Join the community today
Become a Member

Security PHP 7.3.3, 7.2.16 & 7.1.27 & Nginx OpenSSL 1.1.1b Security Fix Releases

Discussion in 'Centmin Mod News' started by eva2000, Mar 7, 2019.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    54,087
    12,177
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,735
    Local Time:
    12:12 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    PHP folks has released new versions for PHP security and bug fixes related releases today for PHP versions, 7.3.3, 7.2.16, and 7.1.27 and OpenSSL folks have released a OpenSSL CVE-2019-1543 Security Advisory which affects OpenSSL 1.1.1 branch used by Centmin Mod 123.09beta01 and newer's Nginx builds. I've also added backported PHP security patches from PHP 7.1.27 to PHP 5.6 builds in Centmin Mod 123.09beta01.


    OpenSSL 1.1.1 CVE-2019-1543 Security Fix



    I have updated Centmin Mod 123.09beta01 to patch fix OpenSSL 1.1.1b builds used by Nginx seeing as OpenSSL are not releasing a new version for the CVE-2019-1543 security issue. You can recompile/update Nginx via centmin.sh menu option 4 to update Nginx's OpenSSL 1.1.1b builds with the security patch fix.

    The Nginx version info output will still show OpenSSL 1.1.1b for CVE-2019-1543 security patched builds.

    PHP Releases


    Updating PHP On Centmin Mod LEMP Stacks


    • If you're on Centmin Mod 123.08stable and want PHP 7.1, 7.2, or 7.3 support, you will need to update your server from Centmin Mod 123.08stable to 123.09beta01 first. This can be done via centmin.sh menu option 23 submenu option 3 to switch Centmin Mod branches as outlined in 1st post under heading of How to switch to 123.09beta01 branch ? at Centmin Mod .09 beta branch Testing as well as official update page.
      Code (Text):
      --------------------------------------------------------
             Centmin Mod Updater Sub-Menu           
      --------------------------------------------------------
      1). Setup Centmin Mod Github Environment
      2). Update Centmin Mod Current Branch
      3). Update Centmin Mod Newer Branch
      4). Exit
      --------------------------------------------------------
      Enter option [ 1 - 4 ] 3
      --------------------------------------------------------
      
    • For Centmin Mod 123.09beta01 and newer, first update to latest version code via SSH command = cmupdate (same equivalent to centmin.sh menu option 23 submenu option 2 method). Then run centmin.sh menu option 5 to update to either PHP versions 7.3.3, 7.2.16 or 7.1.27. Example output from cmupdate SSH command run:
      Code (Text):
      cmupdate
      No local changes to save
      Updating 01d312a..5ae59d9
      Fast-forward
       addons/acmetool.sh                                                   | 20 ++++++++++++--------
       centmin.sh                                                           | 20 ++++++++++----------
       config/motd/dmotd.sh                                                 |  1 +
       example/custom_config.inc                                            | 18 +++++++++---------
       inc/centminfinish.inc                                                | 32 ++++++++++++++++++++++++++++++++
       inc/memcached_install.inc                                            | 13 +++++++++++++
       inc/nginx_configure.inc                                              |  1 +
       inc/nginx_upgrade.inc                                                |  2 +-
       inc/openssl_install.inc                                              | 26 ++++++++++++++++++++++++++
       inc/php_configure.inc                                                | 39 ++++++++++++++++++++++++++++++++++-----
       inc/shortcuts_install.inc                                            | 10 ++++++++++
       inc/sshd.inc                                                         |  2 +-
       patches/openssl/OpenSSL-1.1.1b-ChaCha20-Poly1305-CVE-2019-1543.patch | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
       13 files changed, 216 insertions(+), 34 deletions(-)
       create mode 100644 patches/openssl/OpenSSL-1.1.1b-ChaCha20-Poly1305-CVE-2019-1543.patch
      
