Blogroll Category: Technology

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 196 posts from the category 'Technology.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!

Less Is More - Why The IPv6 Switch Is Missing

CloudFlare - Thu, 25/05/2017 - 18:30

At Cloudflare we believe in being good to the Internet and good to our customers. By moving on from the legacy world of IPv4-only to the modern-day world where IPv4 and IPv6 are treated equally, we believe we are doing exactly that.

"No matter what happens in life, be good to people. Being good to people is a wonderful legacy to leave behind." - Taylor Swift (whose website has been IPv6 enabled for many many years)

Starting today with free domains, IPv6 is no longer something you can toggle on and off, it’s always just on.

How we got here

Cloudflare has always been a gateway for visitors on IPv6 connections to access sites and applications hosted on legacy IPv4-only infrastructure. Connections to Cloudflare are terminated on either IP version and then proxied to the backend over whichever IP version the backend infrastructure can accept.

That means that a v6-only mobile phone (looking at you, T-Mobile users) can establish a clean path to any site or mobile app behind Cloudflare instead of doing an expensive 464XLAT protocol translation as part of the connection (shaving milliseconds and conserving very precious battery life).

That IPv6 gateway is set by a simple toggle that for a while now has been default-on. And to make up for the time lost before the toggle was default on, in August 2016 we went back retroactively and enabled IPv6 for those millions of domains that joined before IPv6 was the default. Over those next few months, we enabled IPv6 for nearly four million domains –– you can see Cloudflare’s dent in the IPv6 universe below –– and by the time we were done, 98.1% of all of our domains had IPv6 connectivity.

As an interim step, we added an extra feature –– when you turn off IPv6 in our dashboard, we remind you just how archaic we think that is.

With close to 100% IPv6 enablement, it no longer makes sense to offer an IPv6 toggle. Instead, Cloudflare is offering IPv6 always on, with no off-switch. We’re starting with free domains, and over time we’ll change the toggle on the rest of Cloudflare paid-plan domains.

The Future: How Cloudflare and OpenDNS are working together to make IPv6 even faster and more globally deployed

In November we published stats about the IPv6 usage we see on the Cloudflare network in an attempt to answer who and what is pushing IPv6. The top operating systems by percent IPv6 traffic are iOS, ChromeOS, and MacOS respectively. These operating systems push significantly more IPv6 traffic than their peers because they use a routing choice algorithm called Happy Eyeballs. Happy Eyeballs opportunistically chooses IPv6 when available by doing two DNS lookups –– one for an IPv6 address (this IPv6 address is stored in the DNS AAAA record - pronounced quad-A) and then one for the IPv4 address (stored in the DNS A record). Both DNS queries are flying over the Internet at the same time and the client chooses the address that comes back first. The client even gives IPv6 a few milliseconds head start (iOS and MacOS give IPv6 lookups a 25ms head start for example) so that IPv6 may be chosen more often. This works and has fueled some of IPv6’s growth. But it has fallen short of the goal of a 100% IPv6 world.

While there are perfectly good historical reasons why IPv6 and IPv4 addresses are stored in separate DNS types, today clients are IP version agnostic and it no longer makes sense for it to require two separate round trips to learn what addresses are available to fetch a resource from.

Alongside OpenDNS, we are testing a new idea - what if you could ask for all the addresses in just one DNS query?

With OpenDNS, we are prototyping and testing just that –– a new DNS metatype that returns all available addresses in one DNS answer –– A records and AAAA records in one response. (A metatype is a query type in DNS that end users can’t add into their DNS zone file, it’s assembled dynamically by the authoritative nameserver.)

What this means is that in the future if a client like an iPhone wants to access a mobile app that uses Cloudflare DNS or using another DNS provider that supports the spec, the iPhone DNS client would only need to do one DNS lookup to find where the app’s API server is located, cutting the number of necessary round trips in half.

This reduces the amount of bandwidth on the DNS system, and pre-populates global DNS caches with IPv6 addresses, making IPv6 lookups faster in the future, with the side benefit that Happy Eyeballs clients prefer IPv6 when they can get the address quickly, which increases the amount of IPv6 traffic that flows through the Internet.

We have the metaquery working in code with the reserved TYPE65535 querytype. You can ask a Cloudflare nameserver for TYPE65535 of any domain on Cloudflare and get back all available addresses for that name.

$ dig -t TYPE65535 +short 2400:cb00:2048:1::c629:d6a2 2400:cb00:2048:1::c629:d7a2 $

Did we mention Taylor Swift earlier?

$ dig -t TYPE65535 +short 2400:cb00:2048:1::6810:c33d 2400:cb00:2048:1::6810:c13d 2400:cb00:2048:1::6810:bf3d 2400:cb00:2048:1::6810:c23d 2400:cb00:2048:1::6810:c03d $

We believe in proving concepts in code and through the IETF standards process. We’re currently working on an experiment with OpenDNS and will translate our learnings to an Internet Draft we will submit to the IETF to become an RFC. We’re sure this is just the beginning to faster, better deployed IPv6.

Categories: Technology

Episode 130 on SharePoint developer updates with Vesa Juvonen and Daniel Kogan—Office 365 Developer Podcast

Microsoft Office - Thu, 25/05/2017 - 18:15

In Episode 130 of the Office 365 Developer Podcast, Andrew Coates talks with Vesa Juvonen and Daniel Kogan about SharePoint Developer announcements at Build 2017.

Download the podcast.

Weekly updates

Got questions or comments about the show? Join the O365 Dev Podcast on the Office 365 Technical Network. The podcast RSS is available on iTunes or search for it at “Office 365 Developer Podcast” or add directly with the RSS

About the guests

Vesa Juvonen is a senior program manager within SharePoint engineering. He works in the team responsible for the SharePoint customization model, including SharePoint Framework and developer community initiatives from engineering. Previously, he worked as a SharePoint CAT team member in CXP and as a principal consultant with Microsoft Services for eight years before movin the to product group. Vesa also leads the virtual team that created the SharePoint Patterns and Practice (PnP) initiative to help customers and partners to learn right ways to customize and extend SharePoint and Office 365.

Daniel Kogan is a principal group program manager responsible for the SharePoint developer platform and extensibility. As a 15-year veteran at Microsoft (joining by way of acquisition), Daniel has a leader in a number of critical areas of SharePoint and Office Server. In his 25+ years of tech leadership, Daniel holds a number of patents for his work and is the brain behind a number of popular features in SharePoint.


About the hosts

RIchard diZeregaRichard is a software engineer in Microsoft’s Developer Experience (DX) group, where he helps developers and software vendors maximize their use of Microsoft cloud services in Office 365 and Azure. Richard has spent a good portion of the last decade architecting Office-centric solutions, many that span Microsoft’s diverse technology portfolio. He is a passionate technology evangelist and a frequent speaker at worldwide conferences, trainings and events. Richard is highly active in the Office 365 community, popular blogger at and can be found on Twitter at @richdizz. Richard is born, raised and based in Dallas, TX, but works on a worldwide team based in Redmond. Richard is an avid builder of things (BoT), musician and lightning-fast runner.


ACoatesA Civil Engineer by training and a software developer by profession, Andrew Coates has been a Developer Evangelist at Microsoft since early 2004, teaching, learning and sharing coding techniques. During that time, he’s focused on .NET development on the desktop, in the cloud, on the web, on mobile devices and most recently for Office. Andrew has a number of apps in various stores and generally has far too much fun doing his job to honestly be able to call it work. Andrew lives in Sydney, Australia with his wife and two almost-grown-up children.

Useful links


Yammer Office 365 Technical Network


The post Episode 130 on SharePoint developer updates with Vesa Juvonen and Daniel Kogan—Office 365 Developer Podcast appeared first on Office Blogs.

Categories: Technology

Patent Troll Battle Update: Doubling Down on Project Jengo

CloudFlare - Thu, 25/05/2017 - 17:00

Project Jengo Doubles In Size
Jengo Fett by Brickset (Flickr)

We knew the case against patent trolls was the right one, but we have been overwhelmed by the response to our blog posts on patent trolls and our program for finding prior art on the patents held by Blackbird Tech, which we’ve dubbed Project Jengo. As we discuss in this post, your comments and contributions have allowed us to expand and intensify our efforts to challenge the growing threat that patent trolls pose to innovative tech companies.

We’re SIGNIFICANTLY expanding our program to find prior art on the Blackbird Tech patents

In a little over a week since we started the program, we’ve received 141 separate prior art submissions. But we know there’s an opportunity to find a lot more.

We’ve been impressed with the exceptionally high quality of the submissions. The Cloudflare community of users and readers of our blog are an accomplished bunch, so we have a number of searches that were done by expert engineers and programmers. In one case that stood out to us, someone wrote in about a project they personally had worked on as an engineer back in 1993, which they are convinced is conclusive prior art to a Blackbird Tech patent. We will continue to collect and review these submissions.

