Important product security update: Virtuozzo PowerPanel RTM Hotfix 1 (7.0.1-346)
Issue date: 2017-03-24
Applies to: Virtuozzo PowerPanel
Virtuozzo Advisory ID: VZA-2017-022
1. Overview
The new packages for Virtuozzo PowerPanel introduce a security fix and usability bug fixes.
2. Security Fixes
- [Important] Incorrect checking of locked VM accounts in Virtuozzo SDK allowed one to use any password to log in to Virtuozzo PowerPanel in the legacy mode for a VM with such a locked account. Other login methods, e.g., via SSH, were not affected. (PP-312)
3. Bug Fixes
- The ‘Change Password’ button did not work in the legacy mode. (PP-370, PP-311)
- Virtuozzo PowerPanel’s config file for Apache HTTP Server was not updated by the installer. (PP-366)
- The legacy mode login screen URL changed to ‘/login/ve’. After visiting the old URL, you will be redirected to the new one. (PP-341)
- A number of improvements for VNC console. (PP-335, PP-283, PP-191, PP-186, PP-156)
- Controller could be installed even if date and time had not been synchronized across nodes. (PP-309)
- The process of logging in to Virtuozzo PowerPanel was not indicated in any way. (PP-306)
- Emails and domain names could not be used as logins. (PP-299)
- Installation prerequisites were checked after the prompt for the Keystone admin password. (PP-287)
- The ‘Send Key Combination’ button did not show the list of key combinations. (PP-187)
4. Installing the Update
To install this update:
- Run ‘yum update’ on the controller node.
- Update Apache configuration:
  - If you did not change ‘/etc/httpd/conf.d/pp-ui.conf’, delete it, then rename ‘/etc/httpd/conf.d/pp-ui.conf.rpmnew’ to ‘/etc/httpd/conf.d/pp-ui.conf’.
  - Or if you changed ‘/etc/httpd/conf.d/pp-ui.conf’, merge ‘/etc/httpd/conf.d/pp-ui.conf.rpmnew’ into ‘/etc/httpd/conf.d/pp-ui.conf’ to update it while keeping your changes.
- Restart Apache on the controller node with ‘systemctl restart httpd’.
- Propagate updates to compute nodes by running ‘vzapi-installer computes’ from the controller node.
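The Apache configuration step above can be scripted as follows. This is an added example, not part of the advisory or of Virtuozzo's tooling; the function name ‘pp_conf_update’, its return codes and the ‘.orig’ backup copy are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Virtuozzo's): the Apache configuration step of this update.
# pp_conf_update is a hypothetical helper name; run as root on the controller node.
# Usage: pp_conf_update unchanged|changed [path-to-pp-ui.conf]
# Returns 0 = .rpmnew installed, 1 = nothing to do / bad usage, 2 = manual merge needed.
pp_conf_update() {
    mode=$1
    conf=${2:-/etc/httpd/conf.d/pp-ui.conf}
    new="$conf.rpmnew"

    if [ ! -f "$new" ]; then
        echo "$new not found: run 'yum update' first, or the step is already done" >&2
        return 1
    fi

    case $mode in
    unchanged)
        # The advisory says to delete the old file; as an assumption of this
        # example a copy is kept as *.orig, which a conf.d/*.conf include skips.
        if [ -f "$conf" ]; then
            cp -p "$conf" "$conf.orig" || return 1
        fi
        mv -f "$new" "$conf" || return 1
        echo "installed new $conf"
        return 0
        ;;
    changed)
        # Local edits exist: show what the packaged file changes and leave both
        # files in place so the differences can be merged by hand.
        echo "merge these differences into $conf, then remove $new:"
        diff -u "$conf" "$new" || true
        return 2
        ;;
    *)
        echo "usage: pp_conf_update unchanged|changed [conf]" >&2
        return 1
        ;;
    esac
}
```

Running ‘apachectl configtest’ before the restart in the next step catches a bad merge before Apache is restarted with it.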
The JSON file with the list of new and updated packages is available at JSON file.