Article ID: 8029, created on Feb 2, 2010, last review on Aug 12, 2014

  • Applies to:
  • H-Sphere 3.3

Symptoms

PCI non-compliance is reported.

Cause

The PHP5 version is too old (5.2.10 or earlier) and contains known vulnerabilities.
The phpMyAdmin version is too old (2.11.9.5 or earlier) and contains known vulnerabilities.

Resolution

Update your H-Sphere servers with the newer versions of PHP5 and phpMyAdmin packaged by Parallels.

Note: For the time being, these packages are available only through private updates. Use the instructions below to perform a private update:

 

1. Decide which physical servers you will update, considering the following:

  • phpMyAdmin is installed on MySQL servers.

  • PHP5 can be installed on Web servers, and is installed on the servers with phpMyAdmin.
To check whether PHP5 is installed on a particular hardware node, log in to it over SSH and issue the command:

on Linux servers:

# rpm -qa | grep hsphere-php5

on FreeBSD servers:

# pkg_info | grep hsphere-php5

One or more lines of relevant output means that PHP5 is installed.

  • You might want to update only a few servers at first, test them in production, and update the rest once testing is successful.

 

2. (This step is necessary only if you do not already have a profile with the same settings.) Create a new physical server profile, as described at http://hsphere.parallels.com/docs/3.3/admin/html/pserver_profiles.html

When creating the profile:

  • Select Unix as a base for the profile.

  • Select the Private update (for testing purpose) (-P) checkbox.

You may leave the other settings unchanged.

 

3. Assign the created (or existing) “private” physical server profile to the servers you want to update as described at http://hsphere.parallels.com/docs/3.3/admin/html/pserver_profiles.html.

 

4. Update the servers as described at http://hsphere.parallels.com/docs/3.3/admin/html/updating_box_from_cp.html

 

5. When the update is finished, verify that the servers were updated successfully:

5.1 At the E.Manager -> Update -> Update Boxes screen, for each updated server, click the server name and read the updater log. Check the new versions of the hsphere-php5* and hsphere-phpmyadmin packages, and the overall update status at the end of the log.

5.2 (optional) Additionally you may log in to the updated server(s) over SSH and issue the following command:

On Linux servers:

# rpm -qa | grep hsphere-php

On FreeBSD servers:

# pkg_info | grep hsphere-php

The output should contain the new versions only:

On Linux servers:

5.2.12-1 for the hsphere-php5* packages, and 2.11.10-1 for the hsphere-phpmyadmin package

On FreeBSD servers:

5.2.12_1 for the hsphere-php5* packages, and 2.11.10_1 for the hsphere-phpmyadmin package
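
The check in step 5.2 can be scripted so that a package left at an old version is not missed when several servers are reviewed. The following is an added example, not part of the original article or of H-Sphere: the function name and the sample package names are assumptions, and only the expected versions are taken from this article.

```shell
#!/bin/sh
# Added example: compares a package listing with the versions named in step 5.2.
# Expected versions are from the article; the sample listing below is constructed.

PHP5_VER='5.2.12'   # release 1: "-1" on Linux, "_1" on FreeBSD
PMA_VER='2.11.10'   # release 1: "-1" on Linux, "_1" on FreeBSD

# Reads `rpm -qa` or `pkg_info` output on stdin, prints one verdict for each
# hsphere-php5* / hsphere-phpmyadmin package, and returns 1 if any of them
# is not exactly at the expected version.
check_hsphere_versions() {
    rc=0
    while read -r pkg _rest; do      # pkg_info appends a comment after the name
        case "$pkg" in
            hsphere-php5*)       want=$PHP5_VER ;;
            hsphere-phpmyadmin*) want=$PMA_VER ;;
            *) continue ;;           # e.g. hsphere-php-accelerators: not part of step 5.2
        esac
        case "$pkg" in
            *-"$want"-1 | *-"$want"-1.* | *-"$want"_1)
                echo "OK       $pkg" ;;
            *)
                echo "MISMATCH $pkg (expected $want, release 1)"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample listing (Linux form) with one package left at an old version.
SAMPLE='hsphere-php5-5.2.12-1
hsphere-php5-plain-5.2.10-1
hsphere-phpmyadmin-2.11.10-1
hsphere-php-accelerators-1-5'

printf '%s\n' "$SAMPLE" | check_hsphere_versions ||
    echo "At least one package is not at the expected version."

# On a real server:
#   rpm -qa  | grep hsphere-php | check_hsphere_versions    (Linux)
#   pkg_info | grep hsphere-php | check_hsphere_versions    (FreeBSD)
```

A non-zero exit status means the server still reports a version other than the ones listed above and the updater log for that server should be reviewed.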

Additional information

This article applies to H-Sphere 3.3 Patch 1.

The private update described in this article will additionally install the new hsphere-php-accelerators package (version is 1-5 on Linux, 1_5 on FreeBSD) that is necessary for eAccelerator to work. If you have already performed the private update in accordance with the article and have not seen this notice, please consider performing one more private update on the same servers. For more information, refer to KB #8196.