The submissions so far relate to 18 of the 38 Blackbird Tech patents and applications. You can see a summary of the number of submissions per patent here (PDF). You'll see there are still 20 Blackbird Tech patents and applications we’ve yet to receive a submission for.

We’re looking for prior art on 100% of the Blackbird Tech patents. If you are interested in helping, take some time to look into those patents where we don’t have anything yet. We’ll update the chart as we review the submissions with additional information about the number we receive, and their quality, to help focus the search. After the initial review, we’ll start to color code the patents (i.e., red/yellow/green) to demonstrate the number and quality of submissions we’ve received on each patent.

An anonymous benefactor donated another $50K to help invalidate all of Blackbird Tech's patents

And our efforts to cover the field have been re-doubled. We’re excited to report that a friend in the industry who read our blog post and shares our concerns about the corrosive impact of patent trolls has made an anonymous donation of $50,000 to support our efforts to invalidate the Blackbird Tech patents. That means that we are now committing at least $100,000 to the effort to find prior art on and initiate actions to invalidate the Blackbird Tech patents.

We initially dedicated a $50,000 bounty to invalidate Blackbird Tech's patents. We split the bounty so $20,000 was to invalidate the particular patent Blackbird Tech sued us on and $30,000 was to help invalidate any other Blackbird Tech patent. We've received so many prior art submissions on the patent in question in Cloudflare's case that we don't believe we need an additional incentive there. Instead, we're dedicating 100% of the anonymously donated $50,000 to invalidating the other Blackbird Tech patents. This will be used both to boost the bounty we pay to researchers as well as to fund invalidation cases we file with the USPTO. Our goal remains invalidating every one of Blackbird Tech's patents. Again if you want more information about how you can participate, you can find the description here.

And, of course, there will be t-shirts!

Troll Hunter Shirt Design

And it wouldn’t be a cooperative effort in the tech community if we didn’t give out T-shirts to commemorate your participation in the process. You can see the T-shirt design above, all you have to do is provide a legitimate entry of prior art on any of the Blackbird Tech patents and we’ll send one to you (limit one shirt per participant).

Blackbird Tech’s “new model” of patent litigation may be a violation of professional ethics, soon it may also be an explicit violation of law

We think the business operations of the Blackbird Tech attorneys may violate the Rules of Professional Conduct in both Illinois and Massachusetts, where Blackbird Tech’s offices are located and where its co-founders work, and we have asked ethics regulators in those states to undertake a review. But we think it’s worth going a step further and working with innovation-supporting legislators in the states where Blackbird Tech operates to make it absolutely clear this new breed of patent troll is not welcome.

As we mentioned in the original blog post, there have already been several proposals at both the state and federal level to push back and limit the ability of patent trolls to use the courts to bring cases against successful companies. Yet Blackbird Tech is pushing in the other direction and attempting to come up with novel ways to increase the efficiency and effectiveness of patent trolls.

On May 23, 2017, Rep. Keith Wheeler of Illinois introduced a bill (the “Ethics in Patent Litigation Act”) that would make it the public policy of the State of Illinois that attorneys in the state, like Blackbird co-founder Chris Freeman (LinkedIn), should not be able to buy patents themselves for the purpose of suing on them if they are not in the business of any other productive activity. We appreciate Rep. Wheeler’s support of innovation and his stance against patent trolls, feel free to show your support via Twitter below.

In Massachusetts, where Blackbird's other attorney co-founder, Wendy Wendy Verlander (@bbirdtech_CEO; LinkedIn) is based, Sen. Eric Lesser has specifically targeted patent trolls in a bill he introduced earlier this year.

Well done. It's time to stand up to patent trolls. We have a bill in @MA_Senate that will do just that. @ScottKirsner @jonchesto @epaley

— Eric Lesser (@EricLesser) May 19, 2017

You can show your support for Sen. Lesser’s stance on these issues using the Twitter generator below. We will be working with Sen. Lesser in the weeks and months ahead to address our concern about Blackbird Tech’s “new model” of patent troll.

Even though the patent system may be based on Federal law, states have the ability to set rules for how businesses, and especially lawyers, behave in their jurisdictions. So we’re happy to work with interested lawmakers in other states, including Delaware, to advance new laws that limit the practices of patent trolls, including Blackbird Tech’s “new model.” We can share the information we’ve learned and pull together model legislation. If you are interested or know a legislator who may be, feel free to email us.

Blackbird Tech calls themselves “very much the same” as and “almost identical” to a law firm when it suits their purposes, and “not a law firm” when it doesn’t

As we wrote before, we believe Blackbird Tech's dangerous new model of patent trolling — where they buy patents and then act their own attorneys in cases — may be a violation of the rules of professional ethics. In particular, we are concerned that they may be splitting fees with non-attorneys and that they may be acquiring causes of action. Both practices run counter to the rules of professional ethics for lawyers and law firms.

It is increasingly clear to us that Blackbird’s response to questions about their compliance with the rules of professional conduct will be, at best, based on simple agreements that merely create a shortcut around their ethical obligations, and at worst, directly contradictory.

Blackbird Tech wants to have it both ways. In response to the original blog post, Blackbird Tech denied both that it was a law firm and that it used contingency fee agreements. Specifically:

In a phone conversation with Fortune, Blackbird CEO Wendy Verlander said the company is not a law firm and that it doesn't use contingency fee arrangements for the patents it buys, but conceded "it's a similar arrangement."

Ms. Verlander objects to being characterized as a law firm because if Blackbird is found to be one then their practices would be governed by, and may be a violation of, the rules of professional ethics. Ms. Verlander’s denial that Blackbird Tech doesn’t use contingency agreements, only to quickly concede that what they do is “a similar arrangement” suggests again that Blackbird Tech is finding it convenient to work around the ethical rules.

This runs fundamentally counter to the concept of ethical rules, which are meant to be driven by the spirit of those obligations. Anyone out to intentionally “cut corners” or do the “bare minimum” to comply with only the letter of such obligations are by default in violation of the “special responsibilities” which should be driven by “personal conscience” as described in the preamble of the ABA Model Rules.

Wendy Verlander and Chris Freeman, the Founders of the Blackbird Technologies Law Firm

And Ms. Verlander’s unequivocal assertion that Blackbird Tech is not a law firm can be contrasted with sworn statements submitted by Blackbird Tech attorneys to courts last May asserting how much they operate like a law firm. In Blackbird Tech v. Service Lighting and Electrical Supplies, Blackbird Tech CEO Wendy Verlander, Blackbird Tech co-founder Chris Freeman, and Blackbird Tech employee Sean Thompson, each filed declarations in opposition to a proposed protective order.

Protective orders are important in patent litigation. Often, discovery in those cases involves companies handing over highly confidential information about their most important trade secrets or the history of how they developed valuable intellectual property. In most cases, courts limit access to such materials only to outside counsel, as opposed to the parties’ employees and in-house counsel. In-house counsel generally serve a number of functions at a business that include competitive decision-making, either directly or indirectly. Because in-house counsel may benefit from the additional perspective and insight gained by exposure to sensitive trade secrets of a competitor, and are unable to simply wipe their memories clean, courts in patent litigation cases often limit their review of particularly sensitive documents. In such cases, documents classified as “HIGHLY CONFIDENTIAL—ATTORNEY EYES ONLY” are limited to review by outside counsel, who are less likely to face the same sort of business decisions in the future.

When it served their purposes in opposition to a proposed protective order, the Blackbird Tech attorneys were quick to point out how much they operated only like a law firm and distance themselves from their business roles. Their sworn declarations specifically asserted:

  • “Although the structure of Blackbird is unique, the realities of patent litigation at Blackbird are very much the same as patent litigation on behalf of clients at law firms.” (Verlander at ¶13, Freeman at ¶14)

  • “Thus, in many ways, my role at Blackbird as a member of the Litigation Group is identical to my previous role as outside counsel at a law firm.” (Verlander at ¶13, Freeman at ¶14)(emphasis added)

  • “Blackbird’s Litigation Group operates almost identically to outside law firm counsel. Blackbird’s litigators are presented with patents and possible infringers, just as clients bring to law firms. The Blackbird litigators then bring their litigation expertise to bear and thoroughly analyze the patent and the potential infringement case, ultimately deciding whether to move forward with litigation — just as a law firm would evaluate a case. If the Blackbird litigation team identifies a strong infringement case, the litigators draft Complaints and conduct litigation, acting in the same role as outside counsel.” (Verlander at ¶14, Freeman at ¶15)(emphasis added).

  • “On a day-to-day basis, what I do at Blackbird is the same as what I did when practicing at a firm.” (Thompson at ¶2).

