[Resolved] Is Litespeed vulnerable?

[bettinz]

A new exploit was found on OpenSSL:
http://www.openssl.org/news/secadv_20140605.txt

Litespeed appear vulnerable in 4.2.12 with this test:
http://ccsbug.exposed

Can you confirm?

(Apache appear not vulnerable after CentOS package update).

 

[cornish]

Hi yes it does say vulnerable, just tested all ours with Litespeed on,

But ones without are fine.

 

[NiteWave]

please force-reinstall 4.2.12 to latest and test again.
4.2.12 already build with OpenSSL 1.0.1h, and should be ok.

 

[bettinz]

Yes, I can confirm now it's not vulnerable. Sorry for the mistake

 

[cornish]

And me mine are still 4.2.11 not had any notification of an update, how do i update to version 4.2.12

 

[bettinz]

4.2.12 is still in "beta" I think, but it seem stable for production for me. Run this:

/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.12

and you'll update to 4.2.12

 

[cornish]

Do you know when it will be available to update, don't really want to update if its not full release just incase of problems.

 

[bettinz]

I don't work for Litespeed and I don't know, I'm sorry wait a reply from someone at Litespeed

 

[cornish]

ok thanks

 

[NiteWave]

Hi, 4.2.12 is quite stable now. it's pretty safe to upgrade to 4.2.12 now

and it's easy to switch back to precvious version --- when updage, previous versions still there.
just one click to switch between versions:
lsws webadmin -> Actions -> Version Manager

 

[cornish]

And do i upgrade like the post above said ?

 

[NiteWave]

yes. that's the command line method.
when 4.2.12 is officially released, you can upgrade at lsws web admin "Version Manager" as well.
command line method is more flexible and GUI mode is easier to use.

 

[cornish]

Thanks when will it be released ?

 

[NiteWave]

maybe tomorrow (Monday at EDT time) if no unexpected bug report (4.2.12 are running on some production servers for a while)

 

[cornish]

Ok thanks will wait a few days,

 

[3245]

Hello,
Thank you for update, http://www.webhostingtalk.com/showthread.php?p=9139454

it is possible let us know which files are affected (upgraded) after update exactly??

it is fine for Administrator's for check if anything is wrong.

Please tell us directory and file exactly.

 

[NiteWave]

Dear 3245,

it's the main litespeed binary, e.g., lshttpd.4.2.12
nulled lshttpd (all has been found before version 4.0.1) has no way update unless the nulled binary(e.g., lshttpd.4.0.1) is replaced.

 

[Michael]

For those of you that were waiting, 4.2.12 has been officially released now. The easiest way to upgrade is to use the lsup script:

/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.12