Virtualmin virtual-server module version 3.97-2 [SECURITY]

Howdy all,

We’ve rolled out version 3.97-2 (and 3.97) of the virtual-server module. This release includes some refinements to the security changes made in 3.96; some of those changes could have caused some scripts installed outside of Virtualmin to stop working (those that use symlinks to files owned by other users). Because this is a potentially serious security problem, the FollowSymlinks feature of Apache is disabled, by default…Virtualmin now configures SymlinksIfOwnerMatch, instead, which prevents exploitation.

3.97 and 3.97-2 will prompt the root user on next login, to find out what the user wants to do about the change. You’ll be given the option not to make this switch; but we strongly discourage choosing this option as anything other than a very brief stopgap measure until you can modify your applications that rely on this feature. Note that scripts installed using Virtualmin’s Script Installers feature will, generally, have no problems with this change. This new version also has the ability to modify some .htaccess files provided by some applications (Drupal is one popular example) to fix them to work with the new option; Virtualmin will search for those .htaccess file mentions of FollowSymLinks and alter them to SymlinksIfOwnerMatch. This should work for most situations with locally installed scripts, but scripts installed into a shared common location will break without alteration of the configuration.

Because this change is related to potentially serious security issues (an exploit in a web application installed on your system could lead to a more serious security issue), upgrading to this new version and choosing to update your Apache options to use SymlinksIfOwnerMatch as soon as possible is strongly recommended.

There have been several discussions about this change, and its implications here in the forums, and we will be happy to answer questions about how to deal with this change. Again, scripts installed using the Virtualmin Install Scripts feature will not be impacted by this change; it mostly affects script installed using apt-get or yum into a central location and shared across many users via symlinks within the users home directory. There are ways to hardcode such installation configuration in httpd.conf (without using symlinks), and this would be recommended, if using Virtualmin Install Scripts is not possible in your case.

Changes since 3.96:

  • Updated the MediaWiki script installer to versions 1.20.2 and 1.19.3, bbPress to 1.2, TextPattern to 4.5.4, and ZenPhoto to
  • If running Virtualmin in SSL mode with a certificate of less than 2048 bits, a warning is now displayed on the system information page prompting the admin to generate or request a new cert.
  • Virtualmin will now prompt the root user after logging in if any virtual servers with unsafe symlink or mod_php settings are found. Previous versions applied fixes for these security issues automatically, which broke some domains.
  • Backups can now be prevented from updating the incremental state, so that ad-hoc backups can be run without interfering with scheduled incremental backups.

As always, if you run into any bugs or issues, please let us know.