This inconsistency points out once again how Blackbird is attempting to gain an advantage by turning traditional roles on their head. If they were a typical company, that was looking to make products using the patents they own, then we’d be able to seek discovery on their products and operations. Instead, they function as a law firm with no business operations that would be subject to the same sort of scrutiny they will apply to a company like Cloudflare.

And they say that they’re not a law firm, yet they expect all their employees, including their CEO, to be permitted to exercise the special role of an attorney “identical to [their] previous role as outside counsel at a law firm.” But it would be difficult for them to deny that their employees, including their CEO, are engaged in impermissible attorney practices like buying causes of actions and giving a financial interest in litigation to non-parties, which are clearly not “identical” to what they would have done “as outside counsel at a firm.” They can’t have it both ways.

Coverage of the blog post took our arguments even further

In our previous blog posts on patent trolls, we thought we’d said about everything there was to say, or at least exhausted anyone who might have something else to say. But we found that most of the reports about our efforts did much more than merely parrot our statements and ask Blackbird Tech for a response. These reports raise some excellent additional points that we expect to use in our ongoing efforts to defend the case brought by Blackbird Tech.

Several of the reporters noted that Blackbird Tech’s claims seem a bit farfetched and found their own factual basis for contesting those claims. Joe Mullin (@joemullin) at Ars Technica noted that the Blackbird Tech patent—particularly in the overbroad way it is applying it in the case against Cloudflare—has prior art that dates back to the beginning of the last century:

The suggestion that intercepting and modifying electronic communications is a 1998 “invention” is a preposterous one. By World War I, numerous state governments had systems in place to censor and edit telegraph and telephone conversations.

Similarly, Shaun Nichols (@shaundnichols) of the Register notes that the differences between the Blackbird Tech patent and our operations are “remarkable”:

In our view, from a quick read of the documentation, Blackbird's design sounds remarkably different to Cloudflare's approach. Critically, the server-side includes described in the patent have been around well before the patent was filed: Apache, for example, had them as early as 1996, meaning the design may be derailed by prior art.

And beyond the legal arguments in the patent case, Techdirt felt that our arguments questioning the operations of Blackbird Tech itself sounded strikingly familiar to another operation that was found to be legally improper:

Righthaven. As you may recall, that was a copyright trolling operation that effectively "bought" the bare right to sue from newspapers. They pretended they bought the copyright (since you can't just buy a right to sue), but the transfer agreement left all the actual power with the newspapers, and courts eventually realized that all Righthaven really obtained was the right to sue. That resulted in the collapse of Righthaven. This isn't exactly analogous, but there are some clear similarities, in having a "company," rather than a law firm (but still run completely by lawyers), "purchase" patents or copyrights solely for the purpose of suing, while setting up arrangements to share the proceeds with the previous holder of those copyrights or patents. It's a pretty sleazy business no matter what — and with Righthaven it proved to be its undoing. Blackbird may face a similar challenge.

It’s probably best to close this post with a statement from Mike Masnick (@mmasnick) of Techdirt that we may save for a closing argument down the road because it summarized the situation better than we had:

Kudos to Cloudflare for hitting back against patent trolling that serves no purpose whatsoever, other than to shake down innovative companies and stifle their services. But, really, the true travesty here is that the company needs to do this at all. Our patent (and copyright) systems seem almost perfectly designed for this kind of shakedown game, having nothing whatsoever to do with the stated purpose of supporting actual innovators and creators. Instead, it's become a paper game abused by lawyers to enrich themselves at the expense of actual innovators and creators.

We will keep you updated. In the meantime, you can contribute to our efforts by continuing to participate in the search for prior art on the Blackbird Tech patents, or you can engage in the political process by supporting efforts to change the patent litigation process. And support folks like Rep. Wheeler or Sen. Lesser with their proposals to limit the power of patent trolls.

twitterwidget { width: 100% !important; } var twitterInterval = setInterval(function(){ var widget = document.querySelector('twitterwidget'); if (!widget) return; var embedded = widget.shadowRoot.querySelector('.EmbeddedTweet'); if (!embedded) return; clearInterval(twitterInterval); = 'none'; }, 100);
Categories: Technology

MariaDB for MySQL Governor updated

CloudLinux - Thu, 25/05/2017 - 16:05

The new updated MariaDB packages for MySQL Governor are available for download from our production repository.





  • added jemalloc support.

To update run:

# yum update cl-MariaDB-meta-client cl-MariaDB-meta cl-MariaDB-meta cl-MariaDB* # restart mysql # restart governor-mysql

To install on a new server:

# yum install governor-mysql # /usr/share/lve/dbgovernor/db-select-mysql --mysql-version=[mariadb version] # /usr/share/lve/dbgovernor/ --install
Categories: Technology

Beta: Imunify360 2.2-12 released

CloudLinux - Thu, 25/05/2017 - 08:21

We are pleased to announce that the new updated beta Imunify360 version 2.2-12 is now available. This latest version embodies further improvements of the product as well as the new features. Imunify360 has also become more reliable and stable due to the bug fixes described below.

Should you encounter any problems with the product or have any questions, comments or suggestions, please contact our support team at Imunify360 department. We’d be more than happy to help you.


  • DEF-1988: fixed ModSecurity audit log parser;
  • DEF-1930: log rotation for captcha log;
  • DEF-1999: panel specific way to count users;
  • DEF-1616: fixed Reputation Management socket error;
  • DEF-1919: added modsec2.imunify.conf to the doctor;
  • fixed path attribute for on-demand scans.

To instal new beta Imunify360 version 2.2-12 please follow the instructions in the documentation.

The upgrading is available since 2.0-19 version.

To upgrade Imunify360 run the command:

yum clean all --enablerepo=imunify360-testing yum update imunify360-firewall --enablerepo=imunify360-testing

More information on Imunify360 can be found here.

Categories: Technology

Imunify360 2.1-12 hotfix release

CloudLinux - Wed, 24/05/2017 - 22:16

We are pleased to announce that the new updated Imunify360 version 2.1-12 is now available. This latest version embodies further improvements of the product as well as the new features. Imunify360 also has become more reliable and stable due to the bug fixes described below.

Should you encounter any problems with the product or have any questions, comments or suggestions, please contact our support team at Imunify360 department. We’d be more than happy to help you.


  • DEF-1919: added modsec2.imunify.conf to the doctor;
  • DEF-1999: panel specific way to count users.

To instal new Imunify360 version 2.1-12 please follow the instructions inthe documentation.

To upgrade Imunify360 run the command:

yum update imunify360-firewall

More information on Imunify360 can be found here.

Categories: Technology

Reflections on reflection (attacks)

CloudFlare - Wed, 24/05/2017 - 19:16

Recently Akamai published an article about CLDAP reflection attacks. This got us thinking. We saw attacks from Conectionless LDAP servers back in November 2016 but totally ignored them because our systems were automatically dropping the attack traffic without any impact.

CC BY 2.0 image by RageZ

We decided to take a second look through our logs and share some statistics about reflection attacks we see regularly. In this blog post, I'll describe popular reflection attacks, explain how to defend against them and why Cloudflare and our customers are immune to most of them.

A recipe for reflection

Let's start with a brief reminder on how reflection attacks (often called "amplification attacks") work.

To bake a reflection attack, the villain needs four ingredients:

  • A server capable of performing IP address spoofing.
  • A protocol vulnerable to reflection/amplification. Any badly designed UDP-based request-response protocol will do.
  • A list of "reflectors": servers that support the vulnerable protocol.
  • A victim IP address.

The general idea:

  • The villain sends fake UDP requests.
  • The source IP address in these packets is spoofed: the attacker sticks the victim's IP address in the source IP address field, not their own IP address as they normally would.
  • Each packet is destined to a random reflector server.
  • The spoofed packets traverse the Internet and eventually are delivered to the reflector server.
  • The reflector server receives the fake packet. It looks at it carefully and thinks: "Oh, what a nice request from the victim! I must be polite and respond!". It sends the response in good faith.
  • The response, though, is directed to the victim.

The victim will end up receiving a large volume of response packets it never had requested. With a large enough attack the victim may end up with congested network and an interrupt storm.

The responses delivered to victim might be larger than the spoofed requests (hence amplification). A carefully mounted attack may amplify the villain's traffic. In the past we've documented a 300Gbps attack generated with an estimated 27Gbps of spoofing capacity.

Popular reflections

During the last six months our DDoS mitigation system "Gatebot" detected 6,329 simple reflection attacks (that's one every 40 minutes). Here is the list by popularity of different attack vectors. An attack is defined as a large flood of packets identified by a tuple: (Protocol, Source Port, Target IP). Basically - a flood of packets with the same source port to a single target. This notation is pretty accurate - during normal Cloudflare operation, incoming packets rarely share a source port number!

