Categories
General

SolusVM vulnerability

SolusLabs announcement:

It has been brought to our attention that a security vulnerability has been found in the Client, Reseller and Admin areas of SolusVM. Even though the chances of this vulnerability being used against a SolusVM installation are low, we have released version 1.7.02 as a Critical security release and advise you to upgrade immediately.


ProFTPD vulnerability

We received a notification from Parallels regarding a ProFTPD vulnerability that affects the Plesk 9 and Plesk 10 products. We have updated ProFTPD on our Plesk servers through Atomic Rocket Turtle.

The full announcement:

ProFTPD Remote Code Execution Vulnerability and Exploit

A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences.

ProFTPD bug report: http://bugs.proftpd.org/show_bug.cgi?id=3521

Parallels Plesk Panel 9.x, 9.5x and 10 include this vulnerability. Parallels will issue Micro Updates (hotfixes) for 9.5.2 and 9.5.3 no later than 12:00 GMT (noon) on Thursday November 11, (7:00am EST in the US) to fix this. The patch for Parallels Plesk Panel 10.01 will be released at 17:00 GMT on Thursday November 11, (12:00pm EST in the US). Patches for Plesk 9.0, 9.22, and 9.3 will be posted by 12 noon GMT on Friday November 12, (7am EST in the US). Parallels updates on this will be coming soon.

MORE INFORMATION:

Updating to ProFTPD version 1.3.3c or disabling FTP services is the only current solution to this vulnerability.

ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application’s stack and launch it. Updating to version 1.3.3c of ProFTPD solves the problem.

The update also fixes a directory traversal vulnerability which can only be exploited if the “mod_site_misc” module is loaded. This flaw could allow attackers with write privileges to leave their permitted path and delete directories or create symbolic links outside of the path. The module is not loaded or compiled by default.

A remote root exploit is available: [Full-disclosure] ProFTPD IAC Remote Root Exploit

A Proftpd update for Plesk has been provided by Atomic Rocket Turtle. To apply the update, execute the commands below.

# wget -O - http://www.atomicorp.com/installers/atomic | sh
# yum upgrade psa-proftpd
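
To confirm that a server has reached the release the announcement names as the fix, the added example below (not part of the Parallels announcement or of this blog) compares an upstream ProFTPD version string against 1.3.3c, handling ProFTPD's rc and letter suffixes. The function names are hypothetical and the version strings in the loop are constructed.

```shell
#!/bin/sh
# Added example: is an upstream ProFTPD version at or above 1.3.3c, the
# release the announcement names as the fix? Function names are hypothetical.
# ProFTPD orders releases as 1.3.3rc1 < 1.3.3 < 1.3.3a < 1.3.3c, which a
# plain numeric or lexical sort gets wrong.
# Caveat: a vendor package can carry a backported fix under an older version
# string, so treat "older" as "check the package changelog", not as proof.

# Print a sortable integer key for a version such as 1.3.3c or 1.3.3rc4.
proftpd_version_key() {
    printf '%s\n' "$1" | awk '
        match($0, /^[0-9]+\.[0-9]+\.[0-9]+/) {
            split(substr($0, 1, RLENGTH), n, ".")
            suffix = substr($0, RLENGTH + 1)
            if (suffix == "")               rank = 100   # stable release
            else if (suffix ~ /^rc[0-9]+$/) rank = substr(suffix, 3) + 0
            else if (suffix ~ /^[a-z]$/)
                rank = 100 + index("abcdefghijklmnopqrstuvwxyz", suffix)
            else                            exit 1       # unknown form
            printf "1%03d%03d%03d%03d\n", n[1], n[2], n[3], rank
            parsed = 1
        }
        END { exit !parsed }
    '
}

# Exit status 0: at or above 1.3.3c; 1: older; 2: version not understood.
has_iac_fix() {
    key=$(proftpd_version_key "$1") || return 2
    fixed=$(proftpd_version_key 1.3.3c)
    [ "$key" -ge "$fixed" ]
}

# Constructed version strings; on a live host pass in the version reported
# by the installed daemon or package instead.
for v in 1.3.2e 1.3.3rc4 1.3.3 1.3.3b 1.3.3c 1.3.4; do
    if has_iac_fix "$v"; then
        echo "$v: at or above 1.3.3c"
    else
        echo "$v: older than 1.3.3c, update"
    fi
done
```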

RHEL 6

Red Hat has announced the availability of Red Hat Enterprise Linux (RHEL) version 6.

Red Hat, Inc, the world’s leading provider of open source solutions, today announced the general availability of Red Hat Enterprise Linux 6, the latest major release of the company’s flagship operating platform, setting the scene for its server operating systems for the next decade. With Red Hat Enterprise Linux 6, Red Hat defines new standards for commercial open source operating environments. Designed to support today’s flexible and varied enterprise architectures, Red Hat Enterprise Linux 6 delivers the comprehensive foundation customers need for physical, virtualized and cloud deployments.


20% discount coupon for Vision Helpdesk

On the occasion of HostingCon, Vision Helpdesk is offering a 20% discount with the coupon hostingcon.

Vision Helpdesk is a support application whose main strength is the ability to manage support requests for multiple domains.


Vodafone launches myDomain

On 16 June 2010 Vodafone launched myDomain, through which it offers web hosting services, a successor to the older mydomain/myx from the Connex days.

Four hosting packages are available:
– myDomain Start, for 3.99 Euro / month;
– myDomain Extra, for 7.99 Euro / month;
– myDomain Pro, for 11.99 Euro / month;
– Hosting Business, for 17.99 Euro / month.

Domains are included in the hosting packages.


New RoTLD API in June

RoTLD will launch a new API for partners in June; the documentation is available at dev.rotld.ro

The REST API is a web service that follows REST (Representational State Transfer) principles and is accessible over the HTTP protocol.

The service is secured with TLS and requires authentication. Authentication is based on HTTP Digest. The key is a 1024-bit RSA key. The certificate is self-issued, its purpose being strictly to ensure the encryption and decryption of the data transmitted over the HTTP connection.

The API is developed in Python and is built on the open source Twisted Matrix platform (http://twistedmatrix.com).

It is built on three levels (application layers):
– the web server application, which receives requests and returns responses. It runs as multiple instances and provides load balancing. Connections to the server are persistent in order to maintain session cohesion. Load balancing is provided by Red Hat Piranha (http://www.redhat.com/support/wpapers/piranha/x32.html).
– the middleware application, a collection of applications that handle request parsing, data sanitization, SSL offloading, flood prevention, response formatting, etc. The logging and real-time monitoring system is also implemented at this level, using a document-oriented database (MongoDB).
– the database middleware application. It provides the connection and the query mechanisms for the databases. This application conforms to the DB API 2.0 specification (http://www.python.org/dev/peps/pep-0249/), with queries performed asynchronously and without blocking. DB API 2.0 allows increased efficiency and speed. Synchronization of the data and of the results obtained from queries is done at the upper level (the middleware application layer) described in the previous item.

Requests to the web server are sent using POST. GET, HEADER, PUT, DELETE and UPDATE requests are not accepted.
Responses are provided in two formats: JSON and XML.


/dev/null R=central_filter T=**bypassed**

On a CentOS/cPanel/Exim server, outgoing email works only to external addresses; messages addressed to mailboxes on the server's own domain do not arrive.

The logs show:
/dev/null R=central_filter T=**bypassed**

The problem is caused by incorrectly defined email filters in cPanel; once we disable them, the emails work.
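
To see which mailboxes are affected before touching the filters, the added example below (not from the original post) counts, per recipient, the deliveries that Exim discarded through the central_filter router. The function names are hypothetical and the log lines are constructed in the usual Exim main-log layout.

```shell
#!/bin/sh
# Added example: list recipients whose mail Exim threw away through the
# central_filter router ("=> /dev/null ... R=central_filter T=**bypassed**").
# Function names are hypothetical.

# Constructed sample log lines (not taken from a real server).
sample_log() {
cat <<'EOF'
2010-05-04 10:15:01 1O9AbC-0001aB-2c <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1843
2010-05-04 10:15:01 1O9AbC-0001aB-2c => /dev/null <bob@example.com> R=central_filter T=**bypassed**
2010-05-04 10:15:01 1O9AbC-0001aB-2c Completed
2010-05-04 10:17:44 1O9AdE-0001cD-4e => carol <carol@example.com> R=virtual_user T=virtual_userdelivery
2010-05-04 10:21:09 1O9AfG-0001eF-6g => /dev/null <bob@example.com> R=central_filter T=**bypassed**
2010-05-04 10:22:30 1O9AhI-0001gH-8i => /dev/null <dave@example.net> R=central_filter T=**bypassed**
EOF
}

# Reads Exim main-log lines on stdin and prints "count recipient" for every
# address with a delivery to /dev/null made by the central_filter router,
# most affected recipient first. Other routers and normal deliveries are
# ignored.
discarded_by_filter() {
    awk '
        $4 == "=>" && $5 == "/dev/null" && index($0, "R=central_filter") {
            addr = $6
            gsub(/[<>]/, "", addr)      # strip the angle brackets
            count[addr]++
        }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed lines; on a cPanel host run instead:
#   discarded_by_filter < /var/log/exim_mainlog
sample_log | discarded_by_filter
```

A recipient that appears here while the sender saw no bounce is a mailbox whose filter rule is silently discarding mail, which is the symptom described above.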


cPanel error – invalid maildirsize file

When changing the space allocated to a mailbox from the cPanel interface, the following error appears: invalid maildirsize file

The simple fix is to delete the maildirsize file located in
/home/cont_cpanel/mail/adresa@email/
(where cont_cpanel stands for the cPanel account and adresa@email for the mailbox).


Uptime



namecheap discount coupon, December 2009

For the current month, the following discount coupons are available from namecheap:
.com domains at 8.81$ – coupon: SNOWNEEDLE
Transfers at 6.99$ – coupon: SWITCH2NC