Webuzo 2.7.2 Launched

Hi,

The Webuzo Team has released Webuzo 2.7.2.
This version introduces a major new feature, many improvements and bug fixes.

Features:

1) Added a Server Reboot utility so that users can reboot their servers from the panel itself, without needing to reboot from the command line.

2) Made a wizard to configure the Webuzo panel and Email server certificate with a Let’s Encrypt Certificate.*

3) Added Email Autoresponder utility for setting auto reply emails for user email accounts.*

4) Added a Migration utility so that users can migrate the Webuzo panel from one server to another.

Improvements:

5) Webuzo Default WebMail Client – SquirrelMail has been replaced with Rainloop.

Bug Fixes:

6) Backup filenames were not displayed in Webuzo Backup success emails, and backup error messages were not displayed in Webuzo Backup failure emails. This has been fixed.

App Updates:

7) Updated Exim

* Exim must be updated to the latest version

The upcoming version will bring more exciting Improvements, features and changes.

Regards,
The Webuzo Team

Tomcat 9.0 Launched

Hi,

The Webuzo Team has launched Tomcat 9, the latest version of Tomcat.

Apache Tomcat 9.0.x requires Java 8 or later. Apache Tomcat 8.0.x and 8.5.x required Java 7.

Apache Tomcat 9 now supports the following:

  • Java Servlet 4.0
  • JavaServer Pages 2.4
  • Java Unified Expression Language 3.1
  • Java API for WebSocket 2.0

If you want to learn more about Tomcat 9 features, please visit the official Tomcat site at the link below:
http://tomcat.apache.org

Let us know if you have any queries regarding Tomcat 9 in the comment section.

Regards,
Webuzo Team.

MySQL 8.0 Launched

Hi,

Webuzo Team has launched MySQL 8.0, the latest version of MySQL. It is available for both Ubuntu and CentOS.

A lot of important new features have been added in this version. You will find everything you need to know about these amazing new features on this link https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html

Please note the following points:

– Currently, we are not providing upgrades to MySQL 8.0 from any version of MySQL, Percona or MariaDB.
– Only fresh installations of MySQL 8.0 are allowed, so if you have an existing database then you may not be able to install MySQL 8.0.
– Since we are installing MySQL 8.0 from the vendor’s repo itself, MySQL will update itself whenever the OS updates.

Let us know if you have any queries regarding MySQL 8.0 in the comment section.

Regards,
Webuzo Team.

Webuzo 2.7.1 Launched

Hi,

The Webuzo Team has released Webuzo 2.7.1.
This version introduces a major new feature, many improvements and bug fixes.

Features:

1) Apache Subversion Management (SCM) has been integrated into Webuzo. Refer to this guide to bring your code under Source Control Management.

2) New Architecture for Application Managers to provide fast updates, bug fixes and security patches outside Webuzo releases.

Improvements:

3) Let’s Encrypt certificates will now be updated 30 days before the renewal date.

4) Updated the Let’s Encrypt utility (ACME.SH), which is used to issue and renew certificates.

5) Application Config editors can now be resized freely instead of having a fixed size.

6) Optimized Pure-FTPd quota check to reduce server load.

7) While downloading backup files, browsers will now display the total file size and the time to download.

8) Added a CLI utility to make Webuzo aware of the backup files uploaded in the /var/webuzo/backup directory. Refer to this guide for more information.

9) Exim and Dovecot now support SSL/TLS connections. *

Bug Fixes:

10) Fixed many bugs related to Apache Tomcat Management and configuration.

11) If PHP is running as a service, then editing its config file will trigger a restart.

12) Webuzo and numerous other Application service files have been updated so that the service will start up even after a hard reboot. It’s recommended to update all the Applications to the latest version.

13) When multiple Web Servers were installed, restarting the server would cause the non-default Web Server to start up on some servers. This is now fixed.

14) The Let’s Encrypt certificate used for the panel was not reloaded after the renewal process and required a manual restart of the Webuzo service. This is now done automatically.

App Updates:

15) Node.js updated to the latest LTS release. Refer to this guide to configure Node.js in Webuzo. #

16) MariaDB 10.3, the latest version in the 10.x series, launched.

17) Updated Pure-FTPd to the latest LTS release.

18) MySQL 8.0 launched, the latest version by the MySQL Community in the 8.X series.

19) Updated Tomcat 7 & 8 to the latest version.

* Both apps must be updated to the latest version
# This is a generic configuration, steps for your application might vary.

The upcoming version will bring more exciting Improvements, features and changes.

Regards,
The Webuzo Team

OpenSSL Vulnerability [CVE-2018-0732 & CVE-2018-0737]

Hi,

We have updated OpenSSL to the latest LTS version: 1.0.2p

The above update includes fixes for the following vulnerabilities:

CVE-2018-0732:
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

Find more info at: https://nvd.nist.gov/vuln/detail/CVE-2018-0732

CVE-2018-0737:
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

Find more info at: https://nvd.nist.gov/vuln/detail/CVE-2018-0737

We recommend that all users update OpenSSL, the web server and related libraries to protect their servers against the above attacks.
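
To check a host against the two affected ranges quoted above, the following added example (not OpenSSL or Webuzo code) parses the string printed by the openssl version command and compares its patch letter. The function names are illustrative, and the ranges are copied from the advisory text in this post.

```python
import re

# Affected ranges (inclusive) exactly as stated in the advisory text above.
AFFECTED = {
    "CVE-2018-0732": [("1.1.0", "1.1.0h"), ("1.0.2", "1.0.2o")],
    "CVE-2018-0737": [("1.1.0", "1.1.0h"), ("1.0.2b", "1.0.2o")],
}

VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.0.2o' or 'OpenSSL 1.0.2o  27 Mar 2018' into a sortable tuple."""
    m = VERSION.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, patch = m.groups()
    # Patch letters sort as "", a, b, ... z, za, zb: by length first, then text.
    return (int(major), int(minor), int(fix), len(patch), patch)


def affected_by(version_text):
    """Return the CVE ids from this advisory whose range contains the version."""
    v = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample strings in the format printed by `openssl version`.
    for sample in ("OpenSSL 1.0.2o  27 Mar 2018", "OpenSSL 1.0.2p  14 Aug 2018"):
        print(sample, "->", affected_by(sample) or "not in the affected ranges")
```

Distribution packages often backport fixes without changing the upstream version letter, so a hit on a vendor-patched build is a prompt to check the package changelog.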

Let me know if you have any questions in the comment section.

Regards,
The Webuzo Team

MariaDB 10.3 launched

Hi,

The Webuzo Team has launched MariaDB 10.3, the latest version in the 10.x series.

MariaDB is an open-source alternative to MySQL by the original developer of MySQL.

Get more info on the MariaDB project at the following link: MariaDB Org

You can check whether MariaDB fits your needs by checking the Release Notes & Change Logs.

Upgrades from the following versions of MySQL and MariaDB are allowed:

MySQL – 5.5 – 5.6
MariaDB – 5.5, 10.0 – 10.2

And of course, you can install MariaDB 10.3 as a fresh installation.

Note: After upgrading to or installing MariaDB 10.3, you cannot downgrade to any version of MySQL or MariaDB.

Let me know if you have any questions in the comment section.

Regards,
The Webuzo Team

How to configure Mod Security with Apache 2.2

Hi,

ModSecurity™ is a web application firewall engine that provides protection from XSS attacks as well as SQL injection attacks.

Before starting the configuration, please make sure you have git installed. If it is not installed on your server, install it with the following command:
For Ubuntu:

apt-get install git

For CentOS:

yum install git

Follow the below steps to configure:

  • First, download the rules required for the ModSecurity™ configuration with the following command:
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
  • Navigate into the downloaded directory. Rename crs-setup.conf.example to crs-setup.conf. Then move the rules/ directory as well as the crs-setup.conf file to the Apache configuration directory.
    cd owasp-modsecurity-crs
    mv crs-setup.conf.example crs-setup.conf
    mv crs-setup.conf /usr/local/apps/apache/etc/conf.d/
    mv rules/ /usr/local/apps/apache/etc/conf.d/
  • Create a file named security.conf in the Apache configuration directory (/usr/local/apps/apache/etc/conf.d/) and add the following content:
    LoadModule security2_module modules/mod_security2.so
    LoadModule unique_id_module modules/mod_unique_id.so
    
    <IfModule security2_module>
            SecDataDir /var/cache/modsecurity
            Include /usr/local/apps/apache/etc/conf.d/rules/*.conf
    </IfModule>
  • Finally, create a configuration file named mod_security.conf in the Apache configuration directory (/usr/local/apps/apache/etc/conf.d/) for the module itself, and add the following content to the file:
    Content for mod_security.conf
  • Now restart Apache to load all the configuration files using the following command:
    service httpd restart

Testing the configuration:

Once everything is configured properly, test the mod_security module by sending some malicious requests to the Apache web server and checking whether the requests are blocked.

Visit the following URL in the browser

 http://your-domain/?q="><script>alert(1)</script> 

You should see a 403 Forbidden response displayed by the browser.



403 Forbidden

Forbidden

You don't have permission to access / on this server.


Apache Server at {YOUR_IP} Port 80

Note: Please make sure you have index.php or index.html in the root directory of your domain
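
A 403 by itself does not prove that ModSecurity produced it: Apache also answers 403 on its own, for example when the document root has no index file, which is why the note above matters. The following added example (not part of the original post) reads Apache 2.2 error-log text and reports which requests ModSecurity denied and which rule ids matched. The log lines are constructed samples, and the rule ids 941100 and 949110 assume the cloned rule set is CRS 3.

```python
import re
from collections import defaultdict

# Constructed sample in Apache 2.2 / ModSecurity 2.x error-log layout (not real traffic).
# Rule ids 941100 and 949110 assume the cloned rule set is CRS 3.
RULES = "/usr/local/apps/apache/etc/conf.d/rules"
SAMPLE_LOG = "\n".join([
    '[Tue Jul 03 10:15:02 2018] [error] [client 203.0.113.7] ModSecurity: Warning. '
    'detected XSS using libinjection. [file "%s/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] '
    '[hostname "example.test"] [uri "/"] [unique_id "W0tA1"]' % RULES,
    '[Tue Jul 03 10:15:02 2018] [error] [client 203.0.113.7] ModSecurity: Access denied '
    'with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "%s/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[hostname "example.test"] [uri "/"] [unique_id "W0tA1"]' % RULES,
    # Apache's own 403 for a docroot without an index file: no ModSecurity involved.
    '[Tue Jul 03 10:16:40 2018] [error] [client 203.0.113.9] '
    'Directory index forbidden by Options directive: /home/user/public_html/',
])

CLIENT = re.compile(r'\[client ([^\]]+)\]')
FIELD = re.compile(r'\[(id|msg|uri|unique_id) "((?:[^"\\]|\\.)*)"\]')
DENIED = re.compile(r'ModSecurity: Access denied with code (\d{3})')

def modsec_blocks(log_text):
    """Group ModSecurity entries by unique_id and return the denied transactions."""
    txns = defaultdict(lambda: {"client": None, "uri": None, "status": None, "rules": []})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # a 403 logged by Apache itself is not a WAF block
        fields = dict(FIELD.findall(line))
        uid = fields.get("unique_id")
        if uid is None:
            continue
        txn = txns[uid]
        client = CLIENT.search(line)
        if client:
            txn["client"] = client.group(1)
        txn["uri"] = fields.get("uri", txn["uri"])
        if "id" in fields:
            txn["rules"].append((fields["id"], fields.get("msg", "")))
        denied = DENIED.search(line)
        if denied:
            txn["status"] = int(denied.group(1))
    return {uid: t for uid, t in txns.items() if t["status"] is not None}

if __name__ == "__main__":
    for uid, t in modsec_blocks(SAMPLE_LOG).items():
        print(uid, t["client"], t["uri"], t["status"], [r for r, _ in t["rules"]])
```

If the test request returns 403 but this finds no denied transaction for it in the error log, the response came from Apache rather than from the rule set.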

Webuzo System Application: MySQL (5.5 – 5.6) Updated

Hi,

The Webuzo team has launched updated versions of MySQL in the 5.5 & 5.6 branches.

Change log for MySQL 5.5.60 can be checked at the following link:
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html

Change log for MySQL 5.6.40 can be checked at the following link:
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-40.html

Let me know in the comments if you are facing any issues with the upgrade, I will try to answer as many as I can.

Regards,
The Webuzo Team

Webuzo System Applications : PHP (5.6 – 7.2) Updated

Hi,

The last update to all the PHP versions was supposed to fix the Hard Reboot issue if PHP was running as an FPM service.

Due to a bug, the issue was not fixed and continued to exist. Today, after reviewing the bug, the team has launched all the PHP versions with an updated service file to fix the Hard Reboot issue.

If you have installed multiple PHP versions, we encourage you to update all of them instead of only the default one, as the fix requires all the PHP versions installed on your server to have the updated service for the fix to work correctly.

Lastly, we have a version update for PHP 7.2:
Change log for PHP 7.2 can be checked at the following link:
http://sg2.php.net/ChangeLog-7.php#7.2.7

We hope this update fixes most of the 50x errors encountered for your websites.

Let me know in the comments if you are facing any issues with the upgrade or want to know more about the new service file, I will try to answer as many as I can.

Regards,
The Webuzo Team

Webuzo System Application: phpMyAdmin 4.8.2 Launched

Hi,

The Webuzo Team has launched phpMyAdmin 4.8.2, the latest version in the release branch.

Please check the change log below:

The urgent vulnerability allows an authenticated attacker to exploit a phpMyAdmin feature to show and potentially execute files on the server. PHP open_basedir restrictions mitigate the effect of this flaw. For further details, see the PMASA announcement.

A second flaw was also fixed allowing an attacker to use a specially crafted database name to trick a user into executing a cross-site scripting (XSS) attack in the Designer feature.

In addition to the security fixes, this release also includes these bug fixes as part of our regular release cycle:

  • WHERE 0 clause causes a fatal error
  • Fix missing “INDEX” icon

Known issues:

  • Unable to log in with MySQL 8.0.11 (bug #14220, see also https://bugs.php.net/bug.php?id=76243)
  • A few users have reported being unable to log in with a persistent error message “Failed to set session cookie. Maybe you are using HTTP instead of HTTPS”. In some cases, clearing the phpMyAdmin cookies (‘pma*’) resolves the issue.

If you have any questions regarding the upgrade or any issues after upgrade let me know in the comments.

Regards,
The Webuzo Team