Count Proto Src port 3774 udp 123 NTP 1692 udp 1900 SSDP 438 udp 0 IP fragmentation 253 udp 53 DNS 42 udp 27015 SRCDS 20 udp 19 Chargen 19 udp 20800 Call Of Duty 16 udp 161 SNMP 12 udp 389 CLDAP 11 udp 111 Sunrpc 10 udp 137 Netbios 6 tcp 80 HTTP 5 udp 27005 SRCDS 2 udp 520 RIP Source port 123/udp NTP

By far the most popular reflection attack vector remains NTP. We have blogged about NTP in the past:

Over the last six months we've seen 3,374 unique NTP amplification attacks. Most of them were short. The average attack duration was 11 minutes, with the longest lasting 22 hours (1,300 minutes). Here's a histogram showing the distribution of NTP attack duration:

Minutes min:1.00 avg:10.51 max:1297.00 dev:35.02 count:3774 Minutes: value |-------------------------------------------------- count 0 | 2 1 | * 53 2 | ************************* 942 4 |************************************************** 1848 8 | *************** 580 16 | ***** 221 32 | * 72 64 | 35 128 | 11 256 | 7 512 | 2 1024 | 1

Most of the attacks used a small number of reflectors - we've recorded an average of 1.5k unique IPs per attack. The largest attack used an estimated 12.3k reflector servers.

Unique IPs min:5.00 avg:1552.84 max:12338.00 dev:1416.03 count:3774 Unique IPs: value |-------------------------------------------------- count 16 | 0 32 | 1 64 | 8 128 | ***** 111 256 | ************************* 553 512 | ************************************************* 1084 1024 |************************************************** 1093 2048 | ******************************* 685 4096 | ********** 220 8192 | 13

The peak attack bandwidth was on average 5.76Gbps and max of 64Gbps:

Peak bandwidth in Gbps min:0.06 avg:5.76 max:64.41 dev:6.39 count:3774 Peak bandwidth in Gbps: value |-------------------------------------------------- count 0 | ****** 187 1 | ********************* 603 2 |************************************************** 1388 4 | ***************************** 818 8 | ****************** 526 16 | ******* 212 32 | * 39 64 | 1

This stacked chart shows the geographical distribution of the largest NTP attack we've seen in the last six months. You can see the packets per second number directed to each datacenter. One our datacenters (San Jose to be precise) received about a third of the total attack volume, while the remaining packets were distributed roughly evenly across other datacenters.

The attack lasted 20 minutes, used 527 reflector NTP servers and generated about 20Mpps / 64Gbps at peak.

Dividing these numbers we can estimate that a single packet in that attack had on average size of 400 bytes. In fact, in NTP attacks the great majority of packets have a length of precisely 468 bytes (less often 516). Here's a snippet from tcpdump:

$ tcpdump -n -r 3164b6fac836774c.pcap -v -c 5 -K 11:38:06.075262 IP -(tos 0x20, ttl 60, id 0, offset 0, proto UDP (17), length 468) > x.x.x.x.47787: [|ntp] 11:38:06.077141 IP -(tos 0x0, ttl 56, id 0, offset 0, proto UDP (17), length 468) > x.x.x.x.44540: [|ntp] 11:38:06.082631 IP -(tos 0xc0, ttl 60, id 0, offset 0, proto UDP (17), length 468) > x.x.x.x.47787: [|ntp] 11:38:06.095971 IP -(tos 0x0, ttl 60, id 0, offset 0, proto UDP (17), length 468) > x.x.x.x.21784: [|ntp] 11:38:06.113935 IP -(tos 0x0, ttl 59, id 0, offset 0, proto UDP (17), length 516) > x.x.x.x.9285: [|ntp] Source port 1900/udp SSDP

The second most popular reflection attack was SSDP, with a count of 1,692 unique events. These attacks were using much larger fleets of reflector servers. On average we've seen around 100k reflectors used in each attack, with the largest attack using 1.23M reflector IPs. Here's the histogram of number of unique IPs used in SSDP attacks:

Unique IPs min:15.00 avg:98272.02 max:1234617.00 dev:162699.90 count:1691 Unique IPs: value |-------------------------------------------------- count 256 | 0 512 | 4 1024 | **************** 98 2048 | ************************ 152 4096 | ***************************** 178 8192 | ************************* 158 16384 | **************************** 176 32768 | *************************************** 243 65536 |************************************************** 306 131072 | ************************************ 225 262144 | *************** 95 524288 | ******* 47 1048576 | * 7

The attacks were also longer, with 24 minutes average duration:

$ cat 1900-minutes| ~/bin/mmhistogram -t "Minutes" Minutes min:2.00 avg:23.69 max:1139.00 dev:57.65 count:1692 Minutes: value |-------------------------------------------------- count 0 | 0 1 | 10 2 | ***************** 188 4 | ******************************** 354 8 |************************************************** 544 16 | ******************************* 342 32 | *************** 168 64 | **** 48 128 | * 19 256 | * 16 512 | 1 1024 | 2

Interestingly the bandwidth doesn't follow a normal distribution. The average SSDP attack was 12Gbps and the largest just shy of 80Gbps:

$ cat 1900-Gbps| ~/bin/mmhistogram -t "Bandwidth in Gbps" Bandwidth in Gbps min:0.41 avg:11.95 max:78.03 dev:13.32 count:1692 Bandwidth in Gbps: value |-------------------------------------------------- count 0 | ******************************* 331 1 | ********************* 232 2 | ********************** 235 4 | *************** 165 8 | ****** 65 16 |************************************************** 533 32 | *********** 118 64 | * 13

Let's take a closer look at the largest (80Gbps) attack we've recorded. Here's a stacked chart showing packets per second going to each datacenter. This attack was using 940k reflector IPs, generated 30Mpps. The datacenters receiving the largest proportion of the traffic were San Jose, Los Angeles and Moscow.

The average packet size was 300 bytes. Here's how the attack looked on the wire:

$ tcpdump -n -r 4ca985a2211f8c88.pcap -K -c 7 10:24:34.030339 IP - > x.x.x.x.25255: UDP, length 301 10:24:34.406943 IP - > x.x.x.x.37081: UDP, length 331 10:24:34.454707 IP - > x.x.x.x.25255: UDP, length 299 10:24:34.460455 IP - > x.x.x.x.25255: UDP, length 289 10:24:34.491559 IP - > x.x.x.x.25255: UDP, length 323 10:24:34.494385 IP - > x.x.x.x.37081: UDP, length 320 10:24:34.495474 IP - > x.x.x.x.37081: UDP, length 288 Source port 0/udp IP fragmentation

Sometimes we see reflection attacks showing UDP source and destination port numbers set to zero. This is usually a side effect of attacks where the reflecting servers responded with large fragmented packets. Only the first IP fragment contains a UDP header, preventing subsequent fragments from being reported properly. From a router point of view this looks like a UDP packet without UDP header. A confused router reports a packet from source port 0, going to port 0!

This is a tcpdump-like view:

$ tcpdump -n -r 4651d0ec9e6fdc8e.pcap -c 8 02:05:03.408800 IP - > x.x.x.x.0: UDP, length 1167 02:05:03.522186 IP - > x.x.x.x.0: UDP, length 1448 02:05:03.525476 IP - > x.x.x.x.0: UDP, length 839 02:05:03.550516 IP - > x.x.x.x.0: UDP, length 1472 02:05:03.571970 IP - > x.x.x.x.0: UDP, length 1328 02:05:03.734834 IP - > x.x.x.x.0: UDP, length 1250 02:05:03.745220 IP - > x.x.x.x.0: UDP, length 1472 02:05:03.766862 IP - > x.x.x.x.0: UDP, length 1122

An avid reader will notice - the source IPs above are open DNS resolvers! Indeed, from our experience most of the attacks categorized as fragmentation are actually a side effect of DNS amplifications.

Source port 53/udp DNS

Over the last six months we've seen 253 DNS amplifications. On average an attack used 7100 DNS reflector servers and lasted 24 minutes. Average bandwidth was around 3.4Gbps with largest attack using 12Gbps.

