EasyApache 3.20 Now Available, Including Tomcat 7

July 9, 2013
Houston, TX-

cPanel, Inc announces the release of EasyApache 3.20

The 3.20 release of EasyApache brings a number of improvements to the cPanel & WHM hosting platform. Notable among these is Tomcat 7, the modern means of providing Java web applications.

Tomcat 7 provides a Tomcat Administrator with a myriad of benefits for deploying web applications and managing Java development projects including:

Automatic Servlet Configuration After a cPanel&WHM Version Upgrade and Server Transfer
Automatic Tomcat Log Rotation
JSP, WAR File, and Servlet Test Pages for Testing and Troubleshooting
Tomcat Restarts Automatically with Apache if Enabled
EasyApache 3.20 Utilizes Tomcat 7.0.41

Tomcat 7 is the first part of the EasyApache application to be released as pre-built RPMs. Users will experience quicker installations and updates of Tomcat due to this change. Upgrades from the older Tomcat 5.5 should be seamless.

The team behind EasyApache is excited about the many changes in version 3.20. The team is also proud to announce, “We are pleased that no Tomcatz were harmed in the production of EasyApache 3.20.”

Tomcat 7 has a minimum requirement of cPanel & WHM version 11.38.0.8, as well as Apache 2.2 or later.

More information about the changes in EasyApache 3.20, and Tomcat 7, is available in our EasyApache documentation.

To share your Tomcat 7 experience with others, please feel free to join in the discussion at http://features.cpanel.net/responses/tomcat-7-support-in-easyapache

Posted in News, Press Releases, Software Updates

cPanel Security Disclosure: TSR-2013-0007

Important: cPanel Security Disclosure TSR-2013-0007

The following disclosure covers the Targeted Security Release 2013-06-26.
Each vulnerability is assigned an internal case number which is reflected below.

Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

Case 71193

Summary

Local cPanel users are able to take over ownership of any file or directory on the system.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. During the preparatory steps for archiving, Cpanel::Logs::prep_logs_path performs a variety of checks to ensure a proper operating environment exists. A number of these checks are performed by a root-privileged process, by path name, on files and directories inside the user’s home directory. A malicious user could take advantage of this behavior to take ownership of important files on the same file system as their home directory.

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 71109

Summary

Local cPanel users are able to take over ownership of any file or directory on the system.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. When cpanellogd creates these archives, some operations are performed by a root-privileged process in the user’s home directory. Through the use of a carefully crafted hard link, a malicious user could take advantage of this behavior to take ownership of any file on the same file system as their home directory.

This issue was discovered by the cPanel Security Team.
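Cases 71193 and 71109 share one root cause: a root-privileged part of cpanellogd acted on paths under a user's home directory by name, and the user controls what those names point at. A hard link (or a symlink) placed where root is about to chown or chmod makes root change the ownership of a file the user could not otherwise touch. The following is an added example, not cPanel's code, of the pattern a privileged process should follow when it must touch user-owned paths: open every path component with O_NOFOLLOW relative to the previous directory's file descriptor, verify ownership and link count with fstat on what was actually opened, and then act on that descriptor rather than on the path string. The home-directory layout, file names and log line are constructed for the demonstration, and it runs as an ordinary user.

```python
import errno
import os
import stat
import tempfile


class UnsafePath(Exception):
    """The user-controlled path must not be touched by a privileged process."""


def _check_fd(fd, expected_uid, want_dir):
    # Check the object we actually opened (fstat on the fd), never the path name:
    # a path can be re-pointed between a stat() and the chown() that follows it.
    st = os.fstat(fd)
    if want_dir and not stat.S_ISDIR(st.st_mode):
        raise UnsafePath("not a directory")
    if not want_dir and not stat.S_ISREG(st.st_mode):
        raise UnsafePath("not a regular file")
    if st.st_uid != expected_uid:
        raise UnsafePath("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if not want_dir and st.st_nlink != 1:
        # A hard link to someone else's file looks like a file in $HOME; the link
        # count gives it away even when the owner check would not.
        raise UnsafePath("link count %d, refusing hard link" % st.st_nlink)


def open_in_home(home, relpath, expected_uid):
    """Open home/relpath for privileged use. Each component is opened with O_NOFOLLOW
    relative to the previous directory fd, so no symlink is ever followed, and each
    object is verified to belong to expected_uid. Returns an fd; act on the fd
    (os.fchown, os.fchmod, os.fstat), never on the path."""
    parts = [p for p in relpath.split("/") if p]
    if os.path.isabs(relpath) or not parts or ".." in parts:
        raise UnsafePath("relative path without '..' required")
    flags_dir = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dirfd = os.open(home, flags_dir)
    try:
        _check_fd(dirfd, expected_uid, want_dir=True)
        for part in parts[:-1]:
            try:
                nextfd = os.open(part, flags_dir, dir_fd=dirfd)
            except OSError as e:
                if e.errno in (errno.ELOOP, errno.ENOTDIR):
                    raise UnsafePath("symlink or non-directory component: %s" % part)
                raise
            os.close(dirfd)
            dirfd = nextfd
            _check_fd(dirfd, expected_uid, want_dir=True)
        try:
            fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dirfd)
        except OSError as e:
            if e.errno == errno.ELOOP:
                raise UnsafePath("final component is a symlink")
            raise
        try:
            _check_fd(fd, expected_uid, want_dir=False)
        except UnsafePath:
            os.close(fd)
            raise
        return fd
    finally:
        os.close(dirfd)


def run_demo():
    """Exercise the checks in a throwaway home directory (constructed data, unprivileged).
    Returns {relative path: "ok" | "refused"}."""
    uid = os.getuid()
    outcome = {}
    with tempfile.TemporaryDirectory() as home:
        logs = os.path.join(home, "logs")
        os.mkdir(logs)
        for name in ("legit.log", "access.log"):
            with open(os.path.join(logs, name), "w") as f:
                f.write('127.0.0.1 - - [26/Jun/2013:00:00:00 +0000] "GET / HTTP/1.1" 200 -\n')
        # What a malicious account plants where root is about to chown/chmod:
        os.link(os.path.join(logs, "access.log"), os.path.join(logs, "linked.log"))
        os.symlink("/etc/passwd", os.path.join(logs, "sym.log"))
        os.symlink(logs, os.path.join(home, "dirlink"))
        for rel in ("logs/legit.log", "logs/access.log", "logs/linked.log",
                    "logs/sym.log", "dirlink/legit.log", "../etc/passwd"):
            try:
                os.close(open_in_home(home, rel, uid))
                outcome[rel] = "ok"
            except UnsafePath:
                outcome[rel] = "refused"
    return outcome


if __name__ == "__main__":
    for rel, res in run_demo().items():
        print("%-20s %s" % (rel, res))
```

The safer design is to do the work with the account's own privileges (fork and switch to the user's uid before entering the home directory), so a planted link can only affect what the user already owns; the fd-based checks above are defence in depth for the steps that genuinely need root. On Linux 3.6 and later the fs.protected_hardlinks and fs.protected_symlinks sysctls blunt this class of attack in the kernel, but they are not a substitute for fixing the privileged code.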

Solution

This issue is resolved in the following builds:

* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.


Posted in News, Security

cPanel Conference ’13 Announced

cPanel, Inc., recently announced that cPanel Conference ’13 will be held in New Orleans, LA, September 30th – October 2nd, 2013.

Visit conference.cpanel.net to sign up for updates or to view the Conference Prospectus, which includes exhibitor and sponsorship opportunities.

You can also email any questions to conference@cpanel.net

Posted in Events

ResellerClub Hosting Summit Event

This October we’re sending representatives from cPanel to the ResellerClub Hosting Summit event in New Delhi, India. Those lucky few will get a chance to network with top technical companies from all over the world.

Posted in Events

11.39 Anticipated Push to the EDGE Tier

6/24/2013
Houston, TX-

cPanel & WHM 11.39 is expected to be pushed to the EDGE tier this week (the week of June 24th, 2013). This new build includes the following changes and updates to cPanel & WHM software:

-Added support for using cPanel & WHM in a 1:1 NAT environment
-Dovecot is upgraded to version 2.2 and it is now possible to enable auto-purging of deleted emails when using Dovecot
-Updated Logaholic to version 4.0.5
-Provides Razor2::Client::Agent with SpamAssassin
-Removed the ancient Java Telnet Application
-Added the ability to load custom CSS in WHM to allow simple customizations
-Added the homedir and homeroot data to the pre and post Whostmgr::Accounts::Create hooks
* MySQL 5.1 or higher is required.

If you enjoy testing bleeding edge software, being involved in an energetic highly skilled community, and providing feedback, we invite you to join our beta testing group. Simply sign up for our edge users mailing list, configure a non-production cPanel & WHM server for the edge tier, and hold on to your electrons.

Posted in News, Software Updates

11.38 Impending Push to STABLE

6/18/2013
Houston, TX-

cPanel, Inc. announces the impending release of cPanel & WHM software version 11.38.

cPanel & WHM software release 11.38 is anticipated to move to the STABLE tier the week of June 24, 2013. This release offers significant improvements to SSL Management and Backups. It also provides enhancements to jail shell, email auto configuration, and more.

Included in 11.38:

Improved SSL Management

The improved SSL management system offers a number of enhancements: support for UCC certificates, SNI (Server Name Indication), and enhanced support for Wildcard SSL certificates. This allows cPanel users to host multiple SSL websites on the same account. cPanel & WHM software users will notice changes to the user interfaces that simplify installing and managing the various SSL certificates, keys, and signing requests associated with their domains.

System and Account Backups

cPanel introduces a new backup system with software release 11.38. Among the changes are the ability to store backups in multiple locations, reduction in the time needed to perform a full backup, and a complete set of functionality for automating backups.

Backup restoration is also enhanced. A new queuing system allows system administrators to perform other operations within cPanel & WHM software while restorations occur.

Other notable changes include:

* Ability to configure the host used by email autodiscovery, and auto configuration
* Improved email tracking ability by ensuring the From header matches the mail sender
* Use of a single template system for customizing the Apache configuration
* Changes to jail shell, mod_ruid2, and more

Detailed information on all 11.38 features can be found at http://docs.cpanel.net/twiki/bin/view/AllDocumentation/1138ReleaseNotes. For an overview of the latest features available in 11.38, visit http://releases.cpanel.net/category/releases/11-38/.

Posted in News

TSR Update

The following disclosure covers the Targeted Security Release 2013-06-05. Each vulnerability is assigned an internal case number which is reflected below.

Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

Case 68189

Summary

An arbitrary file read and unlink vulnerability in cPanel, WHM, and Webmail.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

When logged into the cPanel, WHM, or Webmail interfaces an attacker could supply crafted query parameters that appear to be file uploads with unusual paths. In some subsystems, these invalid file upload parameters allowed viewing or deleting the file at the target path.

This vulnerability was discovered by the cPanel Security Team.
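The weakness in case 68189 is the familiar one of a server trusting the path carried in a file-upload parameter. Below is an added example, not cPanel's code, of the handling that prevents it: the client-supplied name is reduced to a single allowlisted basename, the destination is always a direct child of a fixed upload directory, and the function that chooses the destination is the only one that may later name a file to unlink. The upload root, the file names and the client inputs in run_demo are constructed for the example.

```python
import os
import re

# Allowlist for the basename we keep: a letter or digit, then a bounded run of letters,
# digits, dot, underscore, hyphen. Dot-files and names containing spaces, separators,
# NUL or other control bytes are refused rather than "cleaned".
_SAFE_BASENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class BadUploadName(ValueError):
    pass


def safe_upload_basename(client_name):
    """Collapse a client-supplied upload filename to one safe basename.
    Browsers and proxies have sent full paths with either separator, so the last
    component under both '/' and '\\' is taken, then matched against the allowlist."""
    base = re.split(r"[\\/]", client_name)[-1]
    if base in ("", ".", "..") or not _SAFE_BASENAME.fullmatch(base):
        raise BadUploadName("refusing upload name %r" % client_name)
    return base


def upload_destination(upload_root, client_name):
    """Destination for the upload, guaranteed to be a direct child of upload_root.
    A cancelled upload is unlinked only at a path this function returned; a path taken
    from the request is never a candidate for deletion."""
    target = os.path.join(upload_root, safe_upload_basename(client_name))
    # Defence in depth: after normalisation the parent must still be the root itself.
    if os.path.dirname(os.path.normpath(target)) != os.path.normpath(upload_root):
        raise BadUploadName("escaped upload root with %r" % client_name)
    return target


def run_demo(upload_root="/var/tmp/uploads"):  # hypothetical root for the example
    """For a set of constructed client-supplied names, the resolved destination or 'refused'."""
    names = [
        "report.pdf",
        "../../etc/passwd",
        "..\\..\\windows\\win.ini",
        "/etc/shadow",
        ".htaccess",
        "a b.txt",
        "logo.png\x00.php",
        "..",
    ]
    out = {}
    for name in names:
        try:
            out[name] = upload_destination(upload_root, name)
        except BadUploadName:
            out[name] = "refused"
    return out


if __name__ == "__main__":
    for name, dest in run_demo().items():
        print("%-28r -> %s" % (name, dest))
```

Traversal components are not stripped and then trusted; they are simply discarded with everything before the last separator, so "../../etc/passwd" becomes an ordinary file called passwd inside the upload root, and a name that is only dots or carries a NUL byte is refused outright.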

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68213

Summary

Self-XSS vulnerabilities in cPanel and WHM interfaces.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

Output filtering errors in the WHM Remote Nameserver interface and the cPanel FTP Management interface allowed user-supplied JavaScript to be returned to the browser without proper output encoding.

cPanel includes a protection mechanism called Security Tokens that defends against XSRF and against reflected XSS payloads delivered through crafted links. Security Tokens protection is enabled by default in all installs of cPanel & WHM. When Security Tokens protection is enabled, an attacker intending to exploit this vulnerability must convince the victim to navigate their browser to the affected cPanel or WHM interface and manually input the JavaScript payload themselves, which is why the issue is rated Minor.

This vulnerability was discovered by Wong Chieh Yie (@wcypierrenet).

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68433

Summary

An XSS vulnerability in EntropyChat.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

EntropyChat is a web-based chat server available on cPanel & WHM systems. Output filtering errors in the EntropyChat server allowed one participant in a chat channel to send JavaScript payloads to other active participants in the chat channel.

This vulnerability was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68645

Summary

An SQL injection vulnerability in cpmysqladmin.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

Insufficient escaping of the user input parameter to multiple cpmysqladmin commands allowed a local attacker to execute arbitrary SQL commands with the MySQL access level of the root user.

This vulnerability was discovered by the cPanel Security Team.
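Case 68645 is the consequence of escaping, rather than parameterising, input that ends up in SQL executed as MySQL's root user. The added example below, not cPanel's code and using SQLite in place of MySQL, shows the same lookup written with string interpolation and with a bound parameter, and what a UNION payload does to each. It also covers the part of the cpmysqladmin problem space that placeholders cannot fix: database and user names are identifiers, so they are allowlisted and backtick-quoted rather than escaped. The table contents and the identifier allowlist are assumptions made for the demonstration.

```python
import re
import sqlite3

# Accepted shape for MySQL user and database names in this example: a deliberately
# conservative subset of what MySQL itself allows.
_IDENTIFIER = re.compile(r"[A-Za-z0-9_]{1,64}")


def quote_identifier(name):
    """Identifiers (database, table, user names) cannot be bound parameters, so they are
    allowlisted and quoted. A name that fails the allowlist is refused outright; there is
    no attempt to 'escape' it into something acceptable."""
    if not _IDENTIFIER.fullmatch(name):
        raise ValueError("refusing identifier %r" % name)
    return "`%s`" % name


def make_db():
    # Constructed stand-in for a mysql.user table, in an in-memory SQLite database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (User TEXT, Host TEXT, Password TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?, ?)", [
        ("root", "localhost", "*ROOTHASH"),
        ("alice_wp", "localhost", "*ALICEHASH"),
        ("bob_shop", "localhost", "*BOBHASH"),
    ])
    return db


def user_hosts_vulnerable(db, user):
    # The value is spliced into the SQL text: an apostrophe in it closes the string
    # literal and whatever follows is executed as SQL with the caller's privileges.
    sql = "SELECT User, Host FROM user WHERE User = '%s'" % user
    return db.execute(sql).fetchall()


def user_hosts_fixed(db, user):
    # Bound parameter: the driver passes the value separately, never as SQL text.
    return db.execute("SELECT User, Host FROM user WHERE User = ?", (user,)).fetchall()


def drop_table_fixed(db, table):
    # Where the untrusted input is an identifier, quote_identifier() is the only way in.
    db.execute("DROP TABLE IF EXISTS %s" % quote_identifier(table))


def run_demo():
    """Run one injection payload through both versions and report what each exposed."""
    db = make_db()
    payload = "nobody' UNION SELECT User, Password FROM user WHERE '1'='1"
    leaked = {host for _, host in user_hosts_vulnerable(db, payload)}
    safe_rows = user_hosts_fixed(db, payload)
    try:
        quote_identifier("x`; DROP TABLE user; --")
        bad_identifier = "accepted"
    except ValueError:
        bad_identifier = "refused"
    drop_table_fixed(db, "user")
    tables = db.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    return {
        "vulnerable_leaked": leaked,       # password hashes read through the Host column
        "fixed_rows": len(safe_rows),      # the payload is just a user name that does not exist
        "bad_identifier": bad_identifier,
        "tables_after_drop": len(tables),
    }


if __name__ == "__main__":
    print(run_demo())
```

The payload never contains a statement separator, so driver-level protections against stacked queries do not help; only keeping the value out of the SQL text does. For the identifier case, the allowlist is the control, and the quoting is there so that a validated name containing, say, a reserved word still parses.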

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68733

Summary

A WHM arbitrary file read via brandingimg.cgi.

Security Rating

cPanel has assigned a Security Level of Minor to this vulnerability.

Description

An authenticated WHM reseller with limited ACLs could read the contents of arbitrary files on the system by supplying crafted query parameters to brandingimg.cgi. The file read is performed with the effective UID and GID of the reseller, so it exposes nothing the reseller could not already read with a shell; the vulnerability revealed sensitive data only when the reseller had extremely limited access to the local filesystem outside of the WHM interface.

This vulnerability was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 68965

Summary

Reseller ACL checks were missing from multiple WHM interfaces.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

When creating a reseller account in WHM, the system administrator may limit the WHM functionality that is available to the reseller using the WHM ACL system. Multiple interfaces in WHM were found to lack explicit enforcement of the appropriate reseller ACLs for the functionality they provided. This allowed resellers without appropriate ACLs to enter translated phrases, access disk usage information, view email delivery data, and check for the existence of MySQL users.

The missing ACL checks in the translation system were discovered by Rack911.
The remaining missing ACL checks were discovered by the cPanel Security Team.
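Case 68965 is a pattern rather than a single bug: each WHM interface was expected to enforce its own reseller ACL, and several did not. The added example below, not cPanel's code, shows the structural fix: an interface can only be registered together with the ACL it requires, the check runs in the one dispatcher every request passes through, and an interface name that was never registered is denied rather than reached. The ACL names, interface names and account data are hypothetical and stand in for the real WHM ones.

```python
import functools

# Hypothetical ACL names for the example; they are not cPanel's ACL identifiers.
ACL_DISK_USAGE = "view-disk-usage"
ACL_MYSQL_USERS = "list-mysql-users"

_HANDLERS = {}


class AclDenied(PermissionError):
    pass


def whm_interface(name, requires):
    """Register a WHM-style interface together with the ACL it needs. The check lives
    here, on the one path every call takes, instead of being re-implemented (or
    forgotten) inside each handler. Registering without an ACL is a programming error."""
    if not requires:
        raise ValueError("interface %r must declare a required ACL" % name)

    def register(fn):
        @functools.wraps(fn)
        def guarded(reseller, *args, **kwargs):
            acls = reseller["acls"]
            if "all" not in acls and requires not in acls:
                raise AclDenied("%s lacks %s (needed by %s)" % (reseller["name"], requires, name))
            return fn(reseller, *args, **kwargs)
        _HANDLERS[name] = guarded
        return guarded
    return register


def dispatch(reseller, name, *args):
    """Entry point for a request. An unknown interface is denied rather than falling
    through to some unregistered, and therefore unchecked, function."""
    try:
        handler = _HANDLERS[name]
    except KeyError:
        raise AclDenied("unknown interface %r" % name)
    return handler(reseller, *args)


# Constructed data standing in for the server's view of accounts.
_DISK_USAGE_MB = {"alice": 120, "bob": 980}
_MYSQL_USERS = {"alice_wp", "bob_shop"}


@whm_interface("showdiskusage", requires=ACL_DISK_USAGE)
def show_disk_usage(reseller, account):
    return _DISK_USAGE_MB[account]


@whm_interface("mysql_user_exists", requires=ACL_MYSQL_USERS)
def mysql_user_exists(reseller, user):
    return user in _MYSQL_USERS


def run_demo():
    """Two resellers, three requests each; returns {(reseller, interface): result}."""
    limited = {"name": "limited", "acls": {ACL_DISK_USAGE}}
    full = {"name": "root", "acls": {"all"}}
    calls = (("showdiskusage", "alice"), ("mysql_user_exists", "bob_shop"), ("nosuch", None))
    out = {}
    for who in (limited, full):
        for interface, arg in calls:
            try:
                out[(who["name"], interface)] = dispatch(who, interface, arg)
            except AclDenied:
                out[(who["name"], interface)] = "denied"
    return out


if __name__ == "__main__":
    for key, value in sorted(run_demo().items()):
        print("%-30s %s" % (key, value))
```

The property worth testing in a real code base is the negative one: enumerate every reachable interface and assert that each was registered through the guarded path, so a new interface added without an ACL declaration fails in CI rather than in production.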

Solution

This issue is resolved in the following builds:

11.38.0.15 and greater
11.36.1.8 and greater
11.34.1.18 and greater
11.32.6.7 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.


Posted in Security

11.38 to RELEASE Tier

6/10/2013
Houston, TX-

cPanel, Inc. announces the release of cPanel & WHM software version 11.38.

cPanel & WHM software release 11.38, which goes to the RELEASE tier today, offers significant improvements to SSL Management and Backups. It also provides enhancements to jail shell, email auto configuration, and more.

Improved SSL Management

The improved SSL management system offers a number of enhancements: support for UCC certificates, SNI (Server Name Indication), and enhanced support for Wildcard SSL certificates. This allows cPanel users to host multiple SSL websites on the same account. cPanel & WHM users will notice changes to the user interfaces that simplify installing and managing the various SSL certificates, keys, and signing requests associated with their domains.

System and Account Backups

cPanel introduces a new backup system with software release 11.38. Among the changes are the ability to store backups in multiple locations, reduction in the time needed to perform a full backup, and a complete set of functionality for automating backups.

Backup restoration is also enhanced. A new queuing system allows system administrators to perform other operations within cPanel & WHM while restorations occur.

Other notable changes include:

* Ability to configure the host used by email autodiscovery, and auto configuration
* Improved email tracking ability by ensuring the From header matches the mail sender
* Use of a single template system for customizing the Apache configuration
* Changes to jail shell, mod_ruid2, and more

Detailed information on all 11.38 features can be found at http://docs.cpanel.net/twiki/bin/view/AllDocumentation/1138ReleaseNotes. For an overview of the latest features available in 11.38, visit http://releases.cpanel.net/category/releases/11-38/.

Posted in News

Important: 2013-06-05 Targeted Security Releases

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having important security impact. Information on security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installs at your earliest convenience.

Releases

The following cPanel & WHM versions address all known vulnerabilities:

* 11.38.0.15
* 11.36.1.8
* 11.34.1.18
* 11.32.6.7

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

Security Issue Information

The resolved security issues were identified by the cPanel security team and independent security researchers. There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed to allow cPanel & WHM systems to automatically update their installed software to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 10 vulnerabilities in cPanel & WHM 11.38, 11.36, 11.34 and 11.32. Additional information is scheduled to be released June 10, 2013.

For information about our Versions and Release Process, read the following document: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/CpanelProductVersions


Posted in Security

IMPORTANT: cPanel Security Notice 2013-06-03

SUMMARY

The Apache mod_rewrite module fails to sanitize terminal escape sequences before writing request data to its log, which may lead to arbitrary command execution when an administrator views that log in a terminal.

SECURITY RATING

The cPanel Security Team has rated this update as having critical security impact.

Information on security ratings is available at: http://go.cpanel.net/securitylevels. You are strongly encouraged to run EasyApache and update your Apache installation at your earliest convenience.

DETAIL

From CVE-2013-1862: “It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user.”
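The injection described in CVE-2013-1862 works because nothing between the request and the log strips terminal control bytes, and because `cat` or `tail -f` hands those bytes straight to the terminal emulator. The added example below, not cPanel's or Apache's code, scans RewriteLog-style lines for OSC and CSI sequences and other C0 control bytes, and rewrites them into visible \xNN form so a log can be reviewed safely. The sample lines are constructed for the demonstration in the shape of Apache 2.2 RewriteLog output.

```python
import re

# Constructed lines in the shape of Apache 2.2 RewriteLog output. Lines 2 and 3 carry
# escape sequences a client can place in the request URI; an unpatched mod_rewrite wrote
# them to the log unchanged.
SAMPLE_REWRITE_LOG = (
    "192.0.2.10 - - [03/Jun/2013:10:00:00 +0000] [example.com/sid#1][rid#2/initial] "
    "(2) init rewrite engine with requested uri /index.php\n"
    "192.0.2.11 - - [03/Jun/2013:10:00:01 +0000] [example.com/sid#1][rid#3/initial] "
    "(2) init rewrite engine with requested uri /\x1b]0;new window title\x07\n"
    "192.0.2.12 - - [03/Jun/2013:10:00:02 +0000] [example.com/sid#1][rid#4/initial] "
    "(2) init rewrite engine with requested uri /\x1b[2J\x1b[H\n"
)

_OSC = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")  # ESC ] ... BEL|ST: titles and the like
_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")             # ESC [ params final: cursor, clear, colour
_C0 = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")            # any other control byte; tab/newline allowed


def classify(line):
    """Names the kinds of control sequences in one log line, [] if it is clean."""
    kinds, rest = [], line
    for label, rx in (("OSC", _OSC), ("CSI", _CSI)):
        if rx.search(rest):
            kinds.append(label)
            rest = rx.sub("", rest)
    if _C0.search(rest):
        kinds.append("C0")
    return kinds


def scan(log_text):
    """(line number, kinds) for every line that carries control bytes."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        kinds = classify(line)
        if kinds:
            hits.append((n, kinds))
    return hits


def neutralize(text):
    """Rewrite every control byte as a literal \\xNN escape. The result is safe to print
    to a terminal and the original content is still recoverable for analysis."""
    return _C0.sub(lambda m: "\\x%02x" % ord(m.group()), text)


if __name__ == "__main__":
    for n, kinds in scan(SAMPLE_REWRITE_LOG):
        print("line %d: %s" % (n, ", ".join(kinds)))
    print(neutralize(SAMPLE_REWRITE_LOG))
```

Until Apache is rebuilt, view logs with `less` (which renders control bytes as caret notation unless started with -r or -R) or `cat -v` rather than plain `cat` or `tail -f`, and run anything you paste into a ticket or e-mail through `neutralize` first. Carriage return is deliberately included in the neutralised set because it is the classic way to forge an entire log line that overwrites the real one on screen.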

AFFECTED VERSIONS

All versions of Apache 2.2 and 2.4.

SOLUTION

cPanel, Inc has released EasyApache 3.18.16 to correct this issue. To update, rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea)

RELEASES

EasyApache v3.18.16 addresses all known vulnerabilities.

Unless EasyApache updates are disabled on your system, the latest version of EasyApache is fetched whenever EasyApache is run. Note that this does not rebuild Apache by itself: the fix is applied only when you run EasyApache