new Support for old PHP versions on modern systems
Modern systems (Debian 12 and RHEL 9 based systems) using openssl >= 3.0 and icu >= 70 libraries were not able to use PHP versions older than PHP 8.1.
This release adds a series of patches for older PHP versions to make them compatible with modern systems. This change allows using any PHP version (from 5.6 to 8.2) on Debian 12 and RHEL 9 systems.
custombuild new Support for PHP 8.3
CustomBuild is updated to support building PHP 8.3 on all supported systems.
improved Random password generator upgrade
The automatic random password generator is upgraded to create stronger passwords and use simpler configuration (no configuration at all).
- Increased password length. Auto generated passwords will always be 20 symbols in length.
- Smaller password symbol set. Auto generated passwords will only use letters and numbers (and avoid similar looking symbols like
- The new password generator uses a reliable entropy source from the kernel instead of a user-space, time-based PRNG.
- The new generator produces passwords with 115 bits of entropy; the old generator produced passwords with 46 to 51 bits of entropy, depending on configuration.
Following configuration options in directadmin.conf are removed:
- special_characters_in_random_passwords, it is always false for new generator.
- random_password_length, it is always 20 for new generator.
- random_password_length_max, it is always 20 for new generator.
- ambiguous_characters_in_random_passwords, it is always false for new generator.
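The properties listed above, worked through as an added example (not DirectAdmin's own code). The excluded look-alike symbols are an assumption, chosen so that 54 symbols remain, which is consistent with the 115-bit figure (20 × log2 54 ≈ 115.1); `time_seeded_password` is a generic contrast case, not the old generator.

```python
import math
import os
import random
import string

# Assumption: the page does not list the excluded look-alike symbols. These 8
# are illustrative; dropping them leaves 54 of the 62 letters and digits.
AMBIGUOUS = "0Oo1lI5S"
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in AMBIGUOUS)
LENGTH = 20
# Largest multiple of the alphabet size that fits in a byte (216 for 54 symbols).
LIMIT = 256 - (256 % len(ALPHABET))

def symbol_from_byte(byte):
    """Map one random byte to a symbol, or None if using it would add modulo bias."""
    return ALPHABET[byte % len(ALPHABET)] if byte < LIMIT else None

def generate_password(length=LENGTH):
    """Build a password from kernel randomness (os.urandom) by rejection sampling."""
    out = []
    while len(out) < length:
        for byte in os.urandom(2 * length):
            symbol = symbol_from_byte(byte)
            if symbol is not None and len(out) < length:
                out.append(symbol)
    return "".join(out)

def entropy_bits(length=LENGTH, alphabet_size=len(ALPHABET)):
    """Entropy of a password whose symbols are independent and uniform."""
    return length * math.log2(alphabet_size)

def time_seeded_password(seed, length=LENGTH):
    """Contrast case: a user-space PRNG seeded from a timestamp is fully
    determined by that seed, whatever the password length."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    print(generate_password(), f"{entropy_bits():.1f} bits")
```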
improved Automatic old scripts and templates cleanup
After updating, DirectAdmin will perform a cleanup of the following directories:
Cleanup operation will remove all files not used by DirectAdmin.
Admin SSL improved
Valid column improved
The Valid column in /admin/ssl previously only indicated whether a domain exists in the host list of a certificate. This was confusing and incomplete. This change moves that old behaviour to host_in_cert=yes|no in the cache, and now sets valid=no in certificate_cache.json if signed=self-signed. When displaying the certificates in /admin/ssl, the value is also set to valid=no dynamically in the output if the expiry of the certificate has passed.
custombuild improved Software version changes
PHP 8.1 updated from
PHP 8.2 updated from
MariaDB 10.4 updated from
MariaDB 10.5 updated from
MariaDB 10.6 updated from
MariaDB 10.11 updated from
custombuild improved PHP compile-time hardening
Compile scripts for all PHP versions are updated to enable compile-time binary hardening features:
- Debug symbols will be stripped. This reduces the size of the final PHP binaries 3-4 times, making them faster to load and use less memory when loaded.
- Binaries will have stack canary protections. This makes it harder to convert a stack overflow bug to an exploit.
- Common libc functions are fortified to check buffer bounds.
- Binaries will have full RELRO support by marking the PLT and GOT memory areas as read only. This makes it harder to convert an out-of-bounds write to an exploit.
- Binaries are produced as Position Independent Code. This allows the kernel to apply ASLR, and makes exploits less deterministic.
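One way to verify the features in the list above on a built binary, as an added example (not part of CustomBuild). It assumes binutils `readelf` is installed; the function names and both sample reports are constructed for illustration.

```python
import re
import subprocess
import sys

def readelf_report(path):
    """Header, segments, dynamic section, sections and dynamic symbols in one run."""
    cmd = ["readelf", "-W", "-h", "-l", "-d", "-S", "--dyn-syms", path]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def audit(report):
    """Map each hardening feature from the list above to True/False."""
    relro = "GNU_RELRO" in report
    bind_now = re.search(r"\bBIND_NOW\b|\(FLAGS_1\).*\bNOW\b", report) is not None
    return {
        # ET_DYN on an executable means it was linked as PIE.
        "pie": re.search(r"^\s*Type:\s+DYN\b", report, re.M) is not None,
        # GNU_RELRO alone is partial RELRO; the GOT is read-only only with BIND_NOW.
        "full_relro": relro and bind_now,
        "stack_canary": "__stack_chk_fail" in report,
        # _FORTIFY_SOURCE swaps libc calls for checked variants such as __memcpy_chk.
        "fortify": re.search(r"\b__\w+_chk\b", report) is not None,
        "debug_stripped": ".debug_info" not in report,
    }

# Constructed, abbreviated readelf output for two builds (not real PHP binaries).
HARDENED = """\
  Type:                              DYN (Position-Independent Executable file)
  [27] .bss              NOBITS          00000000006a1000 6a0000
  GNU_RELRO      0x5f2a10 0x00000000005f3a10 0x00000000005f3a10
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
    31: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
"""
LEGACY = """\
  Type:                              EXEC (Executable file)
  [33] .debug_info       PROGBITS        0000000000000000 9f0000
  GNU_RELRO      0x5f2a10 0x00000000009f3a10 0x00000000009f3a10
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, audit(readelf_report(path)))
```

A `False` for `stack_canary` or `fortify` can also mean the binary contains no function that needed the protection, so read those two results alongside the build flags.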
More removal scripts for old libraries in /usr/local custombuild improved
CustomBuild is extended to detect and remove old copies of
libztd libraries in
evolution improved "No options" message within user level backup restoration
In cases where a backup is incorrectly archived (or empty), the user level backup restoration page didn't provide any options or any indication of why no options were given. With this change a message will be shown informing the user that there is nothing to restore from the selected backup file.
evolution improved Improved filter form on the Brute Force Monitor page
The filter form on the Brute Force Monitor page was a one-liner with several components, making it sometimes pretty cramped on smaller browser widths. It was improved to look like any other Evolution form, making it more user-friendly.
evolution improved Minimum width for a pinnable Refreshed layout sidebar
The minimum width was introduced for when the Refreshed layout sidebar is pinned to avoid cramped page content.
evolution fixed Translate custom widgets
Custom widgets are able to control the language their titles and descriptions are written in. This fix makes it so that whenever language is changed via the language dropdown button, widget data is fetched again so that language changes are immediately apparent.
evolution fixed Updates page fixes
There were several issues with the updates page that are now fixed:
- resets "Restarting Now..." button to initial state after backend finishes restarting
- disabled "update" button when an update is in progress
- does not allow user to click "update directadmin" or "restart directadmin" if one or the other was already clicked. This is because either one will restart directadmin and there's no good reason to allow either one to be pressed again.
- success notification for when update channel is changed has been replaced with "Update channel changed" instead of previous "Channel update scheduled". This is because setting update channel does not actually schedule an update.
evolution fixed Non-existent package navigation
Packages such as "custom" (or those that user was created with but later removed) cause errors when trying to navigate to them from reseller's "My Users" page. With this change, if a package doesn't exist, navigation will redirect to the modification page of the user whose package was clicked on.
evolution fixed Validation issues
A couple of minor fixes:
- it is no longer possible to "Assign" an existing database user when no user is selected.
- required field validation has been removed for temporary bandwidth increase. If no input is given, value will default to 0 instead.
evolution fixed Disabled menus
After disabling a menu entry within the "Customize Evolution Skin" page, disabled menus were still accessible by:
- finding the page through "related pages"
- search bar (on refreshed or icons grid layouts)
- passing the url directly into the browser
With this fix, it is now impossible to access disabled pages in any way.
evolution fixed Date formats
Previously date format changes (accessed using the sidebar or within the "Customize Evolution Skin" page) used to go through even if validation was failing. Now the format will save on input only until validation errors start appearing.
evolution fixed NS and PTR records
Users could attempt adding NS and PTR records even if dns_ptr=1 were set to 0 within directadmin.conf. Regular users were also able to see these records in their records table.
With this change:
- no type of user can add "NS" records when
- no type of user can add "PTR" records when
- regular users no longer see NS records when
- regular users no longer see PTR records when
evolution fixed Nginx Unit application restart message
Restarting an application in nginx unit used to always provide a success notification. Users will receive the same success notification if restart was successful, but on failure backend's response will be shown instead.
evolution fixed Modsecurity unicoded names
Domain and subdomain names weren't properly displayed within modsecurity pages.
- displays domain within title in unicode
- displays subdomain within title in unicode
- displays subdomain dropdown in unicode
evolution fixed Breadcrumbs on smaller browser width
Breadcrumbs on smaller browser widths weren't word-wrapped correctly.
fixed ClamAV integration on Debian 12 systems
Debian 12 systems provide a newer ClamAV version which changed its behaviour when the listening socket is passed via systemd instead of being opened by the daemon itself. If listening sockets are passed from systemd, ClamAV will ignore the socket listen configuration in the configuration file.
Because of this change, Debian 12 systems would start ClamAV listening only on the local UNIX socket, with no TCP socket listener even if one is configured in the /etc/clamav/clamd.conf file. Without a TCP socket listener, integration with proftpd does not work correctly.
CustomBuild is updated to detect this issue and extend the ClamAV systemd configuration to enable TCP socket support in systemd.
Random password generator options in
New random password generator no longer needs the following options:
removed Removed support for second PHP version
A single domain or sub-domain used to support more than one PHP version. To execute a PHP script with the secondary version, the file had to use a different extension. Files with the *.php extension were executed by the primary PHP version; if the secondary PHP version was 7.1, files with the suffix *.php71 would be executed by the secondary PHP.
This feature was very fragile because changing the secondary PHP version required renaming the files accordingly. If files were not renamed to match the configured secondary PHP version, the PHP scripts would be served by the web server as plain-text files, exposing source code publicly.
This feature is completely removed with the following changes:
- Configuration option directadmin.conf no longer enable secondary PHP selector. It is treated the same as
- Configured secondary PHP versions in domain config or sub-domain config (field php2_select) are ignored.
- Web server configuration templates no longer use tokens
- Web server configuration templates are updated to block access to PHP files with extensions php82. This ensures that we will not leak PHP sources for anyone who was using this feature.
- A new maintenance task is added to quickly check whether any of the users on the server have files with the blocked suffixes.
For anyone who was using this feature we recommend creating a different sub-domain for applications that require a custom PHP version. Different sub-domains can use different PHP versions.
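An independent way to audit for leftover secondary-PHP files, as an added example (this is not the DirectAdmin maintenance task). The suffix pattern ("php" plus two digits, as in php71 and php82), the default `/home` root and the function names are assumptions.

```python
import os
import re
import sys

# Assumption: legacy suffixes are "php" plus two digits (php71 style), the form
# the page's examples take; the full list of blocked extensions is not given.
LEGACY_SUFFIX = re.compile(r"\.php\d{2}$", re.IGNORECASE)

def looks_like_php_source(path, probe=4096):
    """True if the first bytes contain a PHP open tag, i.e. real source to protect."""
    try:
        with open(path, "rb") as fh:
            return b"<?" in fh.read(probe)
    except OSError:
        return False

def find_legacy_php_files(root):
    """Map each first-level directory under root (one per account) to its hits."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if not LEGACY_SUFFIX.search(name):
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the account's tree
            owner = os.path.relpath(full, root).split(os.sep)[0]
            report.setdefault(owner, []).append((full, looks_like_php_source(full)))
    return report

if __name__ == "__main__":
    # Assumption: account directories live under /home unless a root is given.
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for owner, hits in sorted(find_legacy_php_files(root).items()):
        for path, is_source in sorted(hits):
            print(owner, path, "php-source" if is_source else "no-open-tag")
```

Files flagged `php-source` are the ones that would have been served as plain text; rename them to `.php` on a sub-domain that runs the required PHP version, or move them outside the document root.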