This is a simplification though. As mentioned above multiple DNS attacks were registered by our systems as two distinct vectors. One was categorized as source port 53, and another as source port 0. This happened when the DNS server flooded us with DNS responses larger than max packet size, usually about 1,460 bytes. It's easy to see if that was the case by inspecting the DNS attack packet lengths. Here's an example:

DNS attack packet lengths min:44.00 avg:1458.94 max:1500.00 dev:208.14 count:40000 DNS attack packet lengths: value |-------------------------------------------------- count 8 | 0 16 | 0 32 | 129 64 | 479 128 | 84 256 | 164 512 | 268 1024 |************************************************** 38876

The great majority of the received DNS packets were indeed close to the max packet size. This suggests the DNS responses were large and were split into multiple fragmented packets. Let's see the packet size distribution for accompanying source port 0 attack:

$ tcpdump -n -r 4651d0ec9e6fdc8e.pcap \ | grep length \ | sed -s 's#.*length \([0-9]\+\).*#\1#g' \ | ~/bin/mmhistogram -t "Port 0 packet length" -l -b 100 Port 0 packet length min:0.00 avg:1264.81 max:1472.00 dev:228.08 count:40000 Port 0 packet length: value |-------------------------------------------------- count 0 | 348 100 | 7 200 | 17 300 | 11 400 | 17 500 | 56 600 | 3 700 | ** 919 800 | * 520 900 | * 400 1000 | ******** 3083 1100 | ************************************ 12986 1200 | ***** 1791 1300 | ***** 2057 1400 |************************************************** 17785

About half of the fragments were large, close to the max packet length in size, and rest were just shy of 1,200 bytes. This makes sense: a typical max DNS response is capped at 4,096 bytes. 4,096 bytes would be seen on the wire as one DNS packet fragment with an IP header, one max length packet fragment and one fragment of around 1,100 bytes:

4,096 = 1,460+1,460+1,060

For the record, the particular attack illustrated here used about 17k reflector server IPs, lasted 64 minutes, generated about 6Gbps on the source port 53 strand and 11Gbps of source port 0 fragments.

We have blogged about DNS reflection attacks in the past:

Other protocols

We've seen amplification using other protocols such as:

  • port 19 - Chargen
  • port 27015 - SRCDS
  • port 20800 - Call Of Duty

...and many other obscure protocols. These attacks were usually small and not notable. We didn't see enough of then to provide meaningful statistics but the attacks were automatically mitigated.

Poor observability

Unfortunately we're not able to report on the contents of the attack traffic. This is notable for the NTP and DNS amplifications - without case by case investigations we can't report what responses were actually being delivered to us.

This is because all these attacks stopped at the network layer. Routers are heavily optimized to perform packet forwarding and have a limited capacity of extracting raw packets. Basically there is no "tcpdump" there.

We track these attacks with netflow, and we observe them hit our routers firewall. The tcpdump snippets shown above were actually fake, reconstructed artificially from netflow data.

Trivial to mitigate

With properly configured firewall and sufficient network capacity (which isn't always easy to come by unless you are the size of Cloudflare) it's trivial to block the reflection attacks. But note that we've seen reflection attacks up to 80Gbps so you do need sufficient capacity.

Properly configuring a firewall is not rocket science: default DROP can get you quite far. In other cases you might want to configure rate limiting rules. This is a snippet from our JunOS config:

term RATELIMIT-SSDP-UPNP { from { destination-prefix-list { ANYCAST; } next-header udp; source-port 1900; } then { policer SA-POLICER; count ACCEPT-SSDP-UPNP; next term; } }

But properly configuring firewall requires some Internet hygiene. You should avoid using the same IP for inbound and outbound traffic. For example, filtering a potential NTP DDoS will be harder if you can't just block inbound port 123 indiscriminately. If your server requires NTP, make sure it exits to the Internet over non-server IP address!

Capacity game

While having sufficient network capacity is necessary, you don't need to be a Tier 1 to survive amplification DDoS. The median attack size we've received was just 3.35Gbps, average 7Gbps, Only 195 attacks out of 6,353 attacks recorded - 3% - were larger than 30Gbps.

All attacks in Gbps: min:0.04 avg:7.07 med:3.35 max:78.03 dev:9.06 count:6329 All attacks in Gbps: value |-------------------------------------------------- count 0 | **************** 658 1 | ************************* 1012 2 |************************************************** 1947 4 | ****************************** 1176 8 | **************** 641 16 | ******************* 748 32 | **** 157 64 | 14

But not all Cloudflare datacenters have equal sized network connections to the Internet. So how can we manage?

Cloudflare was architected to withstand large attacks. We are able to spread the traffic on two layers:

  • Our public network uses Anycast. For certain attack types - like amplification - this allows us to split the attack across multiple datacenters avoiding a single choke point.
  • Additionally we use ECMP internally to spread a traffic destined to single IP address across multiple physical servers.

In the examples above, I showed a couple of amplification attacks getting nicely distributed across dozens of datacenters across the globe. In the shown attacks, if our router firewall failed, our physical servers wouldn't receive more than 500kpps of attack data. A well tuned iptables firewall should be able to cope with such a volume without a special kernel offload help.

Inter-AS Flowspec for the rest

Withstanding reflection attacks requires sufficient network capacity. Internet citizens not having fat network cables should use a good Internet Service Provider supporting flowspec.

Flowspec can be thought of as a protocol enabling firewall rules to be transmitted over a BGP session. In theory flowspec allows BGP routers on different Autonomous Systems to share firewall rules. The rule can be set up on the attacked router and distributed to the ISP network with the BGP magic. This will stop the packets closer to the source and effectively relieve network congestion.

Unfortunately, due to performance and security concerns only a handful of large ISP's allow inter-AS flowspec rules. Still - it's worth a try. Check if your ISP is willing to accept flowspec from your BGP router!

At Cloudflare we maintain an intra-AS flowspec infrastructure, and we have plenty of war stories about it.


In this blog post we've given details of three popular reflection attack vectors: NTP, SSDP and DNS. We discussed how the Cloudflare Anycast network helps us avoid a single choke point. In most cases dealing with reflection attacks is not rocket science though sufficient network capacity is needed and simple firewall rules are usually enough to cope.

The types of DDoS attacks we see from other vectors (such as IoT botnets) are another matter. They tend to be much larger and require specialized, automatic DDoS mitigation. And, of course, there are many DDoS attacks that occur using techniques other than reflection and not just using UDP.

Whether you face DDoS attacks of 10Gbps+, 100Gbps+ or 1Tbps+, Cloudflare can mitigate them.

Categories: Technology

Site Verify - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-051

Drupal Contrib Security - Wed, 24/05/2017 - 17:37

The Site Verify module enables privilege users to verify a site with services like Google Webmaster Tools using meta tags or file uploads.

The module doesn't sufficiently sanitize input or restrict uploads.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer site verify".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Site Verify 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Site verification module, there is nothing you need to do.


Install the latest version:

Also see the Site verification project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at or via the contact form at

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at

Categories: Technology

Updated portal and new languages for Microsoft Forms

Microsoft Office - Wed, 24/05/2017 - 17:20

Today, we’re introducing several updates to Microsoft Forms, including improvements to the Forms portal, more languages and right-to-left reading support.

Microsoft Forms portal improvements

We are introducing significant improvements to the Forms portal page. With the new design, users will see a snapshot of each form, which includes the form title, background image and number of responses. The new search box, on the upper right corner, will help users quickly find a form either by its title or owner’s name.

Image shows an updated Forms portal page, displaying snapshots of each form and the new search box.

Updated Forms portal page.

Image shows a Forms portal page with the search results for forms with “quiz” in the title.

Search in Forms portal page.

More languages and right-to-left reading support

With this update, we’re introducing 26 new languages to Forms—bringing the total to 68 languages. We are also enabling RTL (right-to-left) reading support for Hebrew and Arabic users, so users can create and respond to forms, as well as view forms results.

Image shows a form using right-to-left reading support.

Forms RTL (right-to-left) reading support.

Create your own form or quiz

Educators can easily create a new form or quiz, add questions, customize settings, share their forms and check on the results. Just follow these simple steps:

  1. Sign in and create a new survey form or quiz form.
  2. Adjust the settings for the form.
  3. Share the form with others.
  4. Check the form results.
Learn more about using Forms

To learn more, see Copy a form, Delete a form, Share a form or quiz as a template and Share a form to collaborate. Many other top tasks and answers can be found on the What is Microsoft Forms? page, and on the Forms FAQs.

Also, read “Individualizing instruction with the new Microsoft Forms” by Laura Stanner, Microsoft Innovative Educator (MIE) Expert.

We want to hear from you

When teachers talk, we listen. We’re committed to listening to users on how we can keep improving Forms for your everyday use. Please send us feedback on our UserVoice page, where you can vote on other users’ suggestions or add your own ideas on how we can serve you better.

—The Forms team

The post Updated portal and new languages for Microsoft Forms appeared first on Office Blogs.

Categories: Technology

CloudLinux 7 kernel updated

CloudLinux - Wed, 24/05/2017 - 17:06

The new updated CloudLinux 7 kernel version 3.10.0-614.10.2.lve1.4.50 is available for download from our production repository.

