Update for cPanel & WHM Versions 11.38, 11.36, 11.34, & 11.32

cPanel, Inc. has published a security update for cPanel & WHM versions 11.38, 11.36, 11.34, and 11.32. This update resolves an issue with unchecked reseller privileges. We recommend all customers update to the latest build of each version as soon as possible.

The cPanel Security Team has assigned a rating of Moderate to the vulnerability. Information on security ratings is available at http://docs.cpanel.net/twiki/bin/view/AllDocumentation/SecurityLevels.

Using a handcrafted URL, a malicious reseller could cause WHM to overwrite files in root's .ssh directory with a randomly generated private key. This could result in a denial of service if the overwritten key was in use.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then you are highly encouraged to update your cPanel & WHM installs at your earliest convenience.

Releases

The following versions of cPanel & WHM address all known vulnerabilities:

* 11.38.0.5
* 11.36.1.6
* 11.34.1.14
* 11.32.6.5

The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.

Acknowledgements

cPanel, Inc. would like to thank the source who reported the vulnerability.

A PGP signed version of this message is available.

Posted in Security

11.38 Now in CURRENT Tier

5/7/2013
Houston, TX

cPanel, Inc. announces the release of cPanel & WHM software version 11.38.

cPanel & WHM software release 11.38, which releases to the CURRENT tier today, offers significant improvements to SSL Management and Backups. It also provides enhancements to jail shell, email auto configuration, and more.

Improved SSL Management

The improved SSL management system offers a number of enhancements: support for UCC certificates, SNI (Server Name Indication), and enhanced support for Wildcard SSL certificates. This allows cPanel users to host multiple SSL websites on the same account. cPanel & WHM users will notice changes to the user interfaces that simplify installing and managing the various SSL certificates, keys, and signing requests associated with their domains.

System and Account Backups

cPanel introduces a new backup system with software release 11.38. Among the changes are the ability to store backups in multiple locations, reduction in the time needed to perform a full backup, and a complete set of functionality for automating backups.

Backup restoration is also enhanced. A new queuing system allows system administrators to perform other operations within cPanel & WHM while restorations occur.

Other notable changes include:

* Ability to configure the host used by email autodiscovery and auto configuration
* Improved email tracking ability by ensuring the From header matches the mail sender
* Use of a single template system for customizing the Apache configuration
* Changes to jail shell, mod_ruid2, and more

Detailed information on all 11.38 features can be found at http://docs.cpanel.net. For an overview of the latest features available in 11.38, visit http://releases.cpanel.net.

Posted in News, Release Announcements

11.34 EOL, 6 Month Notice

cPanel & WHM 11.34 reaches End Of Life October 15, 2013. That means there are only 6 months left in the life cycle.

In accordance with our End of Life Policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], cPanel & WHM software release 11.34 will continue functioning on servers after reaching end of life. No further updates, including security fixes, or installations will be provided for 11.34 after the end of life date.

All customers currently using cPanel & WHM software release 11.34 are advised to begin planning the upgrade to cPanel & WHM software release 11.36 (EOL Date: March 2014). If you desire assistance with your migration plans, please contact our technical support team at https://tickets.cpanel.net/submit/. Our professional staff will help with recommendations, migration assistance and more.

A PGP signed version of this message is also available.

Posted in News

11.36 Pushed to STABLE

April 8, 2013
Houston, TX

cPanel, Inc. announces the release of cPanel & WHM software version 11.36 to the STABLE tier.

Included in this brand new software release are further improvements to the update system, building on work started with cPanel & WHM 11.30. A new staging step during installation allows a variety of checks to occur prior to changing the cPanel & WHM installation. This makes both new installations and upgrades more reliable.

cPanel & WHM software version 11.36 also brings an entirely new system for managing applications, based upon the tried-and-true RPM packaging format. By distributing applications via RPM, we are able to reduce cPanel & WHM installation time by 30%, on average. The new system also provides integrators and system deployers a simplified means of distributing applications with cPanel & WHM software.

We are happy to announce that cPanel & WHM 11.36 brings a modern version of Perl with it. Perl 5.14 is available with all versions of 11.36 and newer. This change brings an end to the older Perl 5.8.8 distributed with prior versions of cPanel & WHM software.

Included in cPanel & WHM 11.36 is support for Apache 2.4, provided via EasyApache. Apache 2.4 brings many new features and performance benefits to your hosting platform.

Other features also available in version 11.36:

* The email auto discovery support for Thunderbird and Outlook has been updated and reintroduced with improved compatibility with existing setups.
* The ability to track mail sent by web applications is improved through new functions that integrate with Apache and PHP.

cPanel thanks the members of our EDGE-Users community for their feedback and testing of the development releases. If you would like to join this community, visit http://go.cpanel.net/cpmailinglist.

Please note, after upgrading to the new release, a downgrade to an older version will not be permitted.

About cPanel, Inc.

Since 1997, cPanel, Inc. has become the world's leading provider of dependable hosting and server automation solutions. cPanel builds software that transforms standalone servers into fully automated point-and-click web hosting platforms. cPanel & WHM licensed software allows owners of servers and websites, along with resellers and developers, to optimize their technical resources and replace tedious tasks with dynamic, intuitive web-based interfaces. www.cpanel.net

Posted in News, Press Releases, Release Announcements

cPanel & WHM Security Releases for 11.32, 11.34, and 11.36

cPanel has published security updates for all supported versions of cPanel & WHM. These updates contain fixes for a problem with the Roundcube webmail application. We recommend all customers update to the latest build of each version as soon as possible.

The cPanel Security Team has assigned a rating of Important to the vulnerability. Information on security ratings is available at http://go.cpanel.net/securitylevels. A locally authenticated user could take advantage of the flaw to gain access to sensitive information belonging to other accounts on the system. This problem was reported to us in case 64407.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then you are highly encouraged to update your cPanel & WHM installs at your earliest convenience.

Releases

The following versions of cPanel & WHM address all known vulnerabilities:

* 11.36.0.20
* 11.34.1.13
* 11.32.6.4

The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.

A PGP signed version of this message is available.

Posted in key, News, Security

cPanel to Attend GoDaddy TechFest

cPanel is heading to GoDaddy TechFest on May 9th. A valued partner of cPanel, GoDaddy is an industry leader that we’re thrilled to work with.

GoDaddy TechFest incorporates activities, guest speakers, and a chance to ask the over 750 GoDaddy employees numerous in-depth questions. This will be cPanel's second year to attend, and members of our technical staff will be headed to the event to take advantage of the hands-on opportunity TechFest provides.

Posted in Events

11.32 Impending EOL

cPanel & WHM 11.32 reaches End Of Life August 20, 2013. That means there are only 5 months left in the life cycle.

In accordance with our End of Life Policy, cPanel & WHM 11.32 will continue functioning on servers after reaching End Of Life. No further updates, including security fixes, or installations will be provided for 11.32 after the End Of Life date.

cPanel & WHM 11.32 is the last version to support the following:

* CentOS 4
* RHEL 4
* MySQL 4.0
* MySQL 4.1

All customers currently using cPanel & WHM 11.32 are advised to begin planning the upgrade to cPanel & WHM 11.36 (EOL Date: March 2014). If you desire assistance with your migration plans, please contact our technical support team at https://tickets.cpanel.net/submit/. Our professional staff will help with recommendations, migration assistance and more.

A GPG signed version of this message is available.

Posted in News

11.36 Pushed to RELEASE Tier

March 11, 2013
Houston, TX

cPanel, Inc. announces the release of cPanel & WHM 11.36 to the RELEASE tier.

Included in this brand new release are further improvements to the update system, building on work started with cPanel & WHM 11.30. A new staging step during installation allows a variety of checks to occur prior to changing the cPanel & WHM installation. This makes both new installations and upgrades more reliable.

cPanel & WHM 11.36 also brings an entirely new system for managing applications, based upon the tried-and-true RPM packaging format. By distributing applications via RPM we are able to reduce cPanel & WHM installation time by 30%, on average. The new system also provides integrators and system deployers a simplified means of distributing applications with cPanel & WHM.

We are happy to announce that cPanel & WHM 11.36 brings a modern version of Perl with it. Perl 5.14 is available with all versions of 11.36 and newer. This change brings an end to the older Perl 5.8.8 distributed with prior versions of cPanel & WHM.

Also in cPanel & WHM 11.36 is support for Apache 2.4, provided via EasyApache. Apache 2.4 brings many new features and performance benefits to your web hosting platform.

Other features are also available in version 11.36:

* The email auto discovery feature, first introduced in cPanel & WHM 11.34, has been updated with improved compatibility with existing setups.
* It is now possible to display the number of files used by an account in the cPanel Stats Bar.
* The ability to track mail sent by web applications is improved through new functions to query the web server, and with X-PHP-Script functionality added to PHP.

cPanel thanks the members of our EDGE-Users community for their feedback and testing of the development releases. If you would like to join this community, visit http://go.cpanel.net/cpmailinglist.

Please note, after upgrading to the new release, a downgrade to an older version will not be permitted.

About cPanel, Inc.

Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated point-and-click web hosting platforms. cPanel licensed software allows owners of servers and websites, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces.

Posted in News, Press Releases, Release Announcements

2013-02-26 cPanel & WHM Security Advisory for 11.32, 11.34, and 11.36

The following disclosure covers the Targeted Security Release
2013-02-26. Each vulnerability is assigned an internal case number which
is reflected below.

Information regarding cPanel’s Security Level rankings can be found
here:

http://go.cpanel.net/securitylevels

Case 63700

Summary

File disclosure and code execution using API 2 call

Security Rating

cPanel has assigned a Security Level of “Important” to this
vulnerability.

Description

cPanel & WHM provides an API 2 call that allows branding code to include files
that are on the system. This function can also be called remotely. The
function did not check that the requested files were within the appropriate
document root, so arbitrary files could be read. Additionally, it was
possible to combine this with a separate, third-party vulnerability to
execute arbitrary code.
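The missing check described above is a document-root containment test. The following is an added illustration (not cPanel's code; the function and file names are assumptions) of how such an include helper can canonicalize the requested path and reject anything that resolves outside the root, including symlinks planted inside it:

```python
import tempfile
from pathlib import Path
from typing import Optional


def resolve_within_docroot(docroot: str, requested: str) -> Optional[Path]:
    """Return the real path of `requested` if it lies inside `docroot`, else None.

    Both sides are fully resolved (symlinks and '..' collapsed) before the
    containment test, so a symlink inside the root that points outside it is
    rejected just like a '../' traversal.
    """
    root = Path(docroot).resolve()
    # Strip a leading '/' so an absolute request is still anchored at the root.
    candidate = (root / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def read_branding_file(docroot: str, requested: str) -> bytes:
    """Hypothetical include helper: read a file only if it is inside the docroot."""
    target = resolve_within_docroot(docroot, requested)
    if target is None:
        raise PermissionError(f"refusing to read outside document root: {requested!r}")
    return target.read_bytes()


def demo() -> dict:
    """Constructed layout: a docroot with one legitimate file and one escaping symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "secret.txt"          # lives outside the docroot
        outside.write_bytes(b"not for the web")
        docroot = Path(tmp) / "public_html"
        (docroot / "inc").mkdir(parents=True)
        (docroot / "inc" / "header.html").write_bytes(b"<h1>hi</h1>")
        (docroot / "inc" / "escape").symlink_to(outside)  # symlink pointing out of the root
        results = {}
        for req in ("inc/header.html", "../secret.txt", "inc/escape", "/inc/header.html"):
            try:
                results[req] = read_branding_file(str(docroot), req)
            except PermissionError:
                results[req] = None
        return results


if __name__ == "__main__":
    for req, data in demo().items():
        print(f"{req:20} -> {'denied' if data is None else data!r}")
```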

cPanel would like to thank J.D. Lightsey of cPanel for discovering and
reporting this issue.

Solution

This issue is resolved in the following builds:

11.36.0.10 and greater
11.34.1.11 and greater
11.32.6.2 and greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 63624

Summary

Cross-site scripting attack in countedit.cgi

Security Rating

cPanel has assigned a Security Level of “Trivial” to this vulnerability.

Description

cPanel & WHM provides a script to edit website counters. Due to
insufficient input validation, a cross-site scripting attack was
possible. This could result in the counter information not being
correctly updated.

cPanel would like to thank Douglas Secco dos Santos of Andrade Soto
Information Security for discovering and reporting this issue.

Solution

This issue is resolved in the following builds:

11.36.0.10 and greater
11.34.1.11 and greater
11.32.6.2 and greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 63678

Summary

Unsafe temporary file in update blocker leading to symlink attack

Security Rating

cPanel has assigned a Security Level of “Important” to this
vulnerability.

Description

cPanel & WHM version 11.36 verifies that all disks are writable when
performing an upgrade. However, when testing this by writing files to
the system temporary directory, files were created with predictable names,
which could be exploited with a symlink attack to overwrite any file on
the system with predictable data. This issue affected only 11.36
systems.
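The defect described above is the classic unsafe-temporary-file pattern: a fixed, predictable name opened in a way that follows whatever already sits at that path. The following is an added illustration (not cPanel's code; function and file names are assumptions) contrasting that pattern with an exclusive create and with a kernel-chosen unique name, which is how a disk-writability probe should be written:

```python
import os
import tempfile
from pathlib import Path


def unsafe_probe(path: str, data: bytes) -> None:
    """Unsafe: plain open(..., 'wb') truncates and follows whatever is at `path`."""
    with open(path, "wb") as fh:
        fh.write(data)


def exclusive_probe(path: str, data: bytes) -> None:
    """Safer: O_CREAT|O_EXCL fails if anything (a file or a symlink) already exists at `path`."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
        os.unlink(path)


def is_dir_writable(directory: str) -> bool:
    """Preferred: let mkstemp pick an unpredictable name (it uses O_CREAT|O_EXCL internally)."""
    try:
        fd, path = tempfile.mkstemp(prefix=".wrtest-", dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.unlink(path)
    return True


def demo() -> dict:
    """Constructed scenario: a symlink pre-placed at the predictable probe name."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = Path(tmp) / "victim.conf"
        victim.write_bytes(b"original")
        planted = Path(tmp) / "cpanel_write_test"   # hypothetical predictable name
        planted.symlink_to(victim)

        unsafe_probe(str(planted), b"clobbered")    # follows the link: victim is overwritten
        after_unsafe = victim.read_bytes()

        victim.write_bytes(b"original")
        try:
            exclusive_probe(str(planted), b"clobbered")
            refused = False
        except OSError:                              # EEXIST: refuses to touch the link
            refused = True
        return {"after_unsafe": after_unsafe, "after_exclusive": victim.read_bytes(),
                "exclusive_refused": refused, "dir_writable": is_dir_writable(tmp)}


if __name__ == "__main__":
    print(demo())
```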

cPanel would like to thank Jeff Petersen of cPanel for discovering and
reporting this issue.

Solution

This issue is resolved in the following builds:

11.36.0.10 and greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Posted in key, Security

cPanel, Inc. Announces Additional Internal Security Enhancements

This is a follow up on the status of the security compromise that cPanel, Inc. experienced on Thursday, February 21, 2013.

As mentioned in our email sent to cPanel Server Administrators who’ve opened a ticket with us in the past 6 months, on February 21 we discovered that one of the proxy servers we utilize in the technical support department had been compromised. The cPanel Security Team’s investigation into this matter is ongoing.

We’d like to relay additional details about the intrusion that we have gathered with you, and we want to explain what preventative measures we’re putting into place that will introduce additional layers of security to our new and existing systems. How the server was accessed and compromised is not clear, but we know a few key facts that we’re sharing.

Here's what we know:

* The proxy machine compromised in this incident was, at the time, utilized to access customer servers by some of our Technical Analysts. Its intent was to provide a layer of security between local & remote workstations, as well as customer servers.
* This proxy machine was compromised by a malicious third-party by compromising a single workstation used by one of our Technical Analysts.
* Only a small group of our Technical Analysts used this particular machine for logins, which means that fortunately only some customers who opened a ticket in the past 6 months would be affected by this compromise.
* There is no evidence that any sensitive customer data was exposed, and there is no evidence that the actual database was compromised.

Here’s what we’re doing about it:

Documentation is now provided at http://go.cpanel.net/checkyourserver, which we encourage system administrators to use to determine the status of their machine.

We have restructured the process used to access customer servers to significantly reduce the risk of this type of sophisticated attack in the future. We have also been working on implementing multiple changes to our internal support systems and procedures as outlined for your information below.

* Our system will now generate and provide you with a unique SSH key for each new support ticket submitted.
* We are providing tools to authorize and de-authorize SSH keys, along with instructions on how to use them whenever you submit a ticket.
* Our system will generate single-use username and password credentials for accessing WebHost Manager that are only valid while our staff is logged into your server.
* Additional enhancements are also planned behind the scenes that should be transparent to our customers.

With these new layers of security in place, it is now possible for our Technical Analysts to service your support requests without you providing your server’s password for nearly all requests involving machines running our cPanel & WHM product going forward. However, we will still offer the ability to provide your password for server migrations, or in the event you cannot use SSH keys.

cPanel’s Internal Development Team has been working on an automated solution with the end goal of eliminating the need for our Technical Analysts to view any passwords you provide during the ticket submission process. We are testing this solution right now, and hope to have it fully implemented in the next few days.

cPanel, Inc. understands your concerns expressed over the last few days, and we very much appreciate the cooperation and patience you have provided us during this time as we work through all of this.

Thank you.

Posted in Security