Version 1.657

Released: 2023-11-30

• Support for old PHP versions on modern systems new
• Support for PHP 8.3 custombuildnew
• Random password generator upgrade update
• Automatic old scripts and templates cleanup update
• Admin SSL improved Valid column update
• Software version changes custombuildupdate
• PHP compile-time hardening custombuildupdate
• More removal scripts for old libraries in /usr/local custombuildupdate
• "No options" message within user level backup restoration evolutionupdate
• Improved filter form on the Brute Force Monitor page evolutionupdate
• Minimum width for a pinnable Refreshed layout sidebar evolutionupdate
• Translate custom widgets evolutionfix
• Updates page fixes evolutionfix
• Non-existent package navigation evolutionfix
• Validation issues evolutionfix
• Disabled menus evolutionfix
• Date formats evolutionfix
• NS and PTR records evolutionfix
• Nginx Unit application restart message evolutionfix
• Modsecurity unicoded names evolutionfix
• Breadcrumbs on smaller browser width evolutionfix
• ClamAV integration on Debian 12 systems fix
• Random password generator options in directadmin.conf removal
• Removed support for second PHP version removal

Support for old PHP versions on modern systems new

Modern systems (Debian 12 and RHEL 9 based systems) using openssl >= 3.0 and icu >= 70 libraries were not able to use PHP versions older than PHP 8.1.

This release adds a series of patches for older PHP versions to make them compatible with modern systems. This change allows using any PHP version (from 5.6 to 8.2) on Debian 12 and RHEL 9 systems.

Support for PHP 8.3 custombuildnew

CustomBuild is updated to support building PHP 8.3 on all supported systems.

Random password generator upgrade update

Automatic random password generator is upgraded to create stronger passwords and use simpler configuration (no configuration at all).

Key changes:

• Increased password length. Auto generated passwords will always be 20 symbols in length.
• Smaller password symbol set. Auto generated passwords will only use letters and numbers (and avoid similar looking symbols like ilI1 and oO0).
• New password generator will use a reliable entropy source from kernel, instead of user space time based PRNG.
• New generator generates passwords using 115 bits of entropy, old generator used to generate passwords having from 46 to 51 bits of entropy based on configuration.

Following configuration options in directadmin.conf are removed:

• special_characters_in_random_passwords, it is always false for new generator.
• random_password_length, it is always 20 for new generator.
• random_password_length_max, it is always 20 for new generator.
• ambiguous_characters_in_random_passwords, it is always false for new generator.

Automatic old scripts and templates cleanup update

After updating DirectAdmin will perform a cleanup of the following directories:

• /usr/local/directadmin/scripts
• /usr/local/directadmin/data/templates

Cleanup operation will remove all files not used by DirectAdmin.

Admin SSL improved Valid column update

The Valid column in /admin/ssl previously only represented if a domain exists in the host list of a certificate. This was confusing and incomplete. This change will swap that old behaviour with host_in_cert=yes|no in the cache, but will now set valid=no in the certificate_cache.json if host_in_cert=no or signed=self-signed. When displaying the certificates /admin/ssl, the value is again set valid=no dynamically in the output if the expiry of the certificate has passed.

Software version changes custombuildupdate

• PHP 8.1 updated from 8.1.25 to 8.1.26
• PHP 8.2 updated from 8.2.12 to 8.2.13
• PHP 8.3 added 8.3.0
• MariaDB 10.4 updated from 10.4.31 to 10.4.32
• MariaDB 10.5 updated from 10.5.22 to 10.5.23
• MariaDB 10.6 updated from 10.6.15 to 10.6.16
• MariaDB 10.11 updated from 10.11.5 to 10.11.6

PHP compile-time hardening custombuildupdate

Compile script for all PHP versions are updated to enable compile-time binary hardening features:

• Debug symbols will be stripped, this reduces final PHP binaries 3-4 times, making them faster to load and use less memory when loaded.
• Binaries will have stack canary protections. This makes it harder to convert a stack overflow bug to an exploit.
• Common libc functions are fortified to check buffer bounds.
• Binaries will have full RELRO support by marking PLT and GOT memory area as read only. This makes it harder to convert out-of-bounds writes to an exploit.
• Produce Position Independent Code. This allows the kernel to do ASLR, and makes exploits less deterministic.

More removal scripts for old libraries in /usr/local custombuildupdate

CustomBuild is extended to detect and remove old copies of lua, libnghttp2, libztd libraries in /usr/local.

"No options" message within user level backup restoration evolutionupdate

In case when a backup file is malformed or empty, the user level backup restoration page didn't provide any options nor indication of why no options were given. With this change a message will be shown informing the user that there is nothing to restore from the selected backup file.

Improved filter form on the Brute Force Monitor page evolutionupdate

The filter form on the Brute Force Monitor page was a one-liner with several components, making it sometimes pretty cramped on smaller browser widths. It was improved to look like any other Evolution form, making it more user-friendly.

