=3068

To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el6 lve-kmod-1.2-71.el6 --enablerepo=cloudlinux-updates-testing

To update CL5 hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.66.el5h lve-kmod-1.2-71.el5h --enablerepo=cloudlinux-hybrid-testing

KernelCare updates for CL6/5Hybrid, PCS/Virtuozzo/OpenVZ from RHEL 2.6.32-431.29.2 kernel

New patches for CL6/5Hybrid, PCS/Virtuozzo/OpenVZ kernels have been released to bring them up to date with the latest security fixes from the RHEL 2.6.32-431.29.2 kernel. The updates include fixes for a local privilege escalation (CVE-2014-0205) and for local and remote denial-of-service flaws; see the CVE list below.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-0205, CVE-2014-3535, CVE-2014-3917, CVE-2014-4667

Details:
  • CVE-2014-0205 futex: refcount issue in case of requeue
    A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
  • CVE-2014-3535 vxlan: fix NULL pointer dereference
    A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface.
  • CVE-2014-3917 auditsc: audit_krule mask accesses need bounds checking
    An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.
  • CVE-2014-4667 sctp: Fix sk_ack_backlog wrap-around problem
    An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections from being made to a particular SCTP server socket.

KernelCare updates CentOS and RHEL 6 kernel to 2.6.32-431.29.2

New patches for CentOS and RHEL 6 kernels have been released to bring them up to 2.6.32-431.29.2. The updates include fixes for a local privilege escalation (CVE-2014-0205) and for local and remote denial-of-service flaws; see the CVE list below.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update


CVEs: CVE-2014-0205, CVE-2014-3535, CVE-2014-3917, CVE-2014-4667

Details:
  • CVE-2014-0205 futex: refcount issue in case of requeue
    A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
  • CVE-2014-3535 vxlan: fix NULL pointer dereference
    A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface.
  • CVE-2014-3917 auditsc: audit_krule mask accesses need bounds checking
    An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.
  • CVE-2014-4667 sctp: Fix sk_ack_backlog wrap-around problem
    An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made.

alt-php 5.6


The latest version of alt-php 5.6 is available in our production channel. We have also released support for LSAPI 6.7 from our beta repository.

Changelog for 'production' version:
To update:
$ yum groupupdate alt-php

Changelog for 'beta' version:

  • alt-php56 - 5.6.0 (Changelog)
  • LSAPI updated to 6.7 for php5.2 to 5.6
To update:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

We need examples of lve-stats database

We are running performance tests for the next generation of lve-stats, and we need a real-life lve-stats database with a lot of data in it. We are interested in a database from a live, active CL6 server with 1000+ customers.

To send us the file (it will be big):
# service lvestats stop
# cp /var/lve/lveinfo.db /some_location_from_which_we_can_retrieve_it
# service lvestats start

Then send an email to [email protected] describing how we can pick up the file.

CL6/Hybrid kernel 2.6.32-531.23.3.lve1.2.65

New kernel for CL6/Hybrid is available.

Changelog:
To update CL6 servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el6 kmod-lve-1.2-69.el6

To update hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el5h kmod-lve-1.2-69.el5h

No update is needed for KernelCare customers.

Xen support for CentOS 5/RHEL 5 kernels

We have added Xen support for RHEL5/CentOS 5 kernels. Kernels from
kernel-xen-2.6.18-348.16.1 to kernel-xen-2.6.18-371.11.1 are supported.

Please follow this guide to install KernelCare on RHEL5/CentOS 5 servers:
http://www.kernelcare.com/try_it/install.php

beta: LVE Manager update for Plesk

New beta release fixes two issues with Plesk discovered in the latest version.

lvemanager-0.8-1.32.5
  • LVEMAN-212 fix: Defaults values in Edit package page are incorrect for Plesk -> Lvemanager
  • LVEMAN-211 fix: Accounts page fails in Plesk
To update:
$ yum update lvemanager --enablerepo=cloudlinux-updates-testing

Production & beta: alt-php release


New versions of alt-php were released. The production channel has updated PHP versions for PHP 5.4 & 5.5.
The beta repository, in addition to the version upgrades, has new mysqlnd support, updated Percona Server support, and readline support enabled.

Changelog:
To update production version:
$ yum groupinstall alt-php

To update from beta:
$ yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing

Beta: CL6/Hybrid kernel 2.6.32-531.23.3.lve1.2.65

New beta kernel for CL6/Hybrid is available.

Changelog:
To update CL6 servers:

$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el6 kmod-lve-1.2-69.el6 --enablerepo=cloudlinux-updates-testing

To update hybrid servers:
$ yum install kernel-2.6.32-531.23.3.lve1.2.65.el5h kmod-lve-1.2-69.el5h --enablerepo=cloudlinux-updates-testing
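Every kernel post on this page (the 2.6.32-531.23.3.lve1.2.65/.66 production and beta kernels above, and this one) ends with a yum install and a reboot, while KernelCare hosts instead report an effective kernel that carries a trailing '+' once patched beyond the latest stable kernel. The script below is an added example, not CloudLinux or KernelCare tooling, that confirms the kernel you installed is the one actually running after the reboot. It assumes uname -r prints a release of the form 2.6.32-531.23.3.lve1.2.66.el6.x86_64 and that the target is the package version as typed on the yum line; the kcheck.sh file name is just an illustration.

```shell
#!/bin/sh
# Added example (not CloudLinux's own tooling): after "yum install kernel-<ver> ..."
# and a reboot, confirm that the running kernel is the one that was installed.
# Assumptions: uname -r looks like "2.6.32-531.23.3.lve1.2.66.el6.x86_64" and the
# target is the package version from the yum line ("2.6.32-531.23.3.lve1.2.66.el6").
# KernelCare hosts may report an effective kernel (kcarectl --uname) with a trailing
# '+', which this script treats as "at least the base version".

# strip_arch RELEASE -> release without the trailing architecture suffix
strip_arch() {
    case "$1" in
        *.x86_64) printf '%s\n' "${1%.x86_64}" ;;
        *.i686)   printf '%s\n' "${1%.i686}" ;;
        *.i386)   printf '%s\n' "${1%.i386}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# strip_kcare_plus RELEASE -> release without the KernelCare '+' marker
strip_kcare_plus() {
    printf '%s\n' "${1%+}"
}

# lve_version RELEASE -> the lve part, e.g. "1.2.66" from "...lve1.2.66.el6.x86_64";
# empty when the release is not a CloudLinux lve kernel (plain RHEL/CentOS)
lve_version() {
    case "$1" in
        *.lve*) v=${1##*.lve}; printf '%s\n' "${v%%.el*}" ;;
        *)      printf '\n' ;;
    esac
}

# reboot_needed RUNNING TARGET -> exit 0 when RUNNING is not TARGET (reboot still pending)
reboot_needed() {
    running=$(strip_kcare_plus "$(strip_arch "$1")")
    target=$(strip_arch "$2")
    [ "$running" != "$target" ]
}

# Stand-alone use: sh kcheck.sh 2.6.32-531.23.3.lve1.2.66.el6
if [ -n "${1:-}" ]; then
    running=$(uname -r)
    if reboot_needed "$running" "$1"; then
        printf 'running %s (lve %s), target %s: reboot still needed\n' \
            "$running" "$(lve_version "$running")" "$1"
        exit 2
    fi
    printf 'running %s matches target %s\n' "$running" "$1"
fi
```

Run it with the kernel version from the yum command as its only argument; a non-zero exit means the old kernel is still running and the new features (and, for the .66 kernel, the inotify leak fix) are not yet in effect.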

lve-utils, cagefs and LVE Manager updated

The new release contains a number of bug fixes and minor improvements.



Changelog:
lve-utils-1.4-18.10
  • LVEMAN-200 part2: refactor code, add handling of OSError exception
  • LU-102: improve DirectAdmin detection
  • LVEMAN-200 - LVEManager licensing screen should detect when license was updated
  • LU-105: getcontrolpaneluserspackages: do not fail when user has no package assigned on Plesk
  • LVEMAN-202: LVE Manager not showing limits on Plesk when subscription is without plan
  • LU-104: crons/kill_orphaned_php-cron: do not kill /home/interworx/bin/php processes
  • LU-103: backport of LU-99 task (encoding error in lvectl on DirectAdmin, Plesk)
  • LU-98: crons/kill_orphaned_php-cron: do not kill lsphp processes
cagefs-5.2-36.3
  • increased required version of lve-utils
  • CAG-312: /usr/sbin/cpanel-compile-suexec.sh fails to rebuild suexec
  • added --force-update-etc option to help message
  • CAG-296: do not write /etc/rsyslog.d/schroot.conf file on RPM update
  • CAG-302: cagefsctl --setup-cl-selector: specify path to native php.ini (using -c option) while executing php -qm
  • CAG-308: handle ClPwd.NoSuchUserException exception
  • CAG-310: do not change permissions of /etc/cagefs/custom.etc subdirectories and files
lvemanager-0.8-1.32.3
  • LVEMAN-205 fix: backport of LVEMAN-204 task (LVE Manager in Plesk fails if package names are longer than 30 symbols)
  • LVEMAN-200 - LVEManager licensing screen should detect when license was updated
  • LVEMAN-198 - Add conflicts for PHP MySQLND modules
  • LVEMAN-197 fix: LVE Manager fails on Plesk old versions
To Update:
$ yum update cagefs lvemanager lve-utils

Beta: MySQL Governor 1.0-75

The new version of MySQL Governor adds MariaDB 10.0 support, along with a number of bug fixes and improvements.

Changelog:
  • Added support for MariaDB 10.0
  • DirectAdmin: read socket options from mysql.conf
  • DirectAdmin: fix issue with user without UID in dbuser-map
  • Added request logging before restrict
  • Detect and remove percona packages on install
To update:

$ yum update governor-mysql --enablerepo=cloudlinux-updates-testing
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install

To install, follow: http://docs.cloudlinux.com/index.html?installation3.html

To switch to MariaDB 10.0:
$ /usr/share/lve/dbgovernor/db-select-mysql --mysql-version=mariadb100
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install-beta

To enable request logging before restrict, edit /etc/container/mysql-governor.xml,
set <logqueries use="before"></logqueries>
and restart the governor.

Beta: alt-php update

A new update for alt-php is available from our beta repository.

Changelog:
To update:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

KernelCare - update for PCS, Virtuozzo, OpenVZ, CentOS/RHEL/CloudLinux 6

New patches provide a fix for PSBM-27792 for all VZ kernels, as well as PSBM-28403 for the 2.6.32-042stab092.1 to 2.6.32-042stab092.3 kernels. This brings all the kernels in line with the latest vzkernel-2.6.32-042stab083.4 kernel.
CentOS/RHEL/CL 6 systems are patched against CVE-2014-2706.
Additionally, we are starting to display the effective kernel version with a '+' at the end, to indicate that the kernel has been patched beyond the latest stable kernel.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-2706

Details:
  • CVE-2014-2706 mac80211: fix AP powersave TX vs. wakeup race
    A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system.
  • PSBM-27792, #2644 - ve/net/netfilter/ipset: prohibit ipset from inside a CT
    fixes a denial-of-service vulnerability in the ipset netfilter module
  • PSBM-28403, #3035 - sched: fix output of vestat:idle
    /proc/vz/vestat IDLE CPU usage information was not virtualized, so it reported the whole hardware node instead of the individual container

Revised: lve-stats, lve-utils, cagefs and LVE Manager updated

[corrected Aug 18/ 2014]

This is a correction to the announcement from August 14th. Only the lve-stats package has been released to production. The rest of the packages were released to the beta repository.

To update lve-stats, please run:
$ yum update lve-stats

To update all other packages, run:
$ yum update cagefs lvemanager lve-utils --enablerepo=cloudlinux-updates-testing

Changelog:
lve-stats-0.10-31.7
  • LVESTATS-41: statsnotify-cron is set incorrectly
  • LVESTATS-47: Added json dumping; added lve destroyer; don't print anything when destroying LVE
lve-utils-1.4-18.10
  • LVEMAN-200 part2: refactor code, add handling of OSError exception
  • LU-102: improve DirectAdmin detection
  • LVEMAN-200 - LVEManager licensing screen should detect when license was updated
  • LU-105: getcontrolpaneluserspackages: do not fail when user has no package assigned on Plesk
  • LVEMAN-202: LVE Manager not showing limits on Plesk when subscription is without plan
  • LU-104: crons/kill_orphaned_php-cron: do not kill /home/interworx/bin/php processes
  • LU-103: backport of LU-99 task (encoding error in lvectl on DirectAdmin, Plesk)
  • LU-98: crons/kill_orphaned_php-cron: do not kill lsphp processes
cagefs-5.2-36.3
  • increased required version of lve-utils
  • CAG-312: /usr/sbin/cpanel-compile-suexec.sh fails to rebuild suexec
  • added --force-update-etc option to help message
  • CAG-296: do not write /etc/rsyslog.d/schroot.conf file on RPM update
  • CAG-302: cagefsctl --setup-cl-selector: specify path to native php.ini (using -c option) while executing php -qm
  • CAG-308: handle ClPwd.NoSuchUserException exception
  • CAG-310: do not change permissions of /etc/cagefs/custom.etc subdirectories and files
lvemanager-0.8-1.32.3
  • LVEMAN-205 fix: backport of LVEMAN-204 task (LVE Manager in Plesk fails if package names are longer than 30 symbols)
  • LVEMAN-200 - LVEManager licensing screen should detect when license was updated
  • LVEMAN-198 - Add conflicts for PHP MySQLND modules
  • LVEMAN-197 fix: LVE Manager fails on Plesk old versions

Beta: New CL6 and Hybrid Kernel

New beta kernel kernel-2.6.32-531.17.1.lve1.2.63 is available.

Changelog:
  • rebase to vzkernel-2.6.32-042stab092.3;
  • jbd2: drop checkpoint mutex when waiting in __jbd2_log_wait_for_space();
To update:
CL6
$ yum install kernel-2.6.32-531.20.3.lve1.2.64.el6 kmod-lve-1.2-68.el6 --enablerepo=cloudlinux-updates-testing


Hybrid:
$ yum install kernel-2.6.32-531.20.3.lve1.2.64.el5h kmod-lve-1.2-68.el5h --enablerepo=cloudlinux-hybrid-testing

KernelCare update for CentOS/RHEL 7, CentOS/RHEL 5, and CloudLinux hybrid kernel

CentOS/RHEL 7 kernels are patched to the latest 3.10.0-123.6.3 kernel.
CentOS/RHEL 5 kernel patches were updated to correctly handle systems with aacraid devices.
CloudLinux 5 hybrid kernel patches were updated to correctly handle stuck khungtask threads.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-0181, CVE-2014-2672, CVE-2014-2706, CVE-2014-4667

Details:
  • CVE-2014-0181 net: Use netlink_ns_capable to verify the permissions of netlink messages
    It was found that the permission checks performed by the Linux kernel when a netlink message was received were not sufficient. A local, unprivileged user could potentially bypass these restrictions by passing a netlink socket as stdout or stderr to a more privileged process and altering the output of this process.
  • CVE-2014-2672 ath9k: protect tid->sched check
    It was found that a remote attacker could use a race condition flaw in the ath_tx_aggr_sleep() function to crash the system by creating large network traffic on the system's Atheros 9k wireless network adapter.
  • CVE-2014-2706 mac80211: fix AP powersave TX vs. wakeup race
    A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system.
  • CVE-2014-4667 sctp: Fix sk_ack_backlog wrap-around problem
    The sctp_association_free function in net/sctp/associola.c does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet.

beta: mod_lsapi 0.1-58


A new beta version of mod_lsapi is available.

Changelog:
  • Bugfix: fix httpd crash due to NULL server-var bug
  • Added lsapi_use_default_uid, lsapi_target_perm, lsapi_user_group & lsapi_uid_gid parameters
  • Increased default values for lsapi_backend_connect_timeout and lsapi_backend_connect_tries
  • bugfix: do not rewrite lsapi.conf on easyapache --build
To update:
cPanel:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ yum update cpanel-mod-lsapi --enablerepo=cloudlinux-updates-testing

DirectAdmin:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ cd /usr/local/directadmin/custombuild
$ ./build update
$ ./build apache

RPM based:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ yum update mod_lsapi --enablerepo=cloudlinux-updates-testing

More info:
http://docs.cloudlinux.com/index.html?installation_mod_lsapi.html

KernelCare Updates For RHEL/CentOS 5 and RHEL/CentOS/CL 6 and OpenVZ

RHEL/CentOS 5: New patches deliver security fixes from latest RHEL kernel 2.6.18-371.11.1.el5

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update
  • CVE-2014-2678 kernel: net: rds: dereference of a NULL device in rds_iw_laddr_check()
    A NULL pointer dereference flaw was found in the rds_iw_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system.
  • CVE-2014-4021 xen: Hypervisor heap contents leaked to guests (xsa-100)
    It was found that the Xen hypervisor implementation did not properly clean memory pages previously allocated by the hypervisor. A privileged guest user could potentially use this flaw to read data relating to other guests or the hypervisor itself.
RHEL/CentOS/CL/OpenVZ 6: New patches deliver security fixes from latest RHEL kernel 2.6.32-431.23.3.el6
  • CVE-2014-2851 kernel: net: ping: refcount issue in ping_init_sock() function
    Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.
  • CVE-2012-6647 Kernel: futex: forbid uaddr == uaddr2 in futex_wait_requeue_pi()
    A NULL pointer dereference flaw was found in the way the futex_wait_requeue_pi() function of the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to crash the system.
  • CVE-2013-7339 kernel: net: rds: dereference of a NULL device in rds_ib_laddr_check()
    The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.
  • CVE-2014-2678 kernel: net: rds: dereference of a NULL device in rds_iw_laddr_check()
    A NULL pointer dereference flaw was found in the rds_iw_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system.
  • CVE-2014-2672 kernel: ath9k: tid->sched race in ath_tx_aggr_sleep()
    Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a large amount of network traffic that triggers certain list deletions.

Beta: alt-php update


Updates for alt-php are available from our beta-testing repository.

Changelog:
  • alt-php54 updated to 5.4.31 (Changelog)
  • alt-php55 updated to 5.5.15 (Changelog)
  • alt-php56 updated to 5.6.0RC2 (Changelog)
  • fixed PHP-Phalcon packages.
  • add mysqlnd support (nd_mysql, nd_mysqli, nd_pdo_mysqli, mysqlnd extensions)
  • added PHP-Phalcon for alt-php56
To update:
$ yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing

KernelCare update for all versions of RHEL/CentOS/CloudLinux and OpenVZ

New patches provide a fix for CVE-2014-5077 for all supported distributions, as well as a PSBM-25317 fix for vzkernel-2.6.32-042stab085.20 and older.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CVEs: CVE-2014-5077

Details:
  • CVE-2014-5077 net: SCTP: NULL pointer dereference
    A Linux kernel built with support for the Stream Control Transmission Protocol (CONFIG_IP_SCTP) is vulnerable to a NULL pointer dereference flaw. It can occur when simultaneous new connections are initiated between the same pair of hosts.
    A remote user/program could use this flaw to crash the system kernel, resulting in a DoS.
  • PSBM-25317
    If ptmx_open() fails to get a slave inode or fails pty_open(), the tty is released as part of the error cleanup. This flaw can crash the system kernel, resulting in a DoS.

KernelCare update for OpenVZ, PCS and CentOS/RHEL 6 kernels - PSBM-28104

OpenVZ, Virtuozzo and PCS kernels vzkernel-2.6.32-042stab092.1 and vzkernel-2.6.32-042stab092.2, as well as the RHEL/CentOS 6.x kernel kernel-2.6.32-431.20.3.el6, are patched against a recent bug where a container could fail to restart, remaining in the 'mounted' state (PSBM-28104). The issue could also be triggered by an unprivileged user in any container, resulting in a memory leak and a potential DoS attack.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update
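Every KernelCare post on this page repeats that hosts with AUTO_UPDATE=True in /etc/sysconfig/kcare/kcare.conf need no action. The script below is an added example, not KernelCare's own tooling, that audits that setting the way a fleet check would, tolerating comments and spacing and reporting a missing key separately. It assumes the file is plain KEY=VALUE lines with '#' comments and that only the literal value True (any case) enables automatic updates; the sample configs it builds for a stand-alone run are constructed here and are not real kcare.conf contents.

```shell
#!/bin/sh
# Added example (not KernelCare's own tooling): report whether this host will pick up
# KernelCare patches on its own, i.e. whether AUTO_UPDATE=True is set in kcare.conf.
# Assumptions: KEY=VALUE lines with '#' comments; only the value True (any case)
# enables auto-update; a missing key is reported as "unset" rather than guessed.

KCARE_CONF=${KCARE_CONF:-/etc/sysconfig/kcare/kcare.conf}

# kcare_setting FILE KEY -> prints the last uncommented value of KEY, or nothing
kcare_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | tail -n 1
}

# kcare_auto_update_state FILE -> "on", "off" or "unset"
kcare_auto_update_state() {
    v=$(kcare_setting "$1" AUTO_UPDATE | tr '[:upper:]' '[:lower:]')
    case "$v" in
        '')   echo unset ;;
        true) echo on ;;
        *)    echo off ;;
    esac
}

# Constructed sample configs for a stand-alone run (not real kcare.conf contents).
demo() {
    d=$(mktemp -d)
    printf '# kcare.conf\nAUTO_UPDATE=True\n' > "$d/a.conf"
    printf 'AUTO_UPDATE = False  # pinned by ops\n' > "$d/b.conf"
    printf 'PREFIX=some\n' > "$d/c.conf"
    for f in a b c; do
        printf '%s: AUTO_UPDATE %s\n' "$f.conf" "$(kcare_auto_update_state "$d/$f.conf")"
    done
    rm -rf "$d"
}

if [ -r "$KCARE_CONF" ]; then
    printf '%s: AUTO_UPDATE %s\n' "$KCARE_CONF" "$(kcare_auto_update_state "$KCARE_CONF")"
else
    demo
fi
```

On a real host the script reads the live kcare.conf; hosts that report "off" or "unset" are the ones where you must run kcarectl --update yourself after each of these announcements.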


CVEs: Not assigned yet


Details:
  • PSBM-28104 a bug when a container could fail to restart, remaining in the 'mounted' state