Changelog since kernel-3.10.0-427.36.1.lve1.4.47:

  • improved fix for CVE-2017-7895;
  • rebased kernel to OpevVZ rh7-3.10.0-514.10.2.vz7.29.2;
  • fixed a deadlock with hpc backup solution;
  • CLKRN-92: megaraid driver panic fixes;
  • CLKRN-94: improved symlink attack protection by checking nested symlinks;
  • CLKRN-95: reduced high-order allocation impact in filesystem mount code;
  • CLKRN-97: fixed kernel panic on netlink_lookup;
  • CLKRN-104: fixed crashes around rhashtable as part of rebase;
  • CLKRN-105, CLKRN-115: fixed NULL pointer dereferencing in task scheduler;
  • CLKRN-106: avoiding kernel crash when setting vm.vfs_cache_min_ratio to zero in runtime;
  • CLKRN-117: avoiding running out of container ID's;
  • KMODLVE-66: fixed panic while waiting for LVE to be initialized.

To install new kernel please run the following command:

CloudLinux 7:

yum clean all --enablerepo=* && yum install kernel-3.10.0-614.10.2.lve1.4.50.el7 kmod-lve-1.4-50.el7

CloudLinux 6 Hybrid:

yum clean all --enablerepo=* && yum install kernel-3.10.0-614.10.2.lve1.4.50.el6h kmod-lve-1.4-50.el6h
Categories: Technology

What’s new on - April 2017

Drupal - Wed, 24/05/2017 - 16:20

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

DrupalCon Baltimore logo Apr 24-28

At the end of April we joined the community at DrupalCon Baltimore. We met with many of you there, gave our update at the public board meeting, and hosted a panel detailing the last 6 months worth of changes on If you weren't able to join us for this con, we hope to see you in Vienna! updates DrupalCon Vienna Full Site Launched!

DrupalCon Vienna logo Sep 26-29 2017

Speaking of Vienna, in April we launched the full site for DrupalCon Vienna which will take place from September 26-29th, 2017. If you're going to join us in Europe you can book your hotel now, or submit a session. Registration for the event will be opening soon!

DrupalCon Nashville Announced with new DrupalCon Brand

DrupalCon Nashville logo Apr 9-13 2018

Each year at DrupalCon the location of the next conference is held as closely guarded secret; the topic of speculation, friendly bets, and web crawlers looking for 403 pages. Per tradition, at the closing session we unveiled the next location for DrupalCon North America - Nashville, TN taking place from April 9-13th in 2018. But this year there was an extra surprise.

We've unveiled the new brand for DrupalCon, which you will begin to see as the new consistent identity for the event from city to city and year to year. You'll still see the unique character of the city highlighted for each regional event, but with an overarching brand that creates a consistent voice for the event.

Starring Projects

Users on may now star their favorite projects - making it easier to find favorite modules and themes for future projects, and giving maintainers a new dimension of feedback to judge their project's popularity. Users can find a list of the projects they've starred on the user profile. Over time we'll begin to factor the number of star's into a project's ranking in search results.

Starring Projects

At the same time that we made this change, we've also added a quick configuration for managing notification settings on a per-project basis. Users can opt to be notified of all issues for a project, only issues they've followed, or no issues. While these notification options have existed for some time, this new UI makes it easier than ever to control issue notifications in your inbox.

Project Browsing Improvements

One of the important functions of is to help Drupal site builders find the distributions, modules, and themes, that are the best fit for their needs. In April, we spent some time improving project browsing and discovery.

Search is now weighted by project usage so the most widely used modules for a given search phrase will be more likely to be the top result.

We've also added a filter to the project browsing pages to allow you to filter results by the presence of a supported, stable release. This should make it easier for site builders to sort out mature modules from those still in initial development.

Better visual separation of Documentation Guide description and contents

Better Documentation Guide Display

In response to user feedback, we've updated the visual display of Documentation Guides, to create a clearer distinction between the guide description text and the teaser text for the content within the guides.

Promoting hosting listings on the Download & Extend page

To leverage Drupal to the fullest requires a good hosting partner, and so we've begun promoting our hosting listings on the Download and Extend page. We want to provide every Drupal evaluator with all of the tools they need to achieve success—from the code itself, to professional services, to hosting, and more.

Composer Sub-tree splits of Drupal are now available

Composer Façade

For developers using Composer to manage their projects, sub-tree splits of Drupal Core and Components are now available. This allows php developers to use components of Drupal in their projects, without having to depend on Drupal in its entirety.

DrupalCI Automatic Requeuing of Tests in the event of a CI Error

DrupalCI logo

In the past, if the DrupalCI system encountered an error when attempting to run a test, the test would simply return a "CI error" message, and the user who submitted the test had to manually submit a new test. These errors would also cause the issues to be marked as 'Needs work' - potentially resetting the status of an otherwise RTBC issue.

We have updated's integration with DrupalCI so that instead of marking issues as needs work in the event of a CI Error, will instead automatically queue a retest.

Bugfix: Only retest one environment when running automatic RTBC retests

Finally, we've fixed a bug with the DrupalCI's automatic RTBC retest system. When Drupal HEAD changes, any RTBC patches are automatically retested to ensure that they still apply. It is only necessary to retest against the default or last-used test environment to ensure that the patch will work, but the automatic retests were being tested against every configured environment. We've fixed this issue, shortening queue times during a string of automatic retests and saving testing resources for the project.


As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Technology

Custom Landing Page Builder - Unsupported - SA-CONTRIB-2017-050

Drupal Contrib Security - Wed, 24/05/2017 - 14:59
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-050
  • Project: landing_page (third-party module)
  • Date: 24-May-2017

The Custom Landing Page Builder module allows webmasters to build custom landing pages using a WYSIWYG editor while still having full control over the full layout of the page including the header, navigation, page content, footer, forms etc.

The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer.
If you would like to maintain this module, please read:

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed landing_page module,
there is nothing you need to do.


If you use the landing_page module for Drupal you should uninstall it.

Also see the landing_page project

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at or via
the contact form at

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at

Categories: Technology

Beta: LVE-Stats 2 updated

CloudLinux - Wed, 24/05/2017 - 10:00

The new updated LVE-Stats 2 with the number of bugfixes and increased stability is available for download from our updates-testing repository.


Release notes:

Fixed problem with sending notifications in DirectAdmin (LVES-720, LVES-730, LVES-716).
Bugs fixed, code optimized.


  • LVES-725: fixed lve-stats-tests for Plesk;
  • LVES-705: correctly show MySQL CPU/IO usage and limit for MySQL Governor all mode (cloudlinux-top);
  • LVES-730: improved the definition of resellers in statsnotifier;
  • LVES-718: fixed a bug when dbgovchart generated incorrect charts (labels);
  • LVES-712: optimized plugins. Iteration #2;
  • LVES-720: made correct configuration for DA for using notifier in it;
  • LVES-716: implemented different email messages for different control panels;
  • LVES-719: corrected MySQLGovernor limit dimension.

To install run:

yum install lve-stats --enablerepo=cloudlinux-updates-testing

To update run:

yum clean all --enablerepo=cloudlinux-updates-testing yum update lve-stats --enablerepo=cloudlinux-updates-testing

To downgrade:

yum downgrade lve-stats
Categories: Technology

Beta: Alt-PHP updated

CloudLinux - Tue, 23/05/2017 - 15:51

The new updated Alt-PHP packages are available for download from our updates-testing repository.






  • ALTPHP-335: updated to 3.1.2.


  • add patches for CVE-2017-9098 and CVE-2017-7606.

To install run the command:

yum install alt-ImageMagick alt-php*phalcon3 --enablerepo=cloudlinux-updates-testing


Categories: Technology

MySQL 5.0 is no longer supported

CloudLinux - Tue, 23/05/2017 - 15:42

We have decided to stop MySQL 5.0 and cl-MySQL50 packages with MySQL Governor support due to a very low usage of the mentioned version and packages being outdated.

These packages will not be included in the further releases of CloudLinux OS.

For those who have MySQL 5.0 and MySQL Governor installed everything will work the same as before, but no more updates or fixes will be released.

If you want to receive updates and bug-fixes we recommend to update your database to MySQL 5.1 or higher. Please use the following instruction to do so:

/etc/init.d/mysql stop cp -R /var/lib/mysql /var/lib/mysql.bkp cd ~; mysqldump -u root -p --all-databases --skip-lock-tables > alldb.sql

update MySQL packages using instructions:

rm -rf /var/lib/mysql/* mysql_install_db --user=mysql

add skip-grant-tables to [mysqld] section of /etc/my.cnf

restart mysql service

mysql -u root -p < alldb.sql

remove skip-grant-tables from [mysqld] section of /etc/my.cnf

restart mysql service

Categories: Technology

Beta: CloudLinux 7 kernel updated

CloudLinux - Tue, 23/05/2017 - 14:57

The new updated CloudLinux 7 kernel version 3.10.0-614.10.2.lve1.4.50 is available for download from our updates-testing repository.