Minimum width for a pinnable Refreshed layout sidebar evolutionupdate

The minimum width was introduced for when the Refreshed layout sidebar is pinned to avoid cramped page content.

Translate custom widgets evolutionfix

Custom widgets are able to control the language their titles and descriptions are written in. This fix makes it so that whenever language is changed via the language dropdown button, widget data is fetched again so that language changes are immediately apparent.

Updates page fixes evolutionfix

There were several issues with the updates page that are now fixed:

• resets "Restarting Now..." button to initial state after backend finishes restarting
• disabled "update" button when an update is in progress
• does not allow user to click "update directadmin" or "restart directadmin" if one or the other was already clicked. This is because either one will restart directadmin and there's no good reason to allow either one to be pressed again.
• success notification for when update channel is changed has been replaced with "Update channel changed" instead of previous "Channel update scheduled". This is because setting update channel does not actually schedule an update.

Non-existent package navigation evolutionfix

Packages such as "custom" (or those that user was created with but later removed) cause errors when trying to navigate to them from reseller's "My Users" page. With this change, if a package doesn't exist, navigation will redirect to the modification page of the user whose package was clicked on.

Validation issues evolutionfix

A couple of minor fixes:

• it is no longer possible to "Assign" an existing database user when no user is selected.
• required field validation has been removed for temporary bandwidth increase. If no input is given, value will default to 0 instead.

Disabled menus evolutionfix

After disabling a menu entry within the "Customize Evolution Skin" page, disabled menus were still accessible by:

• finding the page through "related pages"
• search bar (on refreshed or icons grid layouts)
• passing the url directly into the browser

With this fix, it is now impossible to access disabled pages in any way.

Date formats evolutionfix

Previously date format changes (accessed using the sidebar or within the "Customize Evolution Skin" page) used to go through even if validation was failing. Now the format will save on input only until it validation errors start appearing.

NS and PTR records evolutionfix

Users could attempt adding NS and PTR records even if dns_ns=0 and dns_ptr=1 were set to 0 within directadmin.conf. Regular users were also able to to see these records in their records table.

With this change:

• no type of user can add "NS" records when dns_ns=0
• no type of user can add "PTR" records when dns_ptr=0
• regular users no longer see NS records when dns_ns=1
• regular users no longer see PTR records when dns_ptr=1

Nginx Unit application restart message evolutionfix

Restarting an application in nginx unit used to always provide a success notification. Users will receive the same success notification if restart was successful, but on failure backend's response will be shown instead.

Modsecurity unicoded names evolutionfix

Domain and subdomain names weren't properly displayed within modsecurity pages.

This change:

• displays domain within title in unicode
• displays subdomain within title in unicode
• displays subdomain dropdown in unicode

Breadcrumbs on smaller browser width evolutionfix

Breadcrumbs on smaller browser widths weren't word-wrapped correctly.

ClamAV integration on Debian 12 systems fix

Debain 12 systems provides a newer ClamAV version which changed its behaviour when listening the socket is being passed via systemd instead of being opened by the daemon itself. If listening sockets are being passed from systemd ClamAV will ignore socket listen configuration in the configuration file.

With this change Debian 12 systems would only start ClamAV listening on local UNIX socket and no TCP socket listener even if it is configured in the /etc/clamav/clamd.conf file. Without listening on TCP socket integration with exim and proftpd does not work correctly.

CustomBuild is updated to detect such systems and extend ClamAV systemd configuration to enable TCP socket support in systemd.

Random password generator options in directadmin.conf removal

New random password generator no longer needs the following options:

• special_characters_in_random_passwords
• random_password_length
• random_password_length_max
• ambiguous_characters_in_random_passwords

Removed support for second PHP version removal

Single domain or subdomain used to support more than one PHP version. To execute PHP script with secondary version file had to use different extension.

Files with *.php extension used to be executed by primary PHP version, if secondary PHP version was 7.1 files with suffix *.php71 would get executed by secondary PHP.

This feature was very fragile because changing the secondary PHP version required renaming the files accordingly. If files were not renamed to match configured secondary PHP version then PHP scripts would be exposed by the web-server as plain-text files exposing source code publicly.

This feature is completely removed with the following changes:

• Configuration option php_version_selector=2 in directadmin.conf no longer enables the secondary PHP selector. It is treated the same as php_version_selector=1.
• Configured secondary PHP versions in domain config or subdomain config (field php2_select) are ignored.
• Web server configuration templates no longer use tokens PHP2_RELEASE, HAVE_PHP2_FPM, HAVE_PHP2_FCGI, HAVE_PHP2_CLI, HAVE_PHP2_SUPHP.
• Web server configuration templates are updated to block access to PHP files with extensions .php53, .php54, ..., php82. This ensures that we will not leak PHP sources for anyone who was using this feature.
• A new maintenance task is added to allow quickly check if any of the users on the server has any files with the blocked suffixes.

For anyone who was using this feature we recommend creating different sub-domain for applications that require custom PHP version. Different subdomains can use different PHP versions.