
Security Important Security Updates for Centmin Mod LEMP Users - OpenSSL, LibreSSL & ImageMagick

Discussion in 'Centmin Mod News' started by eva2000, May 6, 2016.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    54,110
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    5:11 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    OpenSSL/LibreSSL & ImageMagick Security Updates



    Centmin Mod LEMP stack users have 3 security updates they need to do for ImageMagick, OpenSSL and LibreSSL. You will want to update to the latest code base for either Centmin Mod 123.08stable or 123.09beta01 via centmin.sh menu option 23 (outlined further below) before following the steps to update ImageMagick and recompile PHP-FPM (centmin.sh menu option 5) and recompile Nginx against the newer fixed OpenSSL 1.0.2h or LibreSSL 2.3.4 (centmin.sh menu option 4).

    You can read and follow steps in respective threads below:
    Forum users who elected to receive forum announcement emails would have gotten an email recently for these three security alerts. To ensure these emails reach your inbox, please add the email's from address to your contact list and, for Gmail/Google App users, set up a filter to mark emails from that forum email address as 'Not Spam'. This will ensure you properly receive such Centmin Mod and CentOS related security updates which are relevant to your Centmin Mod LEMP stack install.

    Under forum Account Privacy settings you elect to receive forum mailings.



    Order of Announcement Alerts



    Alerts will always come first in this order: forum announcements, forum email announcements, social media announcements, then centminmod.com site announcements. And in future I will set up an email newsletter for subscribing to and, Premium membership funding permitted, may also set up SMS text alerts.

    Upgrading Centmin Mod Code to Latest Version



    Getting Started Guide step 19 outlines also how to keep Centmin Mod code updated or how to switch version branches.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git backed environment you can set up. For full details read the following links:
    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code outlined at Upgrade Centmin Mod. This is the heart of Centmin Mod, where the code is the engine that runs the centmin.sh shell based menu and all the automation you're accustomed to. You can easily update within a Centmin Mod version branch or switch version branches via centmin.sh menu option 23 outlined here.
    2. Upgrade software that Centmin Mod installed or manages. For this part, follow the outline at How to upgrade Centmin Mod software installed on your server.
    So essentially, you can upgrade from .07 to .08 in place, but not everything is upgraded as some things like server initial environment setup isn't changed i.e. how swap, tmp setup and allocation are created etc. The main parts from part 2 above are what in place upgrades do i.e. Nginx and PHP-FPM compilation and config/settings parameters and MariaDB version from 5.5 to 10.0.x. If you want the full environment changed including tmp and swap setup to .08's configuration, then you would need a fresh OS install and fresh .08 initial install. You can think of it like upgrading Windows 7 to Windows 8. An in place upgrade will upgrade code but won't change your computer environment from when you installed Windows 7 i.e. disk configuration and partition sizes won't change from when you initially installed Windows 7. Only way to change that would be fresh Windows 8 install.
     
    Last edited: May 6, 2016
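
    Added example (not part of the original post or Centmin Mod's own code): a POSIX shell check that reads `nginx -V` output and reports whether the OpenSSL/LibreSSL that Nginx was built with is at or above the fixed versions named in the post above (1.0.2h and 2.3.4). The function names and the sample `nginx -V` text are constructed for illustration; the check applies to the source-compiled Nginx only, not to CentOS yum packages, where fixes are backported without changing the upstream version string.

```sh
#!/bin/sh
# Added example: thresholds are the fixed versions named in the post.
FIXED_OPENSSL="1.0.2h"
FIXED_LIBRESSL="2.3.4"

# ver_ge A B: succeed when version A >= B. Handles OpenSSL-style
# letter suffixes (1.0.2g < 1.0.2h) and plain dotted versions (2.3.4).
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    la = a; sub(/^[0-9.]+/, "", la); sub(/[a-z]+$/, "", a)
    lb = b; sub(/^[0-9.]+/, "", lb); sub(/[a-z]+$/, "", b)
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (pa[i] + 0 > pb[i] + 0) exit 0
      if (pa[i] + 0 < pb[i] + 0) exit 1
    }
    # Numeric parts are equal: compare the letter suffix as a string.
    exit (((la "") >= (lb "")) ? 0 : 1)
  }'
}

# check_nginx_ssl: reads `nginx -V` text on stdin, prints "LIB VERSION STATUS".
# Returns 0 when fixed, 1 when a recompile is needed, 2 when no SSL line is found.
check_nginx_ssl() {
  pair=$(awk '$1 == "built" && $2 == "with" &&
              ($3 == "OpenSSL" || $3 == "LibreSSL") { print $3, $4; exit }')
  [ -n "$pair" ] || { echo "unknown no-ssl-line"; return 2; }
  lib=${pair%% *}
  ver=${pair#* }
  case "$lib" in
    OpenSSL)  min=$FIXED_OPENSSL ;;
    LibreSSL) min=$FIXED_LIBRESSL ;;
  esac
  if ver_ge "$ver" "$min"; then
    echo "$lib $ver fixed"
  else
    echo "$lib $ver NEEDS-RECOMPILE"
    return 1
  fi
}

# Constructed sample of `nginx -V` output (not taken from a real server).
# On a server, nginx writes this to stderr: nginx -V 2>&1 | check_nginx_ssl
SAMPLE='nginx version: nginx/1.9.15
built by gcc 4.8.5 (GCC)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled'
printf '%s\n' "$SAMPLE" | check_nginx_ssl || true
```

    A NEEDS-RECOMPILE result means Nginx still has to be rebuilt via centmin.sh menu option 4 as described in the post.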
  2. eva2000


    User Account Password Resets



    Due to the nature of the OpenSSL security vulnerability and as a precaution only, I am resetting forum users' account passwords within ~48hrs of this post. So please ensure your forum account emails are valid and working to receive the password reset email notice :)

    You can also change your passwords yourself at https://community.centminmod.com/account/security before the mass reset. A 2nd reset will happen in ~48hrs time still though.
     
  3. eva2000

    Password reset emails have now been sent :)
     
  4. eva2000

    CentOS 6.x OpenSSL system yum package has a fixed version available now, but only via the CentOS Continuous Release (CR) YUM repo due to the pending CentOS 6.8 release. There will be no OpenSSL fixed system yum package for CentOS 6.7 and below in the main default YUM repos, so you need to use the CR YUM repo as outlined here: Security - OpenSSL 1.0.h & Updating Centmin Mod Nginx SSL Support

    CentOS 7.x users have had an OpenSSL system yum update via the default main YUM repo since ~9 days ago. So a simple yum update would do it: Security - OpenSSL 1.0.h & Updating Centmin Mod Nginx SSL Support
     