cPanel Security Team: Bash CVE-2014-6217 and CVE-2014-7169

CVE-2014-6217 is a critical vulnerability in all versions of GNU Bash, the Bourne Again Shell. This vulnerability allows an attacker to execute arbitrary shell commands any time a Bash shell executes with environment variables supplied by the attacker. On cPanel & WHM systems, there are numerous entry points through which this vulnerability could be exploited. This blog post from Red Hat demonstrates how such attacks are possible: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

CVE-2014-7169 is a second vulnerability in all versions of GNU Bash. This second CVE covers attack vectors that were not fixed in the initial updates for CVE-2014-6217. Targeting CVE-2014-7169 is more complicated for an attacker. The authors of GNU Bash are currently working on updates to address CVE-2014-7169. This article from Red Hat has additional details about this flaw: https://access.redhat.com/articles/1200223

What does this mean for cPanel servers?

cPanel & WHM does not provide any copies of the Bash shell. The Red Hat, CentOS and CloudLinux operating systems that cPanel & WHM is installed on provide the Bash shell as their default /bin/sh interpreter. All three distros have published patched versions of the Bash shell to their mirrors to address CVE-2014-6217. To update any affected servers, run “yum clean all” to clear YUM’s local caches followed by “yum update” to install the patched version of Bash. After Bash is updated you should reboot the system.

You can ensure you are updated by running the command “rpm -q bash”. The package information displayed should match the version numbers provided by Red Hat at https://access.redhat.com/solutions/1207723

Red Hat Enterprise Linux 7 – bash-4.2.45-5.el7_0.2
Red Hat Enterprise Linux 6 – bash-4.1.2-15.el6_5.1
Red Hat Enterprise Linux 5 – bash-3.2-33.el5.1
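As an added example (not part of the cPanel post), a POSIX shell helper that compares the output of “rpm -q bash” with the three package versions listed above; it assumes GNU “sort -V” is available and treats a newer build (such as the later CVE-2014-7169 update) as patched as well:

```shell
#!/bin/sh
# Added example (not from the cPanel post): compare the output of "rpm -q bash"
# with the patched package versions the post lists for CVE-2014-6217.

# Patched bash package (name-version-release) per EL release, copied from the post.
expected_bash_nvr() {
    case "$1" in
        el7) echo "bash-4.2.45-5.el7_0.2" ;;
        el6) echo "bash-4.1.2-15.el6_5.1" ;;
        el5) echo "bash-3.2-33.el5.1" ;;
        *)   return 1 ;;
    esac
}

# Pull the "elN" dist tag out of an NVR such as bash-4.1.2-15.el6_5.1.
# Prints nothing for packages without such a tag.
dist_tag() {
    printf '%s\n' "$1" | sed -n 's/.*\.\(el[0-9][0-9]*\).*/\1/p'
}

# bash_is_patched NVR
#   exit 0 if NVR is the patched build or newer (e.g. a later CVE-2014-7169 build),
#   exit 1 if it is older than the patched build,
#   exit 2 if the dist tag is missing or is not one of el5/el6/el7.
bash_is_patched() {
    installed="$1"
    tag=$(dist_tag "$installed")
    [ -n "$tag" ] || return 2
    expected=$(expected_bash_nvr "$tag") || return 2
    # GNU version sort puts the higher package last; the installed package is
    # patched when it sorts at or after the expected one.
    newest=$(printf '%s\n%s\n' "$expected" "$installed" | sort -V | tail -n 1)
    [ "$newest" = "$installed" ]
}

# Check the live system. Requires rpm, so it is not called when the file is sourced.
check_system() {
    installed=$(rpm -q bash 2>/dev/null) || { echo "rpm not available"; return 2; }
    rc=0; bash_is_patched "$installed" || rc=$?
    case $rc in
        0) echo "OK: $installed" ;;
        1) echo "ACTION NEEDED: $installed is older than the patched build; run yum clean all && yum update, then reboot" ;;
        *) echo "UNKNOWN: $installed is not a known el5/el6/el7 build; compare it with Red Hat's list by hand" ;;
    esac
    return $rc
}
```

On a server, call check_system; the comparison itself takes the NVR as a string, so it can be exercised without rpm present.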

Red Hat, CentOS and CloudLinux are expected to release additional updates to address CVE-2014-7169. Once these updates are released, you should repeat the update process for the new version of Bash.

Notifications about security updates for Red Hat, CentOS, and CloudLinux can be found at the following URLs:

Red Hat http://www.redhat.com/mailman/listinfo/rhsa-announce
CentOS http://lists.centos.org/mailman/listinfo/centos-announce
CloudLinux http://cloudlinux.com/blog/

What steps do I need to take as an Admin/root of our servers running cPanel & WHM?

Once the RPM of Bash has been updated and the system rebooted, you are fully protected.

cPanel also recommends that you configure the system to update both the base operating system and the cPanel & WHM software automatically. These settings are located in WHM’s “Update Preferences” interface.

Enkompass EOL Notice

All versions of Enkompass reached EOL in February 2014. Effective immediately, Enkompass will no longer be available for download, licensing, or indirect support. In accordance with our EOL policy [http://go.cpanel.net/eol], Enkompass will continue to function on servers after it reaches EOL. However, we will not provide further updates (for example, security fixes and installations) for Enkompass version 3.0 after it reaches its EOL date.

Support, including documentation and online forums, will no longer be available through cPanel, Inc. as of this notice.

For the PGP-signed message, see Enko-EOL.

11.40 EOL, 1 Month Notice

cPanel & WHM software version 11.40 will reach End of Life at the end of October 2014.

In accordance with our EOL policy [http://go.cpanel.net/longtermsupport], 11.40 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.40 once it reaches its EOL date.

We recommend that all customers migrate any existing installations of cPanel & WHM 11.40 to a newer version (either 11.42 or 11.44).

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at http://go.cpanel.net/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

For the PGP-signed message, see 11.40 30 day notice-signed.

EasyApache to Install Apache 2.4 in Basic Profile – 60 Day Notice

In approximately 60 days, the Basic profile in EasyApache will build Apache 2.4 by default. This change will not alter existing EasyApache profiles that build Apache 2.2. If you plan to update from an existing Apache 2.2 installation to Apache 2.4, we strongly recommend that you build in a test environment before you migrate Apache versions on a production server.

Review the following links for more information on the differences between Apache 2.2 and 2.4:

http://documentation.cpanel.net/display/EA/Critical+Changes+In+Apache+2.4

http://httpd.apache.org/docs/trunk/upgrading.html

cPanel TSR-2014-0007 Full Disclosure

Case 109049

Summary

Arbitrary file overwrite in /scripts/synccpaddonswithsqlhost.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The synccpaddonswithsqlhost script performed unsafe file operations inside the home directories of unprivileged users while running with root’s permissions. By manipulating symbolic links within the .cpaddons sub-directory, a local attacker could overwrite arbitrary files with known data.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.44.1.18
11.42.1.26
11.40.1.21

cPanel TSR-2014-0007 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

EasyApache 3.26.7 Released

SUMMARY
cPanel, Inc. has released EasyApache 3.26.7 with Apache version 2.2.29. This release addresses vulnerabilities CVE-2014-0118, CVE-2014-0231, CVE-2014-0226 and CVE-2013-5704. We encourage all Apache 2.2 users to upgrade to Apache version 2.2.29.

11.40 EOL, 2 Month Notice

cPanel & WHM software version 11.40 will reach End of Life at the end of October 2014.

In accordance with our EOL policy [http://go.cpanel.net/longtermsupport], 11.40 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.40 once it reaches its EOL date.

EasyApache 3.26.6 Released

SUMMARY
cPanel, Inc. has released EasyApache 3.26.6 with PHP versions 5.4.32 and 5.5.16. This release addresses vulnerabilities CVE-2014-3538, CVE-2014-3587, CVE-2014-2497, CVE-2014-5120, CVE-2014-3597, CVE-2014-4670 and CVE-2014-4698. We encourage all PHP 5.4 users to upgrade to PHP version 5.4.32 and all PHP 5.5 users to upgrade to PHP version 5.5.16.

11.44 Now in STABLE Tier

8/20/2014
Houston, TX -

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.44, which is now available in the STABLE tier.