Changelog since 3.10.0-614.10.2.lve1.4.48:

To install new kernel please run the following command:

CloudLinux 7

yum install kernel-3.10.0-614.10.2.lve1.4.50.el7 kmod-lve-1.4-50.el7 --enablerepo=cloudlinux-updates-testing

CloudLinux 6 Hybrid

yum install kernel-3.10.0-614.10.2.lve1.4.50.el6h kmod-lve-1.4-50.el6h --enablerepo=cloudlinux-updates-testing,cloudlinux-hybrid-testing
Categories: Technology

Office 365 May news—exciting new value coming with the new Surface Pro

Microsoft Office - Tue, 23/05/2017 - 13:15

Today’s post was written by Kirk Koenigsbauer, corporate vice president for the Office team.

Earlier today, Microsoft announced the availability of Surface Studio, Laptop and Hololens in China along with the new Surface Pro and Surface Pen coming next month. At our event in Shanghai, Panos Panay showcased new inking capabilities in Office apps that are coming first to Windows and brought to life on Surface. These advances make your digital pen faster, more fluid and more personalized, helping you express yourself with rich, creative content.

Inking is smoother, more personalized and collaborative in Office

Inking has become a primary tool for personal expression, and the digital pen a critical way many people work. We’re continuing to improve and evolve the digital inking experience in Office, helping you create, collaborate and share ideas with ink. Building on our announcements last October, today we introduced new inking capabilities coming first to Windows touch-enabled devices and designed to work best with the new Surface Pen:

  • Fast, fluid and expressive ink—The new Surface Pen’s industry-leading technology shines when you write and draw in Office apps. With the new Surface Pen, your ink reacts to your unique touch with increased pressure sensitivity of 4,096 pressure points (from 1,024), as well as new tilt functionality that adjusts the thickness and texture of your ink granularly, based on the angle of your pen. Your ink also flows even more beautifully and effortlessly when you use the new Surface Pen in Office apps, with almost zero latency between your writing and the pen. Simply pick up your Surface Pen and start writing more expressively!

Availability: Increased pressure sensitivity, low-latency and tilt improvements for inking will work automatically for Office 365 subscribers using the new Surface Pen on the new Surface Pro (devices sold separately).
  • A new collaborative whiteboard experience—We showed future inking innovation coming first to the Microsoft Whiteboard app on Windows 10, such as collaborative inking, geometry recognition, table conversion and automatic table shading. Whiteboard is currently available in private preview on Surface Hub, and our vision is to bring it to more Windows 10 devices later this year (including the Surface Studio and Surface Pro, as demoed today) with exclusive capabilities for Office 365 subscribers. This will help you iterate on ideas together with others regardless of the device you’re on. Stay tuned for more!

Microsoft Whiteboard is being shown, including collaborative inking where inking from multiple people is showing up simultaneously with indicators of where each person is inking. Shape conversion, angle recognition, table conversion, and automatic table shading are also being shown.

Microsoft Whiteboard provides a limitless canvas for creativity and collaboration.

Availability: Microsoft Whiteboard is currently available in private preview on Surface Hub devices, and for education customers. It will expand to other Windows 10 devices and more segments later this year, with exclusive capabilities for Office 365 subscribers.
  • More ink options to express yourself—The pencil texture and ink effects like rainbow, galaxy, lava, ocean, gold, silver and more are coming to Word, Excel and PowerPoint. This helps you showcase your creativity in new ways with drawing and writing that pops off the page.

A drawing is being shown in PowerPoint with pencil texture and ink effects used to color in the images.

Express yourself with the pencil texture and ink effects in Word, Excel and PowerPoint.

Availability: The pencil texture and ink effects in Word, Excel and PowerPoint on Windows desktops are coming in June, for Office Insiders Fast. The ink effects will also be available more broadly with the June Office 365 updates. Both the pencil texture and rainbow, galaxy, gold and silver ink effects were already available in OneNote for Windows 10 (ink effects require an Office 365 subscription).
  • A digital pencil case that goes where you go—Office apps now include a customizable gallery for your favorite pens, pencils and highlighters, which automatically roams with you across apps and devices. This means your personalized inking tools stay handy wherever you work.

The new customizable and roaming pens gallery is being shown in Word, including customization options showing in a dropdown for a selected pen currently set to the lava ink option.

The new customizable pens gallery roams with you across apps and devices.

Availability: The new customizable and roaming pens gallery in Word, Excel and PowerPoint on Windows desktops is coming with the June Office 365 updates. The new customizable pens gallery in OneNote for Windows 10 is also coming in June for all customers, with roaming coming later this year. Updates for Office 365 commercial customers

This month, we have updates for our commercial subscribers including new tools for understanding and transforming their organizations, as well as new capabilities and a look at our vision and roadmap for SharePoint:

  • Office 365 adoption content pack in Power BIThe new Office 365 adoption content pack in Power BI combines the intelligence of Office 365 usage reports with the interactive reporting capabilities of Power BI. This means admins can visualize and analyze their organization’s Office 365 usage data, create custom reports and share the insights with Power BI—pivoting by attributes such as location and department. This better understanding of how their users adopt and use Office 365 can help admins drive more targeted end user training and communication.

The dashboard of the Office 365 adoption content pack in Power BI is being shown in a web browser.

Understand Office 365 usage and drive targeted end user training with the new Office 365 adoption content pack in Power BI.

Availability: The Office 365 adoption content pack in Power BI is available in public preview for Office 365 commercial customers.
  • Inform and engage employees with SharePoint communication sites—Introduced at SharePoint Virtual Summit, SharePoint communication sites let you create beautiful, mobile-ready intranet sites. While SharePoint team sites allow sharing of content, knowledge and apps within your group, communication sites let you share resources, news and information with a broad audience, across the organization. Integration with Yammer lets you engage your audience, solicit feedback and encourage best practice sharing. Communication sites are easy to create, customizable and look great on whatever device you use. Learn more about communication sites.

A SharePoint communication site is being shown, including company news, key documents, upcoming events, training videos, an integrated Yammer discussion feed, and more.

Create beautiful communication sites to reach a broad audience across your organization.

Availability: Communication sites in SharePoint are coming to First Release for Office 365 commercial customers starting in June.
  • Access all your files in File Explorer—Introduced at Build, OneDrive Files On-Demand allows you to access all your work and personal files in the cloud without having to download them to your device and use up storage space. This helps you work the way you’re used to, with all your files—even online files—visible in File Explorer and available whenever you need them.

OneDrive Files On-Demand is being shown, with a File Explorer view showing files in the cloud and on the user’s device, as well as the ease with which a cloud document can be opened.

Access all your work and personal cloud files in File Explorer, without downloading them and using up storage space.

Availability: OneDrive Files On-Demand is coming to Windows 10 Insider Preview early this summer and will be publicly available with the Windows 10 Fall Creators Update.
  • Share from File Explorer and Finder on Mac—Introduced at SharePoint Virtual Summit, a new unified sharing experience for OneDrive lets you share files or folders with specific people right from your desktop, as well as send sharing links to people inside or outside your organization. You can also easily view or modify the permissions you have granted, including how long access will last. Learn more about the unified sharing experience for OneDrive.

The new unified sharing experience for OneDrive is being shown in File Explorer. A file has been selected and a colleague is being granted the desired level of access permissions.

Easily share OneDrive files and folders with colleagues inside and outside your organization.

Availability: The new unified sharing experience will start rolling out to consumers and Office 365 commercial customers in June and July. It will be consistent across File Explorer on Windows 10 and Windows 7, Finder on Mac and on the web.
  • SharePoint and Microsoft PowerApps integration—As announced at SharePoint Virtual Summit, you’ll soon be able to use PowerApps to easily create custom forms and rich, digital experiences right from within a SharePoint list or library. This will help your company transform team and organizational processes, with users creating, viewing and interacting with data from your custom form or app, rather than default SharePoint forms. Learn more about PowerApps integration with SharePoint.

PowerApps integration with a SharePoint site is being shown, with a new purchase request being populated within a form integrated via Microsoft PowerApps.

PowerApps integration will let your users create, view and interact with data within an app from within SharePoint lists and libraries.

Availability: Custom SharePoint forms built with Microsoft PowerApps will be available starting this summer, for Office 365 commercial customers. Other Office 365 updates this month

Learn more about what’s new for Office 365 subscribers this month at: Office on Windows desktops | Office for Mac | Office Mobile for Windows | Office for iPhone and iPad | Office on Android. If you’re an Office 365 Home or Personal customer, be sure to sign up for Office Insider to be the first to use the latest and greatest in Office productivity. Commercial customers on both Current Channel and Deferred Channel can also get early access to a fully supported build through First Release. This site explains more about when you can expect to receive the features announced today.

—Kirk Koenigsbauer

The post Office 365 May news—exciting
new value coming with the
new Surface Pro
appeared first on Office Blogs.

