Virtualmin virtual-server module version 3.96 released [SECURITY]

Howdy all,

I’ve just rolled out version 3.96 of the Virtualmin virtual-server module to all repos.

This is a security release, which includes fixes for three security issues (two minor, one a potentially moderately serious file exposure bug, if you have mod_php enabled). Thus, everyone should update immediately.

Changes since version 3.95:

  • Updated the Typo3 script installer to version 4.6.15, CMS made simple to 1.11.3, Drupal to 7.17, PiWik to 1.9.2, FengOffice to 2.2.1, TikiWiki to 9.2, SugarCRM to 6.5.8, ZenPhoto to, Joomla to 3.0.2 and 2.5.8, phpMyFAQ to 2.7.9, RoundCube to 0.8.4, MediaWiki to 1.20.0, Z-push to 2.0.5, phpMyAdmin to 3.5.4, Mantis to 1.2.12, dotProject to 2.1.7, Moodle to 2.3.3, and Django to 1.4.2.
  • Added an option to delete old mail in users’ trash folder to the Spam and Virus Delivery page, similar to the existing option for deleting spam.
  • Server templates can now be restricted to a subset of server owners, rather than being granted to all or nothing.
  • The spamtrap and hamtrap email aliases now only accept mail from authenticated senders or the local system, to prevent poisoning of the spamassassin rules engine by attackers.
  • Account plans can now be changed for multiple virtual servers at once, on the Update Virtual Servers page.
  • For virtual servers using CGI or fcgid mode for executing PHP, mod_php mode is now forcibly disabled to prevent potential security issues. This is also done for all domains at installation time.
  • All existing virtual servers using the FollowSymLinks option will be converted to SymLinksifOwnerMatch, to protect against malicious links into other domain’s directories.

As always, if you run into any problems with this new version, please let us know in the ticket tracker.