11.32 Impending EOL

cPanel & WHM 11.32 reaches End Of Life August 20, 2013. That means there are only 5 months left in the life cycle.

In accordance with our End of Life Policy, cPanel & WHM 11.32 will continue functioning on servers after reaching End Of Life. No further updates, including security fixes, and no new installations will be provided for 11.32 after the End Of Life date.

cPanel & WHM 11.32 is the last version to support the following:

  • CentOS 4
  • RHEL 4
  • MySQL 4.0
  • MySQL 4.1

All customers currently using cPanel & WHM 11.32 are advised to begin planning the upgrade to cPanel & WHM 11.36 (EOL Date: March 2014). If you desire assistance with your migration plans, please contact our technical support team at https://tickets.cpanel.net/submit/. Our professional staff will help with recommendations, migration assistance and more.

GPG signed version is available

Posted in News

11.36 Pushed to RELEASE Tier

March 11, 2013
Houston, TX-

cPanel, Inc. announces the release of cPanel & WHM 11.36 to the RELEASE tier.

Included in this brand new release are further improvements to the update system, building on work started with cPanel & WHM 11.30. A new staging step during installation allows a variety of checks to occur prior to changing the cPanel & WHM installation. This makes both new installations and upgrades more reliable.

cPanel & WHM 11.36 also brings an entirely new system for managing applications, based upon the tried-and-true RPM packaging format. By distributing applications via RPM we are able to reduce cPanel & WHM installation time by 30%, on average. The new system also provides integrators and system deployers a simplified means of distributing applications with cPanel & WHM.

We are happy to announce that cPanel & WHM 11.36 brings a modern version of Perl with it. Perl 5.14 is available with all versions of 11.36 and newer. This change brings an end to the older Perl 5.8.8 distributed with prior versions of cPanel & WHM.

Also in cPanel & WHM 11.36 is support for Apache 2.4, provided via EasyApache. Apache 2.4 brings many new features and performance benefits to your web hosting platform.

Other features are also available in version 11.36:

  • The email auto discovery feature, first introduced in cPanel & WHM 11.34, has been updated with improved compatibility with existing setups.
  • It is now possible to display the number of files used by an account in the cPanel Stats Bar.
  • The ability to track mail sent by web applications is improved through new functions to query the web server, and with X-PHP-Script functionality added to PHP.

cPanel thanks the members of our EDGE-Users community for their feedback and testing of the development releases. If you would like to join this community please GO HERE: http://go.cpanel.net/cpmailinglist

Please note, after upgrading to the new release, a downgrade to an older version will not be permitted.

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated point-and-click web hosting platforms. cPanel licensed software allows owners of servers and websites, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces.

Posted in News, Press Releases, Release Announcements

2013-02-26 cPanel & WHM Security Advisory for 11.32, 11.34, and 11.36

The following disclosure covers the Targeted Security Release
2013-02-26. Each vulnerability is assigned an internal case number which
is reflected below.

Information regarding cPanel’s Security Level rankings can be found
here:

http://go.cpanel.net/securitylevels

Case 63700

Summary

File disclosure and code execution using API 2 call

Security Rating

cPanel has assigned a Security Level of “Important” to this
vulnerability.

Description

cPanel & WHM provide an API 2 call that allows branding code to include files
that are on the system. This function can also be called remotely. The
function did not check that the files requested were within the appropriate
document root, so arbitrary files could be read. Additionally, there
was the possibility to leverage this with another, third-party
vulnerability to execute arbitrary code.
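The defect class described above is a missing containment check: the include routine resolved whatever path the caller supplied without confirming the result stayed inside the document root. The following is an added example, not cPanel's code, that shows the vulnerable resolution beside a hardened one; the directory layout, file names and function names are constructed for the demonstration. The hardened version canonicalises both the root and the candidate with realpath (so a symlink planted inside the root that points outside it is also caught) and then compares whole path components.

```python
"""Document-root containment for a file-include call (added example).

Demonstrates the defect class in Case 63700: an include routine that
resolves a caller-supplied path without confirming the resolved file is
inside the intended document root. Not cPanel's code; the function names
and directory layout are assumptions constructed for the demo.
"""
import os
import shutil
import tempfile
from typing import Optional


def resolve_unchecked(docroot: str, requested: str) -> str:
    """Vulnerable pattern: join and normalise, but never check containment.
    '../' segments and absolute paths both walk out of docroot."""
    return os.path.normpath(os.path.join(docroot, requested))


def resolve_contained(docroot: str, requested: str) -> Optional[str]:
    """Hardened pattern: canonicalise both sides (following symlinks), then
    require the candidate to sit at or below the real document root.
    Returns the canonical path, or None when the request escapes."""
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath() compares whole components, so "/srv/www" does not
    # accidentally match a sibling such as "/srv/www-private".
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # e.g. different drives on Windows: treat as outside
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway tree (constructed data) and exercise both resolvers."""
    base = tempfile.mkdtemp()
    try:
        docroot = os.path.join(base, "public_html")
        os.makedirs(os.path.join(docroot, "branding"))
        with open(os.path.join(docroot, "branding", "header.html"), "w") as fh:
            fh.write("<h1>brand header</h1>\n")
        secret = os.path.join(base, "secret.txt")  # lives outside docroot
        with open(secret, "w") as fh:
            fh.write("not for the web\n")
        # A symlink placed inside docroot that points outside of it.
        os.symlink(secret, os.path.join(docroot, "link"))

        return {
            # a normal branding include resolves
            "legit_allowed": resolve_contained(docroot, "branding/header.html") is not None,
            # the unchecked join hands back the file outside docroot
            "unchecked_reaches_secret": os.path.realpath(
                resolve_unchecked(docroot, "../secret.txt")) == os.path.realpath(secret),
            # the contained resolver refuses each escape route
            "traversal_blocked": resolve_contained(docroot, "../secret.txt") is None,
            "absolute_blocked": resolve_contained(docroot, "/etc/hostname") is None,
            "symlink_blocked": resolve_contained(docroot, "link") is None,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

Note that the check is done on the canonical path, after symlink resolution, not on the string the caller supplied: string prefix tests on the raw request are exactly what `../` segments, absolute paths and planted symlinks defeat.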

cPanel would like to thank J.D. Lightsey of cPanel for discovering and
reporting this issue.

Solution

This issue is resolved in the following builds:

11.36.0.10 and greater
11.34.1.11 and greater
11.32.6.2 and greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 63624

Summary

Cross-site scripting attack in countedit.cgi

Security Rating

cPanel has assigned a Security Level of “Trivial” to this vulnerability.

Description

cPanel & WHM provides a script to edit website counters. Due to
insufficient input validation, a cross-site scripting attack was
possible. This could result in the counter information not being
correctly updated.

cPanel would like to thank Douglas Secco dos Santos of Andrade Soto
Information Security for discovering and reporting this issue.

Solution

This issue is resolved in the following builds:

11.36.0.10 and greater
11.34.1.11 and greater
11.32.6.2 and greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 63678

Summary

Unsafe temporary file in update blocker leading to symlink attack

Security Rating

cPanel has assigned a Security Level of “Important” to this
vulnerability.

Description

cPanel & WHM version 11.36 verifies that all disks are writable when
performing an upgrade. However, when testing this by writing files to
the system temporary directory, files were created with predictable names,
which could be exploited with a symlink attack to overwrite any file on
the system with predictable data. This issue affected only 11.36
systems.
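The failure mode in Case 63678 is a writability probe that opens a fixed, guessable file name in a shared temporary directory: a plain open-for-write follows a symlink sitting at that name and truncates whatever it points to. The added example below, which is not cPanel's code and uses constructed file names, contrasts that probe with two safe variants: the same fixed name created with O_CREAT|O_EXCL (and O_NOFOLLOW where the platform has it), which refuses a pre-placed link, and mkstemp(), which picks an unpredictable name and creates it exclusively so there is no name to pre-place.

```python
"""Disk-writability probe: predictable temp name vs. exclusive create (added example).

Illustrates the defect class in Case 63678 with constructed data. Not
cPanel's code; the file names and probe routines are assumptions.
"""
import os
import shutil
import tempfile

MARKER = b"writability probe\n"
PREDICTABLE_NAME = "writetest.tmp"  # assumed fixed name used by the vulnerable probe


def probe_predictable(tmpdir: str) -> bool:
    """Vulnerable pattern: fixed name, plain 'wb' open. open() follows a
    symlink planted at that name and truncates the link's target."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    try:
        with open(path, "wb") as fh:
            fh.write(MARKER)
        return True
    except OSError:
        return False
    finally:
        if os.path.lexists(path):
            os.unlink(path)  # removes only the link; the target stays clobbered


def probe_exclusive(tmpdir: str) -> bool:
    """Same fixed name, but O_CREAT|O_EXCL (+ O_NOFOLLOW where available):
    creation fails with EEXIST if anything, a symlink included, already
    occupies the name, so a planted link is refused rather than followed."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:  # FileExistsError when something sits at the name
        return False
    try:
        os.write(fd, MARKER)
        return True
    finally:
        os.close(fd)
        os.unlink(path)


def probe_safe(tmpdir: str) -> bool:
    """Preferred pattern: mkstemp() chooses an unpredictable name and
    creates it exclusively, leaving nothing for an attacker to pre-place."""
    try:
        fd, path = tempfile.mkstemp(dir=tmpdir, prefix="writetest.")
    except OSError:
        return False
    try:
        os.write(fd, MARKER)
        return True
    finally:
        os.close(fd)
        os.unlink(path)


def demo() -> dict:
    """Plant a symlink at the predictable name and run all three probes."""
    base = tempfile.mkdtemp()
    try:
        tmpdir = os.path.join(base, "tmp")
        os.mkdir(tmpdir)
        victim = os.path.join(base, "important.conf")  # stands in for a system file
        original = b"keep me\n"

        def plant_link() -> None:
            with open(victim, "wb") as fh:
                fh.write(original)
            link = os.path.join(tmpdir, PREDICTABLE_NAME)
            if os.path.lexists(link):
                os.unlink(link)
            os.symlink(victim, link)

        def victim_intact() -> bool:
            with open(victim, "rb") as fh:
                return fh.read() == original

        results = {}
        plant_link()
        results["predictable_reports_writable"] = probe_predictable(tmpdir)
        results["predictable_clobbers_target"] = not victim_intact()
        plant_link()
        results["exclusive_refuses_planted_link"] = not probe_exclusive(tmpdir)
        results["exclusive_target_intact"] = victim_intact()
        plant_link()
        results["mkstemp_reports_writable"] = probe_safe(tmpdir)
        results["mkstemp_target_intact"] = victim_intact()
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

The exclusive-create variant is shown only to isolate what O_EXCL buys; in practice the mkstemp() form is the one to use, since it also removes the guessable name that made the race possible in the first place.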

cPanel would like to thank Jeff Petersen of cPanel for discovering and
reporting this issue.

Solution

This issue is resolved in the following builds:

11.36.0.10 and greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Posted in key, Security

cPanel, Inc. Announces Additional Internal Security Enhancements

This is a follow up on the status of the security compromise that cPanel, Inc. experienced on Thursday, February 21, 2013.

As mentioned in our email sent to cPanel Server Administrators who’ve opened a ticket with us in the past 6 months, on February 21 we discovered that one of the proxy servers we utilize in the technical support department had been compromised. The cPanel Security Team’s investigation into this matter is ongoing.

We’d like to share with you the additional details about the intrusion that we have gathered, and to explain the preventative measures we’re putting into place that will introduce additional layers of security to our new and existing systems. How the server was accessed and compromised is not clear, but we know a few key facts that we’re sharing.

Here’s what we know:

  • The proxy machine compromised in this incident was, at the time, used by some of our Technical Analysts to access customer servers. Its intent was to provide a layer of security between local & remote workstations, as well as customer servers.
  • This proxy machine was compromised by a malicious third party through a single compromised workstation used by one of our Technical Analysts.
  • Only a small group of our Technical Analysts used this particular machine for logins, which means that fortunately only some customers who opened a ticket in the past 6 months would be affected by this compromise.
  • There is no evidence that any sensitive customer data was exposed, and there is no evidence that the actual database was compromised.

Here’s what we’re doing about it:

Documentation is now provided at http://go.cpanel.net/checkyourserver, which we encourage system administrators to use to determine the status of their machine.

We have restructured the process used to access customer servers to significantly reduce the risk of this type of sophisticated attack in the future. We have also been working on implementing multiple changes to our internal support systems and procedures as outlined for your information below.

  • Our system will now generate and provide you with a unique SSH key for each new support ticket submitted.
  • We are providing tools to authorize and de-authorize SSH keys, along with instructions on how to use them whenever you submit a ticket.
  • Our system will generate single-use username and password credentials for accessing WebHost Manager that are only valid while our staff is logged into your server.
  • Additional enhancements are also planned behind the scenes that should be transparent to our customers.
With these new layers of security in place, it is now possible for our Technical Analysts to service your support requests without you providing your server’s password for nearly all requests involving machines running our cPanel & WHM product going forward. However, we will still offer the ability to provide your password for server migrations, or in the event you cannot use SSH keys.
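The per-ticket key model described above maps onto ordinary OpenSSH authorized_keys entries: one key per ticket, tagged so it can be revoked, and optionally restricted so that even a leaked key is of limited use. The example below is added here and is not cPanel's tooling; the ticket id, support network and public key are constructed placeholders, and the added restrictions (restrict, from=, expiry-time=) go beyond what the post itself describes. They are standard authorized_keys options; expiry-time requires OpenSSH 7.7 or newer on the server.

```python
"""Per-ticket SSH key authorisation with scoping, expiry and revocation (added example).

Models the process described in the post: one key per support ticket,
authorised for a bounded window and removable on demand. Not cPanel's
tooling; ticket id, network and key material are constructed placeholders.
"""
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample key: the base64 blob is a placeholder, not a real key.
SAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD "
                 "analyst@example")
TAG_PREFIX = "ticket-"


def authorize_line(pubkey: str, ticket_id: str, source_cidr: str,
                   valid_hours: int, now: datetime) -> str:
    """Build an authorized_keys entry scoped to one ticket:
    restrict      -> no port/agent/X11 forwarding, no user rc
    pty           -> re-allow a terminal, since support work needs a shell
    from=         -> only accepted from the support network
    expiry-time=  -> stops working when the window closes (OpenSSH >= 7.7)
    trailing tag  -> lets deauthorize() find and drop the line later."""
    keytype, blob = pubkey.split()[:2]
    expiry = (now + timedelta(hours=valid_hours)).strftime("%Y%m%d%H%M")
    options = f'restrict,pty,from="{source_cidr}",expiry-time="{expiry}"'
    return f"{options} {keytype} {blob} {TAG_PREFIX}{ticket_id}"


def ticket_of(line: str) -> Optional[str]:
    """Return the ticket id a line is tagged with, or None for other lines."""
    fields = line.split()
    if fields and fields[-1].startswith(TAG_PREFIX):
        return fields[-1][len(TAG_PREFIX):]
    return None


def deauthorize(authorized_keys: str, ticket_id: str) -> str:
    """Drop every entry tagged with this ticket; leave all other lines alone."""
    kept = [ln for ln in authorized_keys.splitlines() if ticket_of(ln) != ticket_id]
    return "".join(ln + "\n" for ln in kept)


def demo() -> dict:
    """Authorise a key for a constructed ticket, then revoke it again."""
    now = datetime(2013, 2, 27, 12, 0)  # constructed timestamp
    existing = "ssh-rsa AAAAB3PLACEHOLDER admin@host\n"  # constructed unrelated entry
    line = authorize_line(SAMPLE_PUBKEY, "0000000", "198.51.100.0/24", 24, now)
    with_ticket = existing + line + "\n"
    after = deauthorize(with_ticket, "0000000")
    return {"line": line, "with_ticket": with_ticket, "after": after}
```

Tagging by a trailing comment keeps revocation a simple line filter; the expiry option is the safety net for the case where the de-authorisation step is forgotten.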

cPanel’s Internal Development Team has been working on an automated solution with the end goal of eliminating the need for our Technical Analysts to view any passwords you provide during the ticket submission process. We are testing this solution right now, and hope to have it fully implemented in the next few days.

cPanel, Inc. understands your concerns expressed over the last few days, and we very much appreciate the cooperation and patience you have provided us during this time as we work through all of this.

Thank you.

Posted in Security

Important: cPanel & WHM 11.36, 11.34, and 11.32 Security Releases

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having important security impact. Information on security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then you are highly encouraged to update your cPanel & WHM installs at your earliest convenience.

Releases

The following versions of cPanel & WHM address all known vulnerabilities:

  • 11.36.0.10
  • 11.34.1.11
  • 11.32.6.2

The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.

Security Issue Information

The resolved security issues were identified by the cPanel security team and independent security researchers. There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities at this time.

Once sufficient time has passed to allow cPanel & WHM systems to automatically update their installed software to the new versions, cPanel will release additional information regarding the nature of the security issues. These Targeted Security Releases address 3 vulnerabilities in cPanel & WHM 11.36 and 2 vulnerabilities in cPanel & WHM 11.34 and 11.32. Additional information is scheduled to be released February 27, 2013.

For information regarding our Versions and Release Process, please read the following document:
http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/CpanelProductVersions.

Posted in News, Security

cPanel Security Team GNU Privacy Guard (GnuPG)

The cPanel Security Team uses a GNU Privacy Guard (GnuPG) key to secure communications. Mail sent to security@cpanel.net can be secured using our public key. GnuPG keys are also used to sign security advisories, and other public communications, issued by the cPanel Security Team.

We expect to change the key from time to time. Should we change the key, the previous keys will be revoked.

ABD94DDF: cPanel, Inc Security Team <security@cpanel.net>
This key is used for communicating securely with the cPanel Security Team. It is also used for signing cPanel security advisories.

Download: http://go.cpanel.net/gnupgkeys

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
Posted in key, Security

EasyApache 3.18 in 11.36

cPanel, Inc. announces the release of EasyApache 3.18, our powerful and simple-to-use script that you can use to update and configure your Apache web server.

The most important feature of this new release is Apache 2.4, the latest version of the Apache web server. However, we have made a few important changes to Apache 2.4 to ensure as smooth an upgrade as possible for you, so it is important that you review the changes at: http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/Apache24Issues

The script wrappers for the Apache and PHP modules installed by EasyApache have been changed to handle the new Perl distribution.

Several important Apache modules have been upgraded and improved as part of this release, such as ModSecurity and ModHostinglimits.

And as part of our overall documentation improvement effort, we have moved EasyApache’s documentation to a new directory at http://docs.cpanel.net/twiki/bin/view/EasyApache/

For more details, please visit our EasyApache Release Notes at http://docs.cpanel.net/twiki/bin/view/EasyApache/

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated point-and-click web hosting platforms. cPanel licensed software allows owners of servers and websites, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces.

Posted in News

cPanel & WHM 11.36, CURRENT Tier Release

January 28, 2013
Houston, TX-

cPanel, Inc. announces the release of cPanel & WHM 11.36 to the CURRENT tier.

Included in this brand new release are further improvements to the update system, building on work started with cPanel & WHM 11.30. A new staging step during installation allows a variety of checks to occur prior to changing the cPanel & WHM installation. This makes both new installations and upgrades more reliable.

cPanel & WHM 11.36 also brings an entirely new system for managing applications, based upon the tried-and-true RPM packaging format. By distributing applications via RPM we are able to reduce cPanel & WHM installation time by 30%, on average. The new system also provides integrators and system deployers a simplified means of distributing applications with cPanel & WHM.

We are happy to announce that cPanel & WHM 11.36 brings a modern version of Perl with it. Perl 5.14 is available with all versions of 11.36 and newer. This change brings an end to the older Perl 5.8.8 distributed with prior versions of cPanel & WHM.

This release also lays the groundwork for Apache 2.4, which will appear shortly with the release of EasyApache 3.18.

Other features are also available in version 11.36:

  • The Email Auto Discovery feature, first introduced in cPanel & WHM 11.34, has been updated with improved compatibility with existing setups.
  • It is now possible to display the number of files used by an account in the cPanel Stats Bar.
  • The ability to track mail sent by web applications is improved through new functions to query the web server, and with X-PHP-Script functionality added to PHP.

cPanel thanks the members of our EDGE-Users community for their feedback and testing of the development releases. If you would like to join this community please GO HERE: http://cpanel.net/mailing-lists/.

For more details, please visit our Release Site: http://releases.cpanel.net
and our Documentation Notes: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/1136ReleaseNotes

Please note, after upgrading to the new release, a downgrade to an older version will not be permitted.

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated point-and-click web hosting platforms. cPanel licensed software allows owners of servers and websites, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces.

Posted in News, Release Announcements

End of Life for cPanel & WHM 11.30

This is the notification of the End of Life for cPanel & WHM 11.30.

The 18-month lifetime of cPanel & WHM 11.30 ends now. The last release of cPanel & WHM 11.30, 11.30.8.0, will remain on our mirrors indefinitely. You may continue using this last release; however, no updates for version 11.30 will be released going forward. Older releases of cPanel & WHM 11.30 will be removed from our mirrors.

cPanel strongly recommends that you migrate any existing installs of cPanel & WHM 11.30 to a newer version (either 11.32 or 11.34).

If you have a server setup that complicates migrating to a newer version of cPanel & WHM, for example an out-of-date operating system, cPanel is here to help. Please open a support ticket via https://tickets.cpanel.net/submit/. Our professional support staff will help with recommendations, migration assistance and more.

For more detailed information regarding End of Life:
http://docs.cpanel.net/twiki/bin/vief/AllDocumentation/InstallationGuide/OperatingSystemEOL

To join in a discussion regarding this topic, please head over to our Forum and this thread:
http://forums.cpanel.net/f133/cpanel-whm-11-30-end-life-notification-319582.html

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated point-and-click web hosting platforms. cPanel licensed software allows owners of servers and websites, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces.
###

Posted in News

cPanel Security Release 11.34.1.7

cPanel has published a new security release, 11.34.1.7, containing Rails and ProFTPd security fixes. We recommend that all affected customers on the CURRENT, RELEASE, and STABLE tiers update to 11.34.1.7 as soon as possible.

This release addresses two major vulnerabilities with Ruby on Rails (CVE-2012-5664 and CVE-2013-0156) which are resolved in Rails 2.3.15, and one with ProFTPd (CVE-2012-6095) which is resolved in ProFTPd 1.3.5rc1.

phpMyAdmin has also been upgraded from 3.5.3 to 3.5.5.

Please note that, for the Rails update, this release provides the new version but does not remove any previous versions. It is therefore of great importance for any customers using software that currently depends on Rails 2.3.14 to ensure that it uses 2.3.15 moving forward in order to avoid remaining vulnerable.

You may check which version(s) of the Rails and Action Pack gems you have installed using the gem list command.

Example:

# gem list | grep -e actionpack -e rails
actionpack (2.3.15)
rails (2.3.15)
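Because the update installs Rails 2.3.15 without removing older versions, a server can show both in the same gem list line, e.g. `rails (2.3.15, 2.3.14)`, and an application pinned to the old version stays exposed. The following added example (not cPanel's tooling; the sample output is constructed) parses `gem list` output and reports any installed version of the affected gems that is below the fixed release, so the check can be automated across a fleet instead of read by eye.

```python
"""Flag leftover vulnerable Rails gem versions in `gem list` output (added example).

Not cPanel's tooling. SAMPLE_OUTPUT is constructed to show the mixed
state the release note warns about: the fixed 2.3.15 installed alongside
the vulnerable 2.3.14.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed versions for the gems named in the release note.
MINIMUM = {
    "rails": (2, 3, 15),
    "actionpack": (2, 3, 15),
}

# Constructed sample of `gem list` output on a server carrying both versions.
SAMPLE_OUTPUT = """\
*** LOCAL GEMS ***

actionpack (2.3.15, 2.3.14)
activesupport (2.3.15, 2.3.14)
rails (2.3.15, 2.3.14)
rake (0.9.2.2)
"""

GEM_LINE = re.compile(r"^(\S+) \(([^)]*)\)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.15' -> (2, 3, 15). Only the leading dotted-numeric part is
    compared; a prerelease suffix such as 'rc1' is ignored, which is
    conservative for this check (an rc of the fixed version is not flagged)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def parse_gem_list(output: str) -> Dict[str, List[str]]:
    """'rails (2.3.15, 2.3.14)' -> {'rails': ['2.3.15', '2.3.14']}.
    Newer RubyGems may print 'default: 2.0.0' or a platform after the
    version; only the first token of each entry is kept."""
    gems: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = GEM_LINE.match(line.strip())
        if not m:
            continue
        versions = []
        for entry in m.group(2).split(","):
            entry = entry.strip().replace("default:", "").strip()
            if entry:
                versions.append(entry.split()[0])
        gems[m.group(1)] = versions
    return gems


def outdated(gems: Dict[str, List[str]], minimum: Dict[str, Tuple[int, ...]]) -> Dict[str, List[str]]:
    """Per watched gem, every installed version below the required minimum."""
    findings: Dict[str, List[str]] = {}
    for name, floor in minimum.items():
        old = [v for v in gems.get(name, []) if parse_version(v) < floor]
        if old:
            findings[name] = old
    return findings


if __name__ == "__main__":
    for gem, versions in outdated(parse_gem_list(SAMPLE_OUTPUT), MINIMUM).items():
        print(f"{gem}: still installed below fix -> {', '.join(versions)}")
```

On a real host the same functions can be fed the output of `gem list` directly; an empty result means no watched gem is installed below the fixed version, while any hit identifies the version an application might still be loading.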

Posted in News, Release Announcements, Security