Hestia 1.8.10 Security release

eris · October 24, 2023, 9:50am

We’re happy to announce that Hestia Control Panel v1.8.10 is now available to download.

This release contains 2 security patches and multiple other bug fixes

Restrict PHP-FPM permissions to a new user to prevent permission escalation to admin or other users (CVE will follow)
Reduce Nginx keepalive_requests to 1000 (Nginx default) to limit risks of CVE-2023-44487

We strongly ask you to update Hestia to the latest version! (1.8.9)

We also suggest disabling the php functions by default for extra security if it is not done yet run the file that you can find in:

github.com

hestiacp/hestiacp/blob/main/install/upgrade/manual/secure_php.sh

#!/bin/bash
# info: Secure websites FPM / CLI against basic executions if you use such functions remove them form the list

sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/fpm/php.ini

sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/cli/php.ini

Best regards,

If you have already updated to 1.8.9 please run!