cPanel TSR-2014-0003 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Critical.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.42.0.23 & Greater
* 11.40.1.13 & Greater
* 11.38.2.23 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 47 vulnerabilities in cPanel & WHM software versions 11.42, 11.40, and 11.38.

Additional information is scheduled for release on March 26th, 2014.

For information on cPanel & WHM Versions and the Release Process, read our documentation at:

http://go.cpanel.net/versionformat

For the PGP signed message, please go to: http://cpanel.net/wp-content/uploads/2014/03/TSR-2014-0003-Accouncement.txt

EasyApache 3.24.13 Released

SUMMARY
cPanel, Inc. has released EasyApache 3.24.13 with Apache version 2.4.9. This release addresses Apache vulnerabilities CVE-2014-0098 and CVE-2013-6438 by fixing bugs in the mod_log_config and mod_dav modules. We encourage all Apache users to upgrade to Apache version 2.4.9.

AFFECTED VERSIONS
All versions of Apache version 2.4 before 2.4.9.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-0098 – MEDIUM

Apache 2.4.9
Fixed bug in the mod_log_config module related to CVE-2014-0098.

CVE-2013-6438 – MEDIUM

Apache 2.4.9
Fixed bug in the mod_dav module related to CVE-2013-6438.

SOLUTION
cPanel, Inc. has released EasyApache 3.24.13 with an updated version of Apache 2.4 to correct these issues. Unless you have disabled EasyApache updates, EasyApache will include the latest version of Apache automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0098
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6438
http://httpd.apache.org/docs/trunk/new_features_2_4.html

For the PGP-signed message, see EA3 CVE 3-24-13-signed.

11.42 Now in STABLE Tier

3/17/2014
Houston, TX –

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.42, which is now available in the STABLE tier.

cPanel & WHM version 11.42 offers a brand new theme, an upgrade to Horde Groupware Webmail, and more.

Paper Lantern Theme
As part of 11.42, cPanel & WHM introduces Paper Lantern, a modern, powerful theme. With its simplified design, beautiful icon set, and thoughtful feature names, this edition of Paper Lantern is only the beginning.

Horde Groupware Webmail Upgrade
cPanel & WHM now uses Horde Groupware Webmail Edition 5.1. This upgrade provides a simple webmail application for all users, regardless of experience level.

Detailed information on all cPanel & WHM version 11.42 features can be found at https://documentation.cpanel.net.* An overview of the latest features and benefits is also available at http://releases.cpanel.net.

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.

*Please note the updated URL for cPanel & WHM Documentation.

EasyApache 3.24.12 Released

SUMMARY
cPanel, Inc. has released EasyApache 3.24.12 with PHP versions 5.5.10 and 5.4.26. This release addresses PHP vulnerabilities CVE-2014-1943, CVE-2014-2270, and CVE-2013-7327 by fixing bugs in the Fileinfo and GD modules. We encourage all PHP users to upgrade to PHP versions 5.5.10 and 5.4.26.

AFFECTED VERSIONS
All versions of PHP 5.4 before 5.4.26.
All versions of PHP 5.5 before 5.5.10.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-1943 – MEDIUM

PHP 5.4.26
Fixed bug in the Fileinfo module related to CVE-2014-1943.

PHP 5.5.10
Fixed bug in the Fileinfo module related to CVE-2014-1943.

CVE-2014-2270 – MEDIUM

PHP 5.4.26
Fixed bug in the Fileinfo module related to CVE-2014-2270.

PHP 5.5.10
Fixed bug in the Fileinfo module related to CVE-2014-2270.

CVE-2013-7327 – MEDIUM

PHP 5.5.10
Fixed bug in the GD module related to CVE-2013-7327.

SOLUTION
cPanel, Inc. has released EasyApache 3.24.12 with updated versions of PHP 5.4 and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache will include the latest versions of PHP automatically. Run EasyApache to rebuild your profile with the latest version of PHP.
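As an added check (not cPanel's own tooling) that ties together the fixed versions quoted in these announcements for cPanel & WHM (TSR-2014-0003: 11.42.0.23, 11.40.1.13, 11.38.2.23), Apache (EasyApache 3.24.13: 2.4.9) and PHP (EasyApache 3.24.12: 5.4.26, 5.5.10), the Python helper below compares an installed version string against the first fixed release of its own branch, so a server on the 11.40 tier is not judged against the 11.42 number. The version tables are copied from the announcements; the sample server values are constructed.

```python
# Added example (not cPanel's own tooling): compare installed versions against
# the first fixed version for each branch quoted in the announcements above.
# Version tables come from the announcements; sample inputs are constructed.
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Branch (major, minor) -> first version in that branch that carries the fix.
CPANEL_TSR_2014_0003: Dict[Version, Version] = {
    (11, 42): (11, 42, 0, 23),
    (11, 40): (11, 40, 1, 13),
    (11, 38): (11, 38, 2, 23),
}
APACHE_EA_3_24_13: Dict[Version, Version] = {(2, 4): (2, 4, 9)}
PHP_EA_3_24_12: Dict[Version, Version] = {(5, 4): (5, 4, 26), (5, 5): (5, 5, 10)}


def parse_version(text: str) -> Version:
    """'11.42.0.23' -> (11, 42, 0, 23); raises ValueError on junk input."""
    return tuple(int(part) for part in text.strip().split("."))


def is_fixed(version: str, table: Dict[Version, Version]) -> Optional[bool]:
    """True if the version is at or above the fixed release for its branch,
    False if it is below it, None if the branch is not listed in the table
    (a branch the advisory does not cover, e.g. cPanel 11.36, which is EOL).
    A version with fewer components than the minimum (e.g. '11.42.0') sorts
    below it and is therefore reported as not fixed (conservative)."""
    parsed = parse_version(version)
    fixed = table.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


def audit(server: Dict[str, str]) -> Dict[str, str]:
    """Map each known component of a server to 'fixed', 'VULNERABLE' or 'unlisted'."""
    tables = {
        "cpanel": CPANEL_TSR_2014_0003,
        "apache": APACHE_EA_3_24_13,
        "php": PHP_EA_3_24_12,
    }
    labels = {True: "fixed", False: "VULNERABLE", None: "unlisted"}
    return {name: labels[is_fixed(ver, tables[name])]
            for name, ver in server.items() if name in tables}


if __name__ == "__main__":
    # Constructed sample: a host on the 11.40 tier, patched Apache, old PHP.
    sample = {"cpanel": "11.40.1.12", "apache": "2.4.9", "php": "5.4.25"}
    for component, status in audit(sample).items():
        print(f"{component:7s} {sample[component]:12s} {status}")
```

On a live cPanel host the installed cPanel & WHM version can be read from /usr/local/cpanel/version and fed to `is_fixed` with the TSR table; versions on an unlisted branch come back as `unlisted` rather than `fixed`, which is the safe default for EOL tiers.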

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1943
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2270
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7327
http://www.php.net/ChangeLog-5.php#5.5.10
http://www.php.net/ChangeLog-5.php#5.4.26

For the PGP-signed message, see EA3-CVE-3-24-12-signed.

EasyApache End of Life Warning Messages

Since the release of EasyApache 3.24.11, you may have noticed a variation of the following warning message when starting EasyApache:

Your server is currently on cPanel & WHM version 11.36.2.12. This version of cPanel & WHM has reached End of Life.

cPanel & WHM version 11.36.2.12 will continue to receive updates to EasyApache for 90 days after February 10, 2014. To receive EasyApache updates after May 11, 2014, you must update the cPanel & WHM version on this server.

For more information on how to upgrade cPanel & WHM, visit upgrade cPanel and WHM version.

If you receive this warning message, then your server is running a version of cPanel & WHM that has reached End of Life (EOL)*. We will continue to provide EasyApache updates for EOL versions of cPanel & WHM until May 11, 2014. However, we strongly encourage users running EOL versions of cPanel & WHM to upgrade before this date.

If your server runs an EOL version of cPanel & WHM after May 11, 2014, then the functionality of EasyApache will change in the following ways:

  • Your server will no longer receive EasyApache updates, which include Apache and security patches.
  • You will no longer be able to update or change components within EasyApache.
  • You will only be able to rebuild the last successful profile.

For example, after May 11, 2014, a server running cPanel & WHM version 11.36 and Apache version 2.2 will not be able to rebuild EasyApache with Apache version 2.4. Even minor version updates, such as an update from PHP 5.4.24 to 5.4.25, will not be possible after this date.

These changes to EasyApache functionality will allow the EasyApache development team to provide you with the following improvements:

  • Quicker EasyApache release cycles
  • More feature development
  • More bug fixes
  • Fewer EasyApache security issues related to the support of out-of-date software

For more information on the cPanel & WHM upgrade process, visit Upgrade to Latest Version.

You can also follow the EasyApache development team’s progress on the upcoming Optimized Profiles feature via the EasyApache forums and cPanel Blog.

*On February 28, 2014, cPanel & WHM versions 11.36 and earlier reached EOL. In April 2014, cPanel & WHM version 11.38 will also reach EOL.