VestaCP 0.9.8-16 is out!
Finally! After another long wait, the VestaCP 0.9.8-16 release is here! For me it’s somewhat unexpected; it is not really a major release but mainly a bug fix and refactor release. It is unexpected because there wasn’t activity around Vesta until last weekend. I haven’t taken a look at the new changes, I just installed the new release, so I’m wondering what it brings us.
Refactoring & bug fixes
The Vesta team has done a complete refactoring of the code, and this has fixed a lot of bugs. One of them was a big security issue: due to missing validation in the file manager, it was possible to create a session file and get admin permission. From there you could change the admin password and log in as root over SSH. In a security audit we did at our hosting company EmeraldCloudHosting, all our servers in a specific IP range (188.166.*.*) were infected. They also used one of our domains to infect other servers. In our audit, we found seven other domains that were used to infect systems. They changed the password of the admin user to ‘admin’ or ‘admin123’. Our quick fix was to rename the file manager directory in the Vesta root. On our systems, they only changed the admin settings and did nothing else.
New features
When I take a quick look at the web panel, I can’t find any new features. When I took a deeper look at the APIs, I finally found the Let’s Encrypt integration! I currently have some issues when I try to create a certificate, and maybe it isn’t completely ready yet. A new feature is the Cronjob planner. For beginning Linux users, this can help you better understand and create your cronjobs. You can select in human language when the jobs need to run, and then the real cronjob command will be generated.
[Image: Vesta CP cronjob planner]
The Let’s Encrypt APIs are:
v-add-letsencrypt-domain USER DOMAIN [ALIASES] [RESTART]
v-add-letsencrypt-user USER [EMAIL]
v-check-letsencrypt-domain USER DOMAIN
v-list-letsencrypt-user USER [FORMAT]
v-sign-letsencrypt-csr USER DOMAIN CSR_DIR [FORMAT]
v-update-letsencrypt-ssl
Release note:
- Full keyboard control
- Cron Helper
- LetsEncrypt Support (cli-only)
- File permission in File Manager
- Handle DES passwords
- New templates for PHP-FPM
- New and more secure basic templates
- Core refactoring
- Roundcube password driver update
- Fix, restore script and names with “_”
- Fix, backup exclusions and domain name with number
- Fix, backup exclusions and numbers in path
- Fix, backup exclusions for cron
- Fix, delete forward mail
- Fix, CSR empty field error
- Correction for state of list services
- Fix SSL includes on Nginx
- NS fields update
- Adding domain corrections
- Update for cron command line and ‘\’ symbols
- Increased File Manager default limits
- UI fixes
- FTP credentials for long names with “_”
- FTP default permission changes
- Remove redundant quotes in .html files
- no-php.tpl files now more compatible with PHP7
- Exim auto reply fix
- Improve firewall rules
- Dozen bugfixes including security issues
- Language files update thanks to Clark Chen, Didier Roy, Flatta, Selim Can CABA, Nguyen Ngoc Phuong
- Thanks to Tjebbe Lievens, n1trux, Orwah Issa, SysVoid, vestingpanel, drsdre, martijnded, Rune Laenen, Azuya, olshek, Martin Raiola, rumi55, Flatta, Roman Florea, Roman Sadoyan, Maks Skamasle, Nikolay Didenko, dpeca and all our contributors
- Special thanks to security researcher Nicolas Grégoire (Agarri), Yury Maryshev (Positive Technologies), Oleg Petrov, Austin Morton, Kent (varuza)
“It is unexpected because there wasn’t activity around Vesta until last weekend”
Skid drove along refactor with master branch, it took a lot of time. And when it was done… pull, pull, pull and release.
Yeah, I know skid was doing a fantastic job, but we didn’t see anything until last week. A few days earlier I had no idea that the new release would come so fast.
The thing I love about VestaCP is that it’s open sourced and available on GitHub, so in this case I could read the code to try to find a solution to my problem.