Important product security update: Virtuozzo PowerPanel RTM Hotfix 1 (7.0.1-346)

Issue date: 2017-03-24

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2017-022

1. Overview

New packages for Virtuozzo PowerPanel introduce a security fix and usability bug fixes.

2. Security Fixes

  • [Important] Incorrect checking of locked VM accounts in Virtuozzo SDK allowed one to use any password to log in to Virtuozzo PowerPanel in the legacy mode for a VM with such a locked account. Other login methods, e.g., via SSH, were not affected. (PP-312)

3. Bug Fixes

  • The ‘Change Password’ button did not work in the legacy mode. (PP-370, PP-311)

  • Virtuozzo PowerPanel’s config file for Apache HTTP Server was not updated by the installer. (PP-366)

  • The legacy mode login screen URL changed to ‘/login/ve’. After visiting the old URL, you will be redirected to the new one. (PP-341)

  • A number of improvements for the VNC console. (PP-335, PP-283, PP-191, PP-186, PP-156)

  • The controller could be installed even if date and time had not been synchronized across nodes. (PP-309)

  • The process of logging in to Virtuozzo PowerPanel was not indicated in any way. (PP-306)

  • Emails and domain names could not be used as logins. (PP-299)

  • Installation prerequisites were checked after the prompt for the Keystone admin password. (PP-287)

  • The ‘Send Key Combination’ button did not show the list of key combinations. (PP-187)

4. Installing the Update

To install this update:

  1. Run ‘yum update’ on the controller node.

  2. Update Apache configuration:

    • If you did not change ‘/etc/httpd/conf.d/pp-ui.conf’, delete it, then rename ‘/etc/httpd/conf.d/pp-ui.conf.rpmnew’ to ‘/etc/httpd/conf.d/pp-ui.conf’.

    • Or if you changed ‘/etc/httpd/conf.d/pp-ui.conf’, merge ‘/etc/httpd/conf.d/pp-ui.conf.rpmnew’ into ‘/etc/httpd/conf.d/pp-ui.conf’ to update it while keeping your changes.

  3. Restart Apache on the controller node with ‘systemctl restart httpd’.

  4. Propagate updates to compute nodes by running ‘vzapi-installer computes’ from the controller node.
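
One way to carry out step 2 with a rollback copy and a syntax check before the restart in step 3. This is an added example, not part of the original advisory or Virtuozzo's own tooling; the function name apply_rpmnew, its return codes and the .bak and .merge.diff file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Virtuozzo code): helper for step 2 of the update procedure.
# apply_rpmnew is a hypothetical name; the operator states whether the
# config file was edited locally, as the advisory's two cases require.
#
# Usage: apply_rpmnew CONF unchanged|changed
# Returns: 0 = .rpmnew installed as CONF
#          2 = no .rpmnew present, nothing to do
#          3 = local changes: diff written, manual merge required
#          1 = usage error or failure
apply_rpmnew() {
    conf=$1
    state=$2
    new="$conf.rpmnew"

    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    [ -f "$new" ] || { echo "no $new, nothing to do" >&2; return 2; }

    # Keep a copy of the current file so the step can be rolled back.
    # A .bak suffix is not matched by Apache's usual conf.d/*.conf include.
    cp -p "$conf" "$conf.bak" || return 1

    case $state in
        unchanged)
            # Advisory: delete the old file, rename .rpmnew into place.
            mv -f "$new" "$conf" || return 1
            return 0
            ;;
        changed)
            # Advisory: merge .rpmnew into the edited file. Write the diff to
            # merge from; the merge itself stays a manual decision.
            # diff exits 1 when the files differ, 2 or more on error.
            diff -u "$conf" "$new" > "$conf.merge.diff" || [ $? -eq 1 ] || return 1
            return 3
            ;;
        *)
            echo "usage: apply_rpmnew CONF unchanged|changed" >&2
            return 1
            ;;
    esac
}

# On the controller node, after 'yum update' (paths from the advisory):
#   apply_rpmnew /etc/httpd/conf.d/pp-ui.conf unchanged \
#       && apachectl configtest && systemctl restart httpd
```

Running apachectl configtest before the restart keeps a bad merge from taking the panel's web front end down; if it fails, restore the .bak copy and merge again.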

The JSON file with the list of new and updated packages is available at