Announcing:
LiteSpeed Plugin for cPanel v2.4.9 and LiteSpeed Plugin for WHM v5.3.3.0
In this update: Security hardening, bug fixes, and more!
cPanel RELEASE LOG:
[Security] Further harden outbound HTTP request validation.
[Security] Harden ACME challenge directory handling.
[Security] Harden temporary directory handling in backup/restore operations.
[Security] Improve cache-manager JavaScript message output encoding.
[Bug Fix] "Redis support is only available in caged environments" message no longer appears when inside a real cage with root-owned plugin files.
[Bug Fix] Enabling Redis no longer shows a benign service-manager message as an error.
WHM RELEASE LOG:
[Security] Remove WHM per-session security token from all remaining GET query string render paths.
[Security] Additional XSS hardening in LiteSpeed Containers Package Manager template, shared message template, and mass cache operation views.
[Security] Add same-origin Referer policy to plugin page header.
[Security] Harden suEXEC configuration save input validation.
[Security] Harden LiteSpeed Containers statistics Prometheus URL handling.
[Security] Harden server status file reading.
[Security] Tighten permissions on per-user Redis runtime directories.
[Security] Harden Redis transfer/restore account-data handling.
[Security] Additional hardening of privileged command inputs, LiteSpeed home path validation, and recursive directory cleanup logic.
[Security] Rework in-plugin CSRF guard to default-deny for all state-changing requests.
[Security] Improve output encoding in Redis user/package management templates and JavaScript message rendering.
[Security] Harden Redis helper script loading and execution.
[Security] Additional integrity checks for privileged lspkgctl execution.
[Improvement] Remove 1024 MB upper bound on Redis sizes.
[Bug Fix] Redis package setup no longer writes to the wrong cage directory on LiteSpeed Containers hosts.
[Bug Fix] Clarify Redis enable reporting to prevent successful service enable from reporting as an error when optional cache auto-configuration cannot complete.
[Bug Fix] Redis package action buttons no longer submit the form when cancelling the confirmation prompt.
[Bug Fix] LiteSpeed Containers Stats Manager cached Prometheus settings are now replayed only once and rejected cached values are cleared.
[Bug Fix] Tighten LiteSpeed Containers Stats Manager Prometheus host validation to reduce LiteSpeed Containers curl failures.
[Bug Fix] Correct LiteSpeed Containers Stats Manager refresh interval.
[Bug Fix] Correct navigation issues by migrating the main interface to AJAX navigation.
[Bug Fix] Address multiple causes of the WHM plugin spinner hanging indefinitely.
[Bug Fix] TimezoneDB extension build/update results page no longer fails to show its title and success status.
https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log
If you have difficulty upgrading via the New Version banner, please run the plugin installation script to upgrade just this one time.
Cheers!