EasyApache to Install Apache 2.4 in Basic Profile – 60 Day Notice

September 23rd, 2014

In approximately 60 days, the Basic profile in EasyApache will build Apache 2.4 by default. This change will not alter existing EasyApache profiles that build Apache 2.2. If you plan to update from an existing Apache 2.2 installation to Apache 2.4, we strongly recommend that you build in a test environment before you migrate Apache versions on a production server.

Review the following links for more information on the differences between Apache 2.2 and 2.4:

http://documentation.cpanel.net/display/EA/Critical+Changes+In+Apache+2.4

http://httpd.apache.org/docs/trunk/upgrading.html

cPanel EasyApache 3.26.8 Released

September 23rd, 2014

cPanel, Inc. has released EasyApache 3.26.8 with Curl version 7.38. This release addresses vulnerabilities related to CVE-2014-3613 and CVE-2014-3620.

AFFECTED VERSIONS
All versions of Curl 7.1 through 7.37.1

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-3613 – MEDIUM

Curl 7.38
Fixed bug in libcurl related to CVE-2014-0118.

CVE-2014-3620 – MEDIUM

Curl 7.38
Fixed bug in libcurl related to CVE-2014-0231.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.8 with an updated version of Curl to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Curl.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3613

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3620

http://curl.haxx.se/docs/security.html#20140910A

cPanel EasyApache 3.26.7 Released

September 5th, 2014

cPanel, Inc. has released EasyApache 3.26.7 with Apache version 2.2.29. This release addresses vulnerabilities CVE-2014-0118, CVE-2014-0231, CVE-2014-0226 and CVE-2013-5704. We encourage all Apache 2.2 users to upgrade to Apache version 2.2.29.

AFFECTED VERSIONS
All versions of Apache 2.2 before version 2.2.29.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-0118 – MEDIUM

Apache 2.2.29
Fixed bug in the Deflate module related to CVE-2014-0118.

CVE-2014-0231 – MEDIUM

Apache 2.2.29
Fixed bug in the CGID module related to CVE-2014-0231.

CVE-2014-0226 – MEDIUM

Apache 2.2.29
Fixed a race condition related to CVE-2014-0226.

CVE-2013-5704 – MEDIUM

Apache 2.2.29
Fixed a bug in the Headers module related to CVE-2013-5704.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.7 with an updated version of Apache 2.2 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0118

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0231

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5704

http://apache.cs.utah.edu//httpd/CHANGES_2.2.29

cPanel & WHM 11.44 Now in STABLE Tier

August 21st, 2014

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.44, which will soon be available in the STABLE tier.

cPanel & WHM 11.44 offers a transfer and restore renovation, configuration clusters, a new edition of Paper Lantern, support access, and more.

Transfer & Restore Renovation
From simple log files and reports to a continuous transfer and restore process, a series of changes to transfer and restore functionality brings widespread benefits.

Configuration Clusters
cPanel & WHM now offers configuration clustering to streamline the process of updating multiple servers, adding a powerful boost in efficiency.

Paper Lantern
With a more agile, consistent framework, Paper Lantern for cPanel & WHM 11.44 signifies progress towards user interface perfection and stunning, user-created themes.

Support Access
Grant cPanel Support Access enables customers to quickly grant server access to cPanel support staff, therefore speeding up the resolution of issues with just a few mouse clicks.

Detailed information on all cPanel & WHM 11.44 features can be found at https://documentation.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.

EasyApache 3.26.3 Released

July 29th, 2014

cPanel, Inc. has released EasyApache 3.26.3 with PHP version 5.5.15, Libxslt version 1.1.28 and Libxml2 version 2.9.1. This release addresses PHP vulnerability CVE-2014-4670 by fixing a bug in the SPL component, CVE-2012-6139 by fixing a bug in Libxslt, and fixes bugs in Libxml2 to address the following CVEs: CVE-2012-5134, CVE-2013-0338, CVE-2013-0339, CVE-2013-1969, and CVE-2013-2877. We encourage all PHP 5.5 users to upgrade to PHP version 5.5.15, and all users to upgrade to Libxslt version 1.1.28 and Libxml2 version 2.9.1.

AFFECTED VERSIONS
All versions of PHP 5.5 before 5.5.15.
All versions of Libxslt before 1.1.28.
All versions of Libxml2 before 2.9.1.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-4670 – MEDIUM

PHP 5.5.15
Fixed a bug in the SPL component related to CVE-2014-4670.

CVE-2012-6139 – MEDIUM

Libxslt 1.1.28
Fixed a bug in the Libxslt library related to CVE-2012-6139.

CVE-2012-5134 – MEDIUM

Libxml2 2.9.1
Fixed an out of bound access bug in the Libxml2 library related to CVE-2012-5134.

CVE-2013-0338 – MEDIUM

Libxml2 2.9.1
Fixed a bug in the Libxml2 library related to CVE-2013-0338.

CVE-2013-0339 – MEDIUM

Libxml2 2.9.1
Fixed a bug in the Libxml2 library related to CVE-2013-0339.

CVE-2013-1969 – HIGH

Libxml2 2.9.1
Fixed buffer conversion bugs related to CVE-2013-1969.

CVE-2013-2877 – MEDIUM

Libxml2 2.9.1
Fixed a bug in the Libxml2 library related to CVE-2013-2877.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.3 with updated versions of PHP 5.5, Libxslt and Libxml2 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest versions of PHP, Libxslt and Libxml2.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4670

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6139

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5134

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0338

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0339

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1969

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2877

http://php.net/ChangeLog-5.php#5.5.15

http://xmlsoft.org/ChangeLog.html

http://xmlsoft.org/Libxslt/ChangeLog.html

Beware of These 4 Common and Dangerous Cyberattacks

July 24th, 2014

Last week Google unveiled Project Zero, a new team dedicated to making Internet users less vulnerable to cyberattacks. From Heartbleed to Cryptolocker, the headlines are increasingly full of news about scary new threats that target the average Internet user.

“You know to delete that email that tells you you’ve won the lottery, so attackers have to change their approach over time,” Chris Weber, the co-founder of Casaba Security, told NBC News. “But really, these are new spins on old kinds of attacks.”

Here are four common and dangerous types of cyberattacks to watch out for — and how to avoid or fix them.

Ransomware

What it looks like: Ransomware falls under the large cyberattack umbrella of “malware” (malicious software), and it’s a particularly scary brand. It locks up a victim’s computer files and demands payment in exchange for unlocking them.

Victims of ransomware usually see a pop-up warning that overtakes the device’s screen, blocking access and encrypting files. The message demands the victim pay hundreds of dollars to unlock the files and regain access to the computer.

What to do: While it’s tempting to pay the ransom, security experts say that’s a bad idea: There’s no guarantee the crooks will actually free the files, and funding criminal activity only fuels it.

Ransomware victims can try to remove the malicious program themselves using anti-virus software, or take the infected device to a computer repair shop. If the ransomware can be removed, sometimes that’s all that’s needed: if the files weren’t actually encrypted, they would be accessible again. But if the files were indeed encrypted as threatened, removing the ransomware won’t change that.

“Unfortunately this is one of those cases when if your data has been encrypted, there’s just nothing you can really do,” said Kevin Johnson, the CEO of cybersecurity consultancy Secure Ideas.

As with most malware, ransomware is often unwittingly downloaded when users open email attachments or click on links, so as always caution is advised.

Sketchy video sites that ask you to install a “codec” or update

What it is: Didn’t feel like paying to stream that new movie, eh? It can be tempting to watch it for “free” on a website that streams pirated video, but these disreputable sites are sometimes filled with potential cyberattacks.

In this type of attack, victims click what looks like a regular video player in an attempt to stream the content. But then a message pops up telling the user to install a “codec” or other kind of update in order to view the video. Victims who download the so-called update are actually installing malware on their own computers.

What to do: Be wary of any message that pushes you to download something in order to view a video. And it’s not only sketchy “free video” sites: spammy viral video clips that make their way around Facebook could also be malicious. (One of the exceptions is Netflix, which uses Microsoft Silverlight to stream video.)

“You really have very few reasons to have to install anything to watch content on the Internet,” Dave Aitel, the CEO of security firm Immunity Inc., told NBC News. “But people say, ‘I really want to watch that show, so I’ll click until the clip starts playing.’”

Malicious links in messaging apps and social networks

What it is: This threat is perhaps the most similar to attack methods that have been around a while. That old spam email that contains a malicious link or attachment isn’t dead; it has simply moved to networks where people are active, and where they think they can trust a network of friends.

“We know to be more careful about email, but getting infected now isn’t like it used to be,” Raj Samani, the chief technology officer for McAfee’s EMEA region, told NBC News. “It could be a link in a LinkedIn connection request that looks legitimate, or a Twitter direct message that is supposedly from a friend.”

On a mobile device, the malicious software could harvest contact information, secretly place calls and send texts to premium numbers, and track a user’s location, for example.

What to do: Beyond the standard advice to avoid clicking on suspect links and files, Samani suggests mobile phone users install anti-virus programs that could catch the threats.

“Anti-virus is standard for most people on their desktop or laptop, but how many people do you know have it installed on mobile?” Samani said. His employer — McAfee — offers a free version of mobile anti-virus, as do companies such as Avast.



Fake Flappy Bird (and other popular apps)

What it is: The addictively simple (and temporarily pulled) mobile game Flappy Bird is lots of fun — but the hundreds of malicious clone apps lurking in app stores are quite the opposite.

“When an app gets even halfway popular — much less something as viral as Flappy Bird — app stores get so flooded that it’s hard to find the legitimate one,” Aitel said.

In Flappy Bird’s case, a report released last month from anti-virus company McAfee said hundreds of clones emerged in the first quarter of 2014 (after the legitimate app’s creator took it down). McAfee tested 300 of the clones and found that almost 80 percent of them contained malware.

Once downloaded, those malicious clones did very bad things with the victims’ phones, and in the worst cases, the malware gained full control of the infected device.

What to do: Carefully check before downloading an app from an app store: Check the creator’s name, the app’s description and the reviews among other information. Avoid giving any app sweeping permission to access parts of the phone, as tempting as it is to simply keep clicking “yes.” As with the previous threat, mobile anti-virus software can help mitigate or avoid the damage.

By Julianne Pepitone

EasyApache 3.26.2 Released

July 24th, 2014

SUMMARY
cPanel, Inc. has released EasyApache 3.26.2 with Apache version 2.4.10. This release addresses Apache vulnerabilities CVE-2014-0117, CVE-2014-0226, CVE-2014-0118, and CVE-2014-0231 by fixing bugs in the mod_proxy, mod_deflate, and mod_cgid modules. We encourage all Apache 2.4 users to upgrade to Apache version 2.4.10.

AFFECTED VERSIONS
All versions of Apache 2.4 before 2.4.10.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-0117 – MEDIUM

Apache 2.4.10
Fixed bug in the mod_proxy module related to CVE-2014-0117.

CVE-2014-0226 – MEDIUM

Apache 2.4.10
Fixed a race condition related to CVE-2014-0226.

CVE-2014-0118 – MEDIUM

Apache 2.4.10
Fixed bug in the mod_deflate module related to CVE-2014-0118.

CVE-2014-0231 – MEDIUM

Apache 2.4.10
Fixed bug in the mod_cgid module related to CVE-2014-0231.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.2 with an updated version of Apache 2.4 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0117

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0118

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0231

https://www.apache.org/dist/httpd/CHANGES_2.4

Google Aims To Make The Internet Safer With Its New Security Team, Project Zero

July 23rd, 2014

(The Hosting News) – Google has created a new team of security researchers with the goal of making the Internet safer by reducing the number of people harmed during zero-day attacks.

The new security team, Project Zero, is a team of highly skilled, full-time researchers that works toward locating and reporting large numbers of security threats.

“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” says Google “Researcher Herder” Chris Evans via blog post. “We think more can be done to tackle this problem.”

Evans notes that Project Zero isn’t restricted to finding vulnerabilities in only Google products. The team will work to discover bugs in other software that is widely used, paying attention to “techniques, targets and motivations of attackers.”

The information found will be stored in an external database where the vendors of the compromised software will be notified. Once a patch is made available, the team will release the information to the public, allowing users to discuss the vulnerability and see how long it took the vendor to patch the bug.

Google is currently looking for researchers for Project Zero, though they did not offer information on how to apply.

EasyApache 3.26 Released

July 17th, 2014

We are happy to announce the release of EasyApache 3.26 for cPanel & WHM. EasyApache 3.26 features a redesigned profile page that is easier to use and more informative.

EasyApache’s redesigned profile page includes cPanel & WHM’s new Optimal Profiles. The new Optimal Profiles include the recommended versions of PHP and Apache, and the modules that ensure that your EasyApache build is more secure and reliable. The new Optimal Profiles are tailored to your operating system and include profiles that we designed for the CloudLinux operating system. “Our Optimal Profiles help ensure a higher level of safety for our customers,” said the cPanel EasyApache Team.

For the most secure environment, we recommend that you use EasyApache’s new MPM ITK Optimal Profile for CloudLinux. This profile utilizes EasyApache 3.26’s new Apache MPM ITK option. The Apache MPM ITK option is available for CentOS, but does not include the additional security that the CloudLinux operating system provides. For more information on CloudLinux, visit http://cloudlinux.com.

EasyApache 3.24.22 Released

July 1st, 2014

SUMMARY
cPanel, Inc. has released EasyApache 3.24.22 with PHP 5.4.30 and 5.5.14. This release addresses multiple PHP vulnerabilities in the PHP core code and the Fileinfo, Network, and SPL modules. We encourage all PHP users to upgrade to PHP 5.4.30 and PHP 5.5.14.

AFFECTED VERSIONS
All versions of PHP 5.4 before 5.4.30.
All versions of PHP 5.5 before 5.5.14.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-3981 – LOW

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the PHP core code related to CVE-2014-3981.

CVE-2014-0207 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-0207.

CVE-2014-3478 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-3478.

CVE-2014-3479 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-3479.

CVE-2014-3480 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-3480.

CVE-2014-3487 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-3487.

CVE-2014-4049 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Network module related to CVE-2014-4049.

CVE-2014-3515 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the SPL module related to CVE-2014-3515.

SOLUTION
cPanel, Inc. has released EasyApache 3.24.22 with an updated version of PHP 5.4 and PHP 5.5 to correct this issue. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of PHP.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3981

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0207

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3478

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3479

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3480

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3487

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4049

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3515

http://www.php.net/ChangeLog-5.php#5.4.30

http://www.php.net/ChangeLog-5.php#5.5.14

Parallels Plesk 12 Makes Web Servers More Valuable

June 18th, 2014

(The Hosting News) – Parallels, the platform provider for cloud service delivery, today launched Parallels Plesk 12, featuring a powerful new security core, a full-featured WordPress Toolkit and four distinct editions of the software designed to deliver targeted functionality to web administrators, application developers, web professionals and hosting service providers.

Each new edition of Plesk 12 simplifies core web management tasks that better align with the way infrastructure is being used for hosting websites and web applications today. A new security core based on ModSecurity rules by Atomicorp provides server-to-site security and the new WordPress Toolkit will help hosters capture the growth in WordPress hosting.

“The hosted and cloud infrastructure industry is in a period of dynamic change, creating new opportunities for our partners,” said Birger Steen, chief executive officer, Parallels. “Plesk 12 gives service providers an easy way to turn commodity infrastructure into compelling solutions that solve real customer problems.”

Four new editions:

• Parallels Plesk Web Admin Edition – Optimized for hosting self-managed sites, this edition enables web administrators to easily manage their own server, websites, domains, email and more.

• Parallels Plesk Web App Edition – Optimized for hosting web applications, this edition enables web application developers to control application access rights with custom view management, manage servers and domains from any mobile device and deliver complete server-to-site security for protection from common scripted attacks against software.

• Parallels Plesk Web Pro Edition – Optimized for web professionals and digital agencies managing and hosting WordPress sites, this edition offers mass-management and security tools for WordPress hosting, server, account and WordPress management from any mobile device, and complete server-to-site security for protection from automated attacks against WordPress.

• Parallels Plesk Web Host Edition – Optimized for service providers who are hosting and reselling unmanaged shared accounts, this edition offers support for multi-tenant, high-density shared hosting, with upgraded reseller, subscription and account management tools, integrated supportability and security tools for WordPress hosting and complete server-to-site security for protection from malicious use.

Key functionality enhancements:

Capture WordPress Hosting Growth with Integrated Tools. The WordPress Toolkit simplifies daily tasks required to manage and secure WordPress sites. With Plesk 12 and the WordPress Toolkit, you will enable customers to:
• Manage multiple WordPress installations, plugins, and themes from a single point of entry
• Easily install, update, and remove WordPress, plus activate and remove plugins and themes
• Securely install WordPress and harden existing WordPress installations, applying the most common recommended security settings with rollback support

Reduce Support Calls with Secure Infrastructure. The new Security Core in Plesk 12 combines ModSecurity, Fail2Ban and Outbound Antispam tools allowing you to deliver server-to-site security out of the box. With the Plesk 12 Security Core on your servers you get:
• Secure servers that protect against persistent attacks targeting known or newly discovered vulnerabilities
• Increased uptime as malicious attacks against your servers are automatically blocked in real time
• Cleaner IP addresses with outgoing spam protection preventing your servers from being blacklisted

With Plesk 12, Parallels global partners such as 1&1 Internet Inc., Conetix, GMO Cloud KK, HostMySite, LeaseWeb, PacHosting, RIDE and STRATO see Plesk 12 delivering a tightly integrated set of mass-management and security tools to help them profit from the growing demand for WordPress hosting.

1&1

“With Parallels, 1&1 has a partner who shares our vision for optimizing performance for key server user groups,” said Hans Nijholt, head of server product management, 1&1 Internet, Inc. “For our customers to realize the full potential of 1&1’s work and investments – such as best-in-class server hardware, CPUs and network infrastructure – a world-class control panel is needed, and Plesk 12 delivers just that. Plesk 12 is the perfect complement to our server line-up and from today we are proud to provide it free with all types of 1&1 servers in all our markets.”

Conetix

“After 10 years of deploying Parallels Plesk, I believe Plesk 12 delivers the ultimate all-round solution for web designers, developers and digital agencies,” said Jamin Andrews, chief executive officer, Conetix. “Our clients are after a solution that is flexible, easy to manage and ahead of the game – Plesk 12 with the new WordPress Toolkit and built-in Security Core offers all this.”

GMO Cloud KK

“With the introduction of four new editions tailored to customer usage patterns, Plesk 12 enables us to offer services which are more valuable and easier to understand for the customers than ever,” said Minoru Karasawa, group chief technology officer and director, GMO Cloud K.K. “At GMO Cloud, we believe that Plesk 12 would allow us to take a strong step forward in actively approaching a new market including web professionals as well as providing secure and useful hosting services.”

HostMySite

“Plesk 12 makes it easier than ever to manage and secure WordPress hosted sites,” said John Enright, president, HostMySite. “It provides our customers with an interface that is optimized for how they use and deploy web applications and it enables us to go beyond basic infrastructure services and allows us to provide complete hosted application solutions.”

LeaseWeb

“As a long-time Parallels partner with over 60,000 physical servers under management, we put Plesk 12 to the test from an early stage and we really fell in love with the innovations added to the latest version,” said Marc Burkels, manager, dedicated hosting, LeaseWeb. “With the new Plesk 12 editions, we are now able to expand our channel by delivering complete solutions to target audiences. The significantly improved security, enhanced functionality and focus on user-friendliness convinced us to make the new version available to all of our bare metal server customers on day one of launch. And within a few weeks, Plesk 12 will be added to our public, private and hybrid cloud offerings as well.”

PacHosting

“We have partnered with Parallels for over 10 years and we are very impressed by the new features in Plesk 12,” said Natalie Kong, business analyst, PacHosting. “The best part of Plesk 12 is the new security core with built-in Fail2Ban, ModSecurity and integrated firewall. This will bring a new level of enhanced security for our clients. In addition, the deep integration with WordPress, which meets the growing demand, will now become one of our strong selling points over our competitors.”

RIDE

“Plesk 12 enables us to provide a complete solution to meet our customers’ needs,” said Hiroya Nakano, chief executive officer, RIDE Co. Limited. “With the help of Plesk 12, we can differentiate our services with features such as the WordPress ToolKit and enhanced server-to-site security built-in. This will give greater satisfaction to our customers.”

STRATO

“After introducing the Haswell processor in the European market, STRATO confirms its leadership position with the latest version of Plesk,” said Christian Böing, chief executive officer, STRATO AG. “Our main goal remains to provide our customers with the latest software and hardware versions. The new Plesk 12 is the perfect complement to our servers and core mass-management and a security tool that can be used to profit from the growing demand for WordPress hosting. That makes us a reliable and professional hosting provider and allows us to differentiate ourselves from our competitors.”

For more information, you can visit www.parallels.com/plesk

About Parallels

Parallels® provides the platform for service providers to sell and deliver great cloud services to businesses worldwide and cross-platform solutions. Parallels began operations in 2000 and has developed into a fast-growing software company with more than 900 employees across offices in North America, Europe, Africa, Australia and Asia.

For more information, please visit www.parallels.com/spp, follow us on Twitter at www.twitter.com/ParallelsCloud, and Like Us on Facebook at www.facebook.com/ParallelsCloud

Patching OpenSSL for the Heartbleed Vulnerability

June 17th, 2014

A security vulnerability in OpenSSL dubbed Heartbleed has been found. This vulnerability was only recently disclosed publicly, but has been “in the wild” for over a year. It’s important to update your local version of OpenSSL to correct this issue. This brief guide will walk you through ensuring that the patch is installed on your Linode, and suggest additional steps you can take to ensure your server’s security. As always, we suggest having backups of your system prior to making any changes.

This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, you can check our Users and Groups guide.

Installing the Patched Version

Here are the steps for ensuring you have the patched versions of OpenSSL on our most popular distros. If you’ve compiled from source, you’ll want to compile and reinstall using version 1.0.1g. Alternately you can recompile previous versions with the OPENSSL_NO_HEARTBEATS flag enabled to close the vulnerability.

Ubuntu and Debian

1. Check to see what your current OpenSSL version is:
openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Sat Feb 1 22:14:33 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Pay attention to the built on: line. Versions built before April 7th are vulnerable.

2. For Debian and Ubuntu systems, run these commands to update and upgrade your packages:
sudo apt-get update
sudo apt-get upgrade

3. During the upgrade, you may be shown a prompt that warns you about the security issue and lists the services that utilize OpenSSL and need to be restarted to apply the patch. You can add any additional services to this field by their init.d script names.

If you do not receive this prompt, be sure to manually restart any services that use OpenSSL.

4. After updating, run openssl version -a again to confirm the newer build:
openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014

CentOS

1. Check to see what your current OpenSSL version is:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan 8 18:40:59 UTC 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic

Pay attention to the built on: line. Versions built before April 7th are vulnerable.

2. To update OpenSSL from the repositories, run:
sudo yum -y install openssl

After updating, run openssl version -a again to confirm the newer build:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014

3. Be sure to manually restart any services that use OpenSSL.

Fedora

1. Check to see what your current OpenSSL version is:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Fri Dec 20 13:57:26 UTC 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic

Pay attention to the built on: line. Versions built before April 7th are vulnerable.

2. On Fedora systems, the patched version is currently being propagated through mirrors. You can update from the repositories with the following command:
sudo yum -y install openssl

You can also directly download the patched version and install it manually. For Fedora 20 (64-bit), run the following set of commands to install the patched version:
sudo yum -y install koji
koji download-build --arch=x86_64 openssl-1.0.1e-37.fc20.1
sudo yum localinstall openssl-libs-1.0.1e-37.fc20.1.x86_64.rpm openssl-1.0.1e-37.fc20.1.x86_64.rpm

3. After updating, run openssl version -a again to confirm the newer build:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 00:32:22 UTC 2014

4. Be sure to manually restart any services that use OpenSSL.
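
The check-and-restart steps above, combined into one script. This is an added example, not part of the original guide: the function names are hypothetical, the two samples are the Debian before/after output quoted above, and the build-date rule is the guide's own (it applies to distribution packages, not source builds). stale_ssl_pids goes beyond the guide's steps by listing the processes that still have the pre-upgrade library mapped and therefore still need the restart.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the guide.

# Cutoff from the guide: packages built before April 7th (2014) are vulnerable.
CUTOFF=20140407

# build_date_ymd: read `openssl version -a` output on stdin and print the
# "built on:" date as YYYYMMDD. Prints nothing if the line is missing or
# does not carry a parseable date.
build_date_ymd() {
    awk '
    /^built on:/ {
        # e.g. "built on: Sat Feb 1 22:14:33 UTC 2014"
        #       $1    $2  $3  $4 $5 $6       $7  $8
        m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
        if (length($4) != 3 || m == 0 || (m - 1) % 3 != 0) exit
        if ($5 !~ /^[0-9]+$/ || $8 !~ /^[0-9][0-9][0-9][0-9]$/) exit
        printf "%04d%02d%02d\n", $8, (m + 2) / 3, $5
        exit
    }'
}

# openssl_build_status: apply the guide's build-date rule to
# `openssl version -a` output on stdin.
# Prints one of: patched | vulnerable | unknown
openssl_build_status() {
    ymd=$(build_date_ymd)
    if [ -z "$ymd" ]; then
        echo unknown
    elif [ "$ymd" -lt "$CUTOFF" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# stale_ssl_pids: print the PIDs whose memory maps still reference a libssl
# or libcrypto file that has been replaced on disk. The kernel marks such
# mappings "(deleted)"; those processes keep running the old library code
# until they are restarted.
# $1 = proc root (defaults to /proc; a parameter so the scan can be tested).
stale_ssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Sample input: the Debian output quoted in the guide, before the upgrade.
sample_before() {
    cat <<'EOF'
OpenSSL 1.0.1e 11 Feb 2013
built on: Sat Feb 1 22:14:33 UTC 2014
platform: debian-amd64
EOF
}

# Sample input: the Debian output quoted in the guide, after the upgrade.
sample_after() {
    cat <<'EOF'
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014
EOF
}

echo "before upgrade: $(sample_before | openssl_build_status)"
echo "after upgrade:  $(sample_after | openssl_build_status)"

# On a live host:
#   openssl version -a | openssl_build_status
#   stale_ssl_pids     # run as root to read every process's maps
```

An "unknown" result means the build date could not be read, so fall back to the distribution's package changelog to confirm the fix.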

Reissue Certificates

The Heartbleed security bug would allow an attacker to read a portion of the memory on an unprotected system, including private keys used in SSL key pairs. It’s suggested that you reissue all key pairs, and revoke ones made previously. This can include keys used to create SSL certificates for web and mail servers. This means new SSL certificates should be generated or purchased.

You can follow the instructions here to create a new certificate signing request (CSR) and key, or check out the Apache-specific instructions here.

Additional Security Steps

While this security flaw has only recently been disclosed publicly, it has existed on many servers for well over a year. This means that any third party services you use that employ SSL encryption have been vulnerable. It’s suggested that you ensure that said services patch their systems, then reset your passwords.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Heartbleed.com