    • If you are on Centmin Mod 123.08stable and concerned about losing customisations when you upgrade to Centmin Mod 123.09beta01, read this guide on how to upgrade and keep most of your customisations at How to upgrade Centmin Mod + backing up customisations.
    Centmin Mod 123.09beta01 PHP 7.3.1 update

    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB MySQL Upgrade & Management
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 5
    --------------------------------------------------------
    

    Code (Text):
    Do you want to run YUM install checks ?  [y/n]
    
    This will increase your upgrade duration time wise.
    Check the change log centminmod.com/changelog.html
    to see if any Nginx or PHP related new additions
    which require checking YUM prequisites are met.
    If no new additions made, you can skip the
    YUM install check to speed up upgrade time.
    
     [y/n]: n
    

    Code (Text):
    ----------------------------------------------------------------
    Install which version of PHP? (version i.e. 5.6.40, 7.0.34, NGDEBUG)
    PHP 7.x/7.1.x/7.2.x/7.3.x is GA Stable but still may have broken PHP extensions.
    NGDEBUG is PHP 7.4.0 dev builds minus incompatible PHP extensions
    ----------------------------------------------------------------
    Enter PHP Version number you want to upgrade/downgrade to: 7.3.3
    ----------------------------------------------------------------
    existing php.ini will be backed up at /usr/local/lib/php.ini-oldversion_050319-233511
    Want to update to latest php.conf ? (overwrites will auto backup existing php.conf)
    existing php.conf will be backed up at /usr/local/nginx/conf/php.conf-oldversion_050319-233511
    ----------------------------------------------------------------
    

    Code (Text):
    -----------------------------------------------------------------------------------------
    Detected PHP 7.3 branch.
    You can compile Zend OPcache (Zend Optimizer Plus+) support
    as an alternative to using APC Cache or Xcache cache.
    But Zend OPcache only provides PHP opcode cache and
    DOESN'T do data caching, so if your web apps such as Wordpress,
    Drupal or vBulletin require data caching to APC or Xcache,
    it won't work with Zend OPcache.
    
    -----------------------------------------------------------------------------------------
    Do you want to use Zend OPcache [y/n] ? y
    
    *************************************************
    * Zend Optimizer Plus OPcache configured
    *************************************************
    
    PHP 7+ detected which uses newer mysqlnd
    or PDO MySQL extensions and removed the
    legacy mysql extension. You can optionally
    re-add the removed legacy mysql extension
    to PHP 7+ by answering yes to next question
    Only answer yes if you know for sure you
    have very old web scripts which need mysql
    legacy extension re-added. Otherwise answer
    no which is recommended for best stability
    
    Re-add legacy mysql extension to PHP 7+ [y/n] ? n
    

    Code (Text):
    php -v
    PHP 7.3.3 (cli) (built: Mar  5 2019 23:42:40) ( NTS )
    Copyright (c) 1997-2018 The PHP Group
    Zend Engine v3.3.3, Copyright (c) 1998-2018 Zend Technologies
        with Zend OPcache v7.3.3, Copyright (c) 1999-2018, by Zend Technologies
    

    PHP 7.3.3 with Argon2 hash algorithm support and libsodium PHP extension
    Code (Text):
    php -r 'print_r(get_defined_constants());' | grep -i argon
        [PASSWORD_ARGON2I] => 2
        [PASSWORD_ARGON2ID] => 3
        [PASSWORD_ARGON2_DEFAULT_MEMORY_COST] => 1024
        [PASSWORD_ARGON2_DEFAULT_TIME_COST] => 2
        [PASSWORD_ARGON2_DEFAULT_THREADS] => 2
        [SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13] => 1
        [SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13] => 2
        [SODIUM_CRYPTO_PWHASH_STRPREFIX] => $argon2id$
    

    Code (Text):
    php --ri sodium
    
    sodium
    
    sodium support => enabled
    libsodium headers version => 1.0.17
    libsodium library version => 1.0.17
    
     
    Last edited: Mar 7, 2019
Thread Status:
Not open for further replies.