Categories: Technology

Beta: mod_lsapi updated

CloudLinux - Tue, 23/05/2017 - 09:59

The new updated mod_lsapi packages for CloudLinux 6 and 7 as well as for Apache 2.4 (CloudLinux 6) and EasyApache 4 (CloudLinux 6 and 7) are available from our updates-testing repository.


mod_lsapi 1.1-11

ea-apache24-mod_lsapi 1.1-11

httpd24-mod_lsapi 1.1-11

  • MODLS-401: added dynamic tuning of lsapi_backend_children parameter;
  • MODLS-410: priority of php_value from httpd.conf lowered to PERDIR.

To update:

cPanel & RPM Based

$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing $ yum update mod_lsapi --enablerepo=cloudlinux-updates-testing $ service httpd restart


$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing $ cd /usr/local/directadmin/custombuild $ ./build set cloudlinux_beta yes $ ./build update $ ./build mod_lsapi

To install, follow the instructions on the link:

For EasyApache 4

To update:

$ yum update liblsapi liblsapi-devel ea-apache24-mod_lsapi --enablerepo=cl-ea4-testing --enablerepo=cloudlinux-updates-testing $ service httpd restart

If you are using ea-apache24-mod_lsapi-1.1-9 or lower, then after the update all of your domains that used mod_lsapi will be switched to suPHP as default PHP handler used from MultiPHP Manager. To turn on mod_lsapi back, go to MultiPHP Manager and chose lsapi handler.

To install:

$ yum-config-manager --enable cl-ea4-testing $ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing


$ yum-config-manager --disable cl-ea4-testing

Go to MultiPHP Manager and enable mod_lsapi on your domains through lsapi handler

To remove mod_lsapi:

Before deleting mod_lsapi, make sure to change the lsapi handler to any other from MultiPHP Manager (optional).

http24 for CloudLinux 6

For installation/update run:

$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing $ yum install httpd24-mod_lsapi --enablerepo=cloudlinux-updates-testing
Categories: Technology

Announcing the public preview of the Office 365 adoption content pack in PowerBI

Microsoft Office - Mon, 22/05/2017 - 17:00

Since March 2016, the usage reports in the Office 365 admin center have been providing admins with insights about how users adopt and use the various services in Office 365. Today, we’re pleased to announce the public preview of the Office 365 adoption content pack in Power BI, which enables customers to get more out of Office 365.

The content pack combines the intelligence of the usage reports with the interactive analysis capabilities of Power BI, providing rich usage and adoption insights. With these insights, admins can drive more targeted user training and communication that helps them transform how their organizations communicate and collaborate, enabling a truly modern workplace.

Insights you can act on

Office 365 gives users the freedom to work from anywhere and the services they need to be more productive and collaborative. Sometimes, however, people need a helping hand to get started with Office 365. For example, if someone doesn’t use Skype for Business, they might not know how to get started using Skype or understand how they can leverage it to communicate better. In either case, the IT department might want to connect with this person to provide them with more information or training resources.

The new Office 365 adoption content pack gives you a cross-product view of how users communicate and collaborate to help IT admins provide more targeted user communication. When you better understand how employees use the various services within Office 365, it is easy to decide where to prioritize training and communication efforts. The content pack lets admins further visualize and analyze their Office 365 usage data, create custom reports, share insights and understand how specific regions or departments use Office 365.

Gain deep insights on usage trends

The centerpiece of the content pack is a pre-built dashboard, which provides IT admins with a cross-product view of how users are accessing the suite of products within Office 365. For most of the metrics, the content pack provides data for the last 12 months, so you can easily see how usage is trending and has evolved over time.

The dashboard is split up into four main areas: Understanding adoption, Communication, Collaboration and Activation. Each area provides you with specific usage insights.

Understanding adoption area—Offers an all-up summary of adoption trends that helps you understand how users have adopted Office 365. You can easily see how many licensed users actively use the various Office 365 services, what combination of products are popular within your organization, and analyze adoption trends for individual products.

Communication area—Highlights the services that people use to communicate, such as Skype for Business, Exchange and Yammer. You can see which communication methods are used most by users and drill into details to understand if there are any shifts in how employees use the various tools to communicate.

Collaboration area—Shows how people in your organization use OneDrive for Business and SharePoint to store documents and work together—including how many users are active on their own accounts versus accounts owned by others. This information is a good indicator to understand if people use OneDrive for Business and SharePoint primarily to just store files, or if they are also using these services to share content and collaborate with others.

Activation area—Helps you understand Office 365 ProPlus, Project Pro and Visio Pro activations in your organization. You can easily see how many users have activated the products, enabling admins to ensure that users have the latest versions of Office applications. The report also provides information about the type of device users have activated the products on, helping admins understand what devices are popular in their organization and how many users work on the go.

Access richer usage insights

Every organization has unique questions around usage and adoption. The content pack helps answer these questions, enabling you to pivot, analyze, customize and share the information.

Analyze usage by department, organization or location—Many of you want a full picture of how specific departments or regions use Office 365. To enable these advanced analytics scenarios, the content pack combines the usage data of users with their information in Azure Active Directory (AAD). You can pivot the reports by AAD attributes like location, department or organization information.

Leverage built-in filters to get insights relevant to you—On many reports, contextual filters allow you to easily slice and dice the data available, for example, to understand adoption trends for individual products.

Quickly find out who your power users are—The content pack includes a user activity report for each service to identify power users. These users typically have very thorough product knowledge and can help train other users. They can share how they are using the service, how it helps them every day to be productive, and offer tips on how to get started. Power users can help lead the digital transformation in your organization by example. The user activity report also lets you identify users that have yet to use a particular product. Armed with this information, you can be very targeted in your adoption campaigns.

Customize the content pack—The dashboard and the underlying reports are templates to help you quickly get started with the content pack. The true power of the content pack lies in the underlying data. We want admins to have full control over their data, so we have made sure that you can customize the content pack and structure the charts based on your organization’s needs.

There are three ways to customize the content pack:

  • Take one of the pre-built visuals and modify it—by removing information or by changing the visual format, for example.
  • Create a brand-new visual by leveraging the underlying data sets.
  • Connect to the pbit file in Power BI Desktop, which enables you to bring in your own data sources.

Share the content pack—Using the sharing capabilities of Power BI Pro, you can easily share the dashboard with people both inside and outside of your organization, such as business stakeholders or your leadership team.

Importance of your feedback

We’d like to thank each one of you who participated in the limited preview and who provided feedback on the early versions of the content pack. Over the past several months, we have received numerous pieces of feedback that have helped us identify gaps and ensure that the content pack provides you with actionable insights. And it’s great to hear how it’s already helping many of you to derive even more value out of Office 365:

The adoption content pack is one of the best Office 365 admin tools for us. It gives us a clear picture of how our organization uses Office 365, and it allows us to get really targeted in our user training efforts, as we know exactly how each user uses the products—or often more important—does not use the products yet.”
—Customer feedback

Get started with the content pack

The content pack is available to all customers free of charge. You’ll only need the free Power BI service to connect to the content pack—use your Office 365 admin account to sign up. You can also customize the dashboards and reports with the free Power BI service. To connect to the content pack, you first need to enable it in the Office 365 admin center. On the Usage Reports page, you will see a new card at the bottom of the page where you can opt in to the content pack. This step kicks off a workflow that generates your historical usage trends. This data processing task takes between 2 and 48 hours, depending on the size of your organization and how long you’ve been using Office 365. After data preparation is complete, it’s ready to show in the content pack. Please follow the steps described to connect to the content pack for your organization.

Please note that you must be a global admin or a product admin (Exchange, Skype for Business, SharePoint) to connect to the content pack.

Learn more

You can find additional information about the content pack, including FAQs, in the following support articles:

If you have questions, please post them in the adoption content pack group in the Microsoft Tech Community. Also, join us for an Ask Microsoft Anything (AMA) session, hosted by the Microsoft Tech Community on June 7, 2017 at 9 a.m. PDT. This live online event will give you the opportunity to connect with members of the product and engineering teams who will be on hand to answer your questions and listen to feedback. Add the event to your calendar and join us in the adoption content pack in Power BI AMA group.

Let us know what you think!

Try the public preview of the Office 365 adoption content pack in Power BI and provide feedback using the feedback link in the lower-right corner of the Usage Reports page in the admin center. And don’t be surprised if we respond to your feedback. We truly read every piece of feedback that we receive to make sure the Office 365 reporting experience meets your needs.

—Anne Michels, @Anne_Michels, senior product marketing manager for the Office 365 Marketing team

The post Announcing the public preview of the Office 365 adoption content pack in PowerBI appeared first on Office Blogs.

Categories: Technology

The 5th Annual China PHP Conference

PHP - Mon, 22/05/2017 - 12:50
Categories: Technology


Subscribe to aggregator - Technology
Automated Visitors