EasyApache 3.18 in 11.36

cPanel, Inc. announces the release of EasyApache 3.18, our powerful and simple-to-use script that you can use to update and configure your Apache web server.

The most important feature of this new release is Apache 2.4, the latest version of the Apache web server. However, we have made a few important changes to Apache 2.4 to ensure as smooth an upgrade as possible for you, so it is important that you review the changes at: http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/Apache24Issues

The script wrappers for the Apache and PHP modules installed by EasyApache have been changed to handle the new Perl distribution.

Several important Apache modules have been upgraded and improved as part of this release, such as ModSecurity and ModHostinglimits.

And as part of our overall documentation improvement effort, we have moved EasyApache’s documentation to a new directory at http://docs.cpanel.net/twiki/bin/view/EasyApache/

For more details, please visit our EasyApache Release Notes at http://docs.cpanel.net/twiki/bin/view/EasyApache/

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated point-and-click web hosting platforms. cPanel licensed software allows owners of servers and websites, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces.

Posted in News

cPanel & WHM 11.36, CURRENT Tier Release

January 28, 2013
Houston, TX-

cPanel, Inc. announces the release of cPanel & WHM 11.36 to the CURRENT tier.

Included in this brand new release are further improvements to the update system, building on work started with cPanel & WHM 11.30. A new staging step during installation allows a variety of checks to occur before the cPanel & WHM installation is changed. This makes both new installations and upgrades more reliable.

cPanel & WHM 11.36 also brings an entirely new system for managing applications, based upon the tried-and-true RPM packaging format. By distributing applications via RPM we are able to reduce cPanel & WHM installation time by 30%, on average. The new system also provides integrators and system deployers a simplified means of distributing applications with cPanel & WHM.

We are happy to announce that cPanel & WHM 11.36 brings a modern version of Perl with it. Perl 5.14 is available with all versions of 11.36 and newer. This change brings an end to the older Perl 5.8.8 distributed with prior versions of cPanel & WHM.

This release also lays the groundwork for Apache 2.4, which will appear shortly with the release of EasyApache 3.18.

Other features are also available in version 11.36:

The Email Auto Discovery feature, first introduced in cPanel & WHM 11.34, has been updated with improved compatibility with existing setups.
It is now possible to display the number of files used by an account in the cPanel Stats Bar.
The ability to track mail sent by web applications is improved through new functions to query the web server, and with X-PHP-Script functionality added to PHP.

cPanel thanks the members of our EDGE-Users community for their feedback and testing of the development releases. If you would like to join this community, please visit: http://cpanel.net/mailing-lists/.

For more details, please visit our Release Site: http://releases.cpanel.net
and our Documentation Notes: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/1136ReleaseNotes

Please note, after upgrading to the new release, a downgrade to an older version will not be permitted.


Posted in News, Release Announcements

End of Life for cPanel & WHM 11.30

This is the notification of the End of Life for cPanel & WHM 11.30

The 18-month lifetime of cPanel & WHM 11.30 ends now. The last release of cPanel & WHM 11.30, being 11.30.8.0, will remain on our mirrors indefinitely. You may continue using this last release, however no updates for version 11.30 will be released going forward. Older releases of cPanel & WHM 11.30 will be removed from our mirrors.

cPanel strongly recommends that you migrate any existing installs of cPanel & WHM 11.30 to a newer version (either 11.32 or 11.34).

If you have a server setup that complicates migrating to a newer version of cPanel & WHM, for example an out-of-date operating system, cPanel is here to help. Please open a support ticket via https://tickets.cpanel.net/submit/. Our professional support staff will help with recommendations, migration assistance and more.

For more detailed information regarding End of Life:
http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/OperatingSystemEOL

To join in a discussion regarding this topic, please head over to our Forum and this thread:
http://forums.cpanel.net/f133/cpanel-whm-11-30-end-life-notification-319582.html


Posted in News

cPanel Security Release 11.34.1.7

cPanel has published a new security release, 11.34.1.7, containing Rails and ProFTPd security fixes. We recommend that all affected customers on the CURRENT, RELEASE, and STABLE tiers update to 11.34.1.7 as soon as possible.

This release addresses two major vulnerabilities with Ruby on Rails (CVE-2012-5664 and CVE-2013-0156) which are resolved in Rails 2.3.15, and one with ProFTPd (CVE-2012-6095) which is resolved in ProFTPd 1.3.5rc1.

phpMyAdmin has also been upgraded from 3.5.3 to 3.5.5.

Please note that, for the Rails update, this release installs the new version alongside the old one; it does not remove any previous versions. Any application that still depends on Rails 2.3.14 therefore remains vulnerable until it is switched to 2.3.15, so customers running such software must make that change themselves.

You may check which version(s) of the Rails and Action Pack gems you have installed using the gem list command.

Example:

# gem list | grep -e actionpack -e rails
actionpack (2.3.15)
rails (2.3.15)
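Because the old gems stay installed, `gem list` alone does not tell you which applications still load them. The following Python script is an added example, not code from the original post or from cPanel: it parses `gem list` output, reports any affected gem versions older than 2.3.15, and scans each application's config/environment.rb for a RAILS_GEM_VERSION pin to an older release. All sample input (the gem list text, the user names and application paths) is constructed for the example. It assumes the Rails 2.3 boot behaviour in which an unpinned application activates the newest installed rails gem, and it does not cover applications that freeze Rails under vendor/rails, which bypass the gem system entirely and must be checked separately.

```python
import re

# Constructed `gem list` output for a host where 11.34.1.7 installed Rails
# 2.3.15 beside the old 2.3.14. Not real output from the original post.
SAMPLE_GEM_LIST = """\
actionpack (2.3.15, 2.3.14)
activerecord (2.3.15, 2.3.14)
activesupport (2.3.15, 2.3.14)
rack (1.1.3)
rails (2.3.15, 2.3.14)
rake (0.9.2.2)
"""

# Constructed config/environment.rb contents for three hypothetical Rails 2.3
# applications (users and paths are made up for the example).
SAMPLE_APPS = {
    "/home/alice/rails_apps/shop/config/environment.rb":
        "RAILS_GEM_VERSION = '2.3.14' unless defined? RAILS_GEM_VERSION\n",
    "/home/bob/rails_apps/blog/config/environment.rb":
        "RAILS_GEM_VERSION = '2.3.15' unless defined? RAILS_GEM_VERSION\n",
    "/home/carol/rails_apps/wiki/config/environment.rb":
        "# unpinned: Rails 2.3 boot.rb activates the newest installed rails gem\n",
}

FIXED_VERSION = "2.3.15"            # Rails release that resolves both CVEs
AFFECTED_GEMS = ("rails", "actionpack")

GEM_LINE_RE = re.compile(r"^(\S+) \(([^)]*)\)")
PIN_RE = re.compile(r"""RAILS_GEM_VERSION\s*=\s*['"]([\d.]+)['"]""")


def version_key(version):
    """Turn '2.3.14' into (2, 3, 14) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_gem_list(text):
    """Map gem name -> list of installed version strings from `gem list`."""
    gems = {}
    for line in text.splitlines():
        match = GEM_LINE_RE.match(line)
        if match:
            name, versions = match.groups()
            gems[name] = [v.strip() for v in versions.split(",")]
    return gems


def stale_versions(gems):
    """Return {gem: [installed versions older than FIXED_VERSION]}."""
    stale = {}
    for name in AFFECTED_GEMS:
        old = [v for v in gems.get(name, [])
               if version_key(v) < version_key(FIXED_VERSION)]
        if old:
            stale[name] = old
    return stale


def pinned_rails_version(environment_rb):
    """Version pinned by RAILS_GEM_VERSION in environment.rb, or None."""
    match = PIN_RE.search(environment_rb)
    return match.group(1) if match else None


def audit(gem_list_text, apps):
    """Return the config paths of applications that will still boot a Rails
    older than FIXED_VERSION. An unpinned application loads the newest
    installed gem, so it is flagged only when no fixed version exists."""
    gems = parse_gem_list(gem_list_text)
    fixed_installed = any(version_key(v) >= version_key(FIXED_VERSION)
                          for v in gems.get("rails", []))
    flagged = []
    for path, content in apps.items():
        pin = pinned_rails_version(content)
        if pin is None:
            if not fixed_installed:
                flagged.append(path)
        elif version_key(pin) < version_key(FIXED_VERSION):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print("old versions still installed:",
          stale_versions(parse_gem_list(SAMPLE_GEM_LIST)))
    for path in audit(SAMPLE_GEM_LIST, SAMPLE_APPS):
        print("still boots a vulnerable Rails:", path)
```

On a real server, feed the script the output of `gem list` and the environment.rb of every Rails application under the users' home directories; once no application is pinned to 2.3.14, the old gems can be removed with `gem uninstall`, which is the simplest way to make the check permanent.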

Posted in News, Release Announcements, Security

IPv6 Implementation Update

State of IPv6 in cPanel & WHM
IPv4 address depletion is somewhat analogous to Y2K. The solution is essentially the same, except that instead of going from 2 to 4 decimal digits in a year, we are going from 32 to 128 binary digits in IP addresses while still supporting the old system. cPanel & WHM will continue to support IPv4 for the foreseeable future by means of a “dual-stack implementation” which includes support for IPv6 addresses while still accommodating IPv4 addresses.

Much like Y2K, this issue requires a proactive solution rather than a reactive response. That is why cPanel has been working diligently on research and analysis to incorporate IPv6 support into our products. In 2013 we will begin to deliver features that support IPv6.

As some of you may already know, IPv6 is much more than just a change in the addressing scheme. However, given the urgency of supporting IPv6 addressing, we will first focus on allowing you to manage manually assigned IPv6 addresses at least as well as you can currently manage IPv4 addresses in cPanel & WHM. We also look forward to supporting IPv6 addresses on NSD, MyDNS and BIND (for DNS functionality), Apache (for website functionality), cPanel & WHM and its related services, and the various mail services we support. Additional services will be made IPv6-capable as deemed fit. The level of support cPanel will provide for IPv6 will provide functionality needed for serving web content.

BUT WAIT, THERE’S MORE!
Unlike Y2K, this is not simply a matter of fixing software. While your workstation likely supports IPv6 and cPanel-powered hosting providers will have software that supports IPv6, everything between your computer and the server running cPanel & WHM needs to support IPv6 as well. This means that your Internet provider, your cPanel & WHM server’s data center, and all the servers and routers in between must support IPv6. Otherwise, for you, IPv6 essentially does not exist.

To see if your Internet connection currently has an IPv6 address, visit: Test your IPv6 Connectivity.

Data centers around the world hope to explore and resolve IPv6 compatibility issues among their networks as part of World IPv6 Day. The Internet Society coordinates this event and you can learn more about it at: World IPv6 Day Information.

In the meantime, if you run a data center, you may find it beneficial to check your firewalls and other network infrastructure to ensure that they are as robust with IPv6 as they are with IPv4. There have been several industry reports of network hardware malfunctions with IPv6, such as firewalls improperly filtering IPv6 traffic. Please take the time to ensure that your network infrastructure can reliably support IPv6-capable versions of cPanel & WHM.

Lastly, you can join cPanel community members for IPv6-related discussions here: cPanel & WHM IPv6 Discussion.

Posted in News

ModSecurity Changes

cPanel recently released EasyApache 3.16. This version of EasyApache contains an updated version of ModSecurity that has an important change to Rule IDs which will affect you.

In addition to the Rule ID change, another change in ModSecurity that affects directive names will be incorporated into EasyApache 3.18.

Unique Rule IDs are mandatory

Unique Rule IDs are mandatory. When EasyApache runs, it tries to automatically assign unique Rule IDs to any existing rules that do not already have Rule IDs. However, you will need to manually check your ruleset to confirm that there are no Rule ID conflicts or syntactical errors.

Also, if you automatically download and import rulesets into your ModSecurity on a schedule, EasyApache will not check these rules for Rule ID conflicts or syntactical errors. If the third-party ruleset contains Rule ID conflicts or syntactical errors, ModSecurity will fail and Apache will not start.

The following is an example of a rule that does not contain a Rule ID:

 SecRule  REMOTE_ADDR  "^127\.0\.0\.1$"  "nolog,allow"
SecAction  "phase:2,pass,nolog"

You will see an error similar to the following:

 1. Critical Error: No Rule ID

  Syntax error on line XX of /some/config/file.conf:
  ModSecurity: No action id present within the rule

The following is the same rule that has been changed to include a unique Rule ID:

 SecRule  REMOTE_ADDR  "^127\.0\.0\.1$"  "nolog,allow,id:1234123455"
SecAction  "phase:2,pass,nolog,id:1234123456"

However, if the Rule ID duplicates another Rule ID, you will see:

 2. Critical Error: Duplicate Rule ID:

  Syntax error on line XX of /some/config/file.conf:
  ModSecurity: Found another rule with the same id

Configuration directive changes

Six configuration directives have been changed to use the word “Hash” instead of “Encryption” and they are not backwards-compatible.

EasyApache will try to convert all references within your existing ruleset from “Encryption” to “Hash.” However, if you automatically download and import rulesets into your ModSecurity on a schedule, EasyApache will not check these rules for the deprecated term “Encryption.” ModSecurity does not support the deprecated term “Encryption,” so such a rule will fail to parse, which will make Apache fail to start.

The following is an example of a rule that uses the deprecated term “Encryption”:

# Validates requested URI that matches a regular expression.
SecRule REQUEST_URI "@validateEncryption product_info|product_list" "phase:1,deny,id:123456"

You will see an error similar to the following:

Syntax error on line XX of /usr/local/apache/conf/modsec2.conf:
Invalid command '@validateEncryption', perhaps misspelled or defined by a module not included in the server configuration

The following is the same rule changed to use the new term “Hash”:

# Validates requested URI that matches a regular expression.
SecRule REQUEST_URI "@validateHash product_info|product_list" "phase:1,deny,id:123456"

——-

These two changes are important because if you have any rules which ModSecurity cannot process, ModSecurity will fail and Apache will not start. This is a change from ModSecurity’s previous behavior, which was to fail with a warning, but allow Apache to start successfully.
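Because a single bad rule now keeps Apache down, it pays to lint a ruleset before EasyApache or a scheduled rule download puts it into production. The Python script below is an added example, not code from the original post, from cPanel or from the ModSecurity project. It checks for the three conditions this post describes: SecRule/SecAction directives without an id, duplicate ids, and pre-2.7 names containing “Encryption” (directives matching Sec*Encryption* and the @validateEncryption operator). The sample ruleset is constructed for the example and embeds the two rules shown above. The parser is deliberately simple (shlex tokenising, a regex for the id action) and assumes the usual ModSecurity layout: only the first rule of a chain carries an id, and rules may be continued across lines with a trailing backslash.

```python
import re
import shlex

# Constructed sample ruleset (not from the original post or from cPanel). It
# mixes the post's two example rules with extra lines for each failure mode.
SAMPLE_RULESET = r'''
# Rule with no id: ModSecurity 2.7 refuses to start on this.
SecRule  REMOTE_ADDR  "^127\.0\.0\.1$"  "nolog,allow"
SecAction  "phase:2,pass,nolog,id:1234123456"
# Same id again: "Found another rule with the same id".
SecRule  ARGS  "@rx select.+from"  "phase:2,deny,id:1234123456"
# Operator renamed in 2.7: @validateEncryption -> @validateHash.
SecRule REQUEST_URI "@validateEncryption product_info|product_list" "phase:1,deny,id:123456"
# Directive renamed in 2.7: SecEncryptionEngine -> SecHashEngine.
SecEncryptionEngine On
# Chained rule split over two lines: only the first link carries an id.
SecRule REQUEST_METHOD "^POST$" \
    "phase:2,chain,id:900001,deny"
    SecRule REQUEST_HEADERS:Content-Length "@eq 0"
'''

ID_RE = re.compile(r"(?:^|,)\s*id:'?(\d+)'?")
CHAIN_RE = re.compile(r"(?:^|,)\s*chain\b")
DEPRECATED_DIRECTIVE_RE = re.compile(r"^Sec\w*Encryption\w*$")


def logical_lines(text):
    """Yield (line_number, directive_text), joining Apache-style backslash
    continuations and skipping blank and comment lines."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def lint_modsec(text):
    """Return (line, problem, detail) tuples for rules without an id,
    duplicate ids, and pre-2.7 'Encryption' directive/operator names."""
    findings = []
    seen_ids = {}       # id -> first line that used it
    in_chain = False    # True while the next SecRule continues a chain
    for lineno, directive in logical_lines(text):
        try:
            tokens = shlex.split(directive)
        except ValueError as exc:       # unbalanced quotes etc.
            findings.append((lineno, "syntax", str(exc)))
            continue
        name = tokens[0]
        if DEPRECATED_DIRECTIVE_RE.match(name):
            findings.append((lineno, "deprecated-directive",
                             f"{name} -> {name.replace('Encryption', 'Hash')}"))
            continue
        if name not in ("SecRule", "SecAction"):
            continue
        if name == "SecRule":
            operator = tokens[2] if len(tokens) > 2 else ""
            if operator.startswith("@validateEncryption"):
                findings.append((lineno, "deprecated-operator",
                                 "@validateEncryption -> @validateHash"))
            actions = tokens[3] if len(tokens) > 3 else ""
        else:
            actions = tokens[1] if len(tokens) > 1 else ""
        match = ID_RE.search(actions)
        if match:
            rule_id = match.group(1)
            if rule_id in seen_ids:
                findings.append((lineno, "duplicate-id",
                                 f"id:{rule_id} already used on line {seen_ids[rule_id]}"))
            else:
                seen_ids[rule_id] = lineno
        elif not in_chain:
            findings.append((lineno, "missing-id", directive))
        # Only the first rule of a chain needs an id; remember whether the
        # next SecRule is a continuation of this one.
        in_chain = name == "SecRule" and bool(CHAIN_RE.search(actions))
    return findings


if __name__ == "__main__":
    for line, problem, detail in lint_modsec(SAMPLE_RULESET):
        print(f"line {line}: {problem}: {detail}")
```

Run it over every file your modsec2.conf includes (the duplicate-id check only works across the whole set, so concatenate them in include order), and treat any finding as a reason to hold the ruleset back. The linter is a pre-flight check, not a substitute for Apache's own parser: `apachectl configtest` on a staging copy remains the authoritative test.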

For more information, read the ModSecurity Page.

Posted in News, Security

Prepare Your Perl Scripts for 11.36

In 11.36, cPanel will ship with its own distribution of Perl 5.14.3. This version of Perl will be located inside the /usr/local/cpanel tree to avoid conflicts with the RPMs provided by the distro. While the installer will still require a basic Perl, cPanel will no longer need /usr/bin/perl in order to function. System administrators will have the option to have the cPanel installer remove /usr/bin/perl altogether. The cPanel code and /usr/bin/perl will have minimal interaction.

Warning: If your scripts rely on Perl modules that cPanel ships but the distro’s core Perl does not provide, you may need to change the shebang at the top of your scripts. This pertains especially to new installs. You will need to change your shebang if:

  • Your scripts need to work on all versions of cPanel (including 11.36).
  • Your maintenance scripts tie into the cPanel code.
  • You want to use Perl 5.14.

Based on specific needs, we recommend the following two options to change #!/usr/bin/perl at the beginning of your script:

Option 1: If the script needs to function in all versions of cPanel (including versions where Perl 5.14 wasn’t provided), we recommend the following:


#!/bin/sh
eval 'if [ -x /usr/local/cpanel/3rdparty/bin/perl ]; then exec /usr/local/cpanel/3rdparty/bin/perl -x -- $0 ${1+"$@"}; else exec /usr/bin/perl -x $0 ${1+"$@"}; fi;'
if 0;

#!/usr/bin/perl

Option 2: If the script needs to function only in 11.36 and later versions, you can simply change all of your scripts to point to the new version of Perl:


#!/usr/local/cpanel/3rdparty/bin/perl

Note: While /usr/local/cpanel/3rdparty/bin/perl is a symlink, we do not recommend that you use the binary that the symlink points to. This binary could be removed when a new version of Perl is issued.

Want to make sure you receive email updates with important information so you are always in the know? Join our mailing list here: http://cpanel.net/mailing-lists/

Posted in News

cPanel and Attracta Relationship Redefined

For Immediate Release
December 10, 2012

Houston, TX-
cPanel officially announces that its partnership with Attracta has been redefined. The relationship between the two companies has now shifted from Attracta being bundled with cPanel to Attracta being included as part of cPanel’s third party application catalog.

Integrating Attracta as part of the cPanel distribution identified the difference between development cycles and processes between the two companies. Due to these differences in development, and both companies wanting to focus primarily on delivering new features and value to customers, Attracta will be distributing the Attracta SEO and Marketing Tools for cPanel & WHM as a standalone plugin rather than bundled with cPanel.

cPanel’s extensive plugin API allows Attracta to maintain all functionality going forward, while the separate distributions allow both companies to focus on adding more features and value without the overhead of a shared development process.

Asked for comment, Aaron Phillips, Vice President of Operations at cPanel stated: “We view this relationship as a positive learning experience for both cPanel and Attracta and we plan to maintain ongoing discussions that will continue our focus on the evolution of our API, and improvements for 3rd party integrators to make good use of”.

Many hosting companies include Attracta in their service offerings right now. For those that do not, but wish to have it, they can still get the plugin directly from Attracta’s website and seamlessly integrate it into cPanel.

“We’re ensuring a smooth transition for customers back to a standalone plugin and we’ve learned a lot about cPanel’s products during the course of the integrated relationship,” said Dave Koston, CTO at Attracta. “Both companies have gained knowledge from the integration that will allow us to deliver higher quality products going forward so we believe this will be a win for all our customers.”


About Attracta Online Services, Inc.

Attracta is a California-based company that provides search engine visibility service in more than 90 countries worldwide. With the world’s most popular Search Engine Optimization (SEO) tools, Attracta helps over 2.5 million websites promote over 3 billion webpages in the world’s major search engines. Each day, Google alone updates over 75 million webpages through Attracta’s XML Sitemap service. Many of the world’s largest web hosting and SEO service providers incorporate Attracta’s technology into their service offerings. The Attracta management team also founded several highly successful Internet companies including TABNet, MeetChina.com, Miva Merchant and ScanAlert. For more information, call +1.707.320.2050 or visit attracta.com.


Posted in News, Press Releases

IMPORTANT: 11.30, 11.32, & 11.34 cPanel & WHM Updates Available

Important: New Information about cPanel & WHM 11.30, 11.32, and 11.34 Updates Now Available

Summary:

cPanel & WHM 11.30.7.4, 11.32.5.15, and 11.34.0.11, which fix multiple security issues, are now available for download.

cPanel has rated these updates as having important security impact. Information on security ratings is available at http://go.cpanel.net/securitylevels.

Description:

The Perl Storable module provides support for serialization and deserialization of Perl data structures. In cPanel & WHM this functionality is used for caching data to disk and transferring data between processes. In many areas this caching and interprocess communication crosses privilege separation boundaries. A local malicious user could use this behavior to inject code into serialized data structures, thus allowing for code execution and possibility of privilege escalation.

The Perl YAML::Syck module provides similar functionality as the Storable module. The version of YAML::Syck used in previous releases of cPanel & WHM allowed serialized data to be blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.

The version of Locale::Maketext used in previous releases of cPanel & WHM suffered from two flaws in the _compile() function which allowed authenticated users to execute arbitrary code by supplying specially crafted translatable phrases.

cPanel & WHM relies on the Crypt::Passwd::XS Perl module to perform password hashing. This module suffers from the same vulnerability disclosed in CVE-2012-2143, where passwords containing the 0x80 character are truncated at that character when hashed using the DES crypt algorithm. cPanel & WHM systems are configured by default to use the stronger MD5 and SHA512 crypt password hashing algorithms, which are not affected.

The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized user input to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system bypassing normal restrictions on local code execution.

These issues were discovered by various members of the Development and Quality Assurance teams at cPanel.

Solution:

We recommend updating your cPanel & WHM system as follows;

Update cPanel & WHM 11.30 to 11.30.7.3 or newer.
Update cPanel & WHM 11.32 to 11.32.5.14 or newer.
Update cPanel & WHM 11.34 to 11.34.0.10 or newer.

To check which version of cPanel you have, go to http://docs.cpanel.net/twiki/bin/view/AllDocumentation/MyVersion

A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

References:

Case 59926: Multiple privilege escalation vulnerabilities due to the use of Storable for serialization
http://cpanel.net/case-59926/
Case 60203: Password hashes truncated by 0x80 characters
http://cpanel.net/case-60203/
Case 60970: Privilege escalation vulnerabilities due to the use of YAML::Syck for serialization
http://cpanel.net/case-60970/
Case 61251: Arbitrary code execution via translatable phrases due to the use of Locale::Maketext
http://cpanel.net/case-61251/
Case 62230: Shell code injection via translatable phrases in Cpanel::Locale
http://cpanel.net/case-62230/

Posted in News, Security

Case 62230

Summary

Shell code injection via translatable phrases in Cpanel::Locale

Security Rating

cPanel has assigned a Security Level of “Important” to this vulnerability.

Description

The Cpanel::Locale module wraps around Perl’s Locale::Maketext module and extends it to provide additional Maketext tags and functionality. Locale::Maketext is used to render translatable phrases into a user’s chosen locale. cPanel & WHM uses this module to display all translatable phrases in the cPanel, WHM and Webmail interfaces.

The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized user input to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system, bypassing normal restrictions on local code execution.

This vulnerability was discovered by the cPanel Quality Assurance Team.

Solution

This issue is resolved in the following builds:

* 11.34.0.10 and greater
* 11.32.5.14 and greater
* 11.30.7.3 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Posted in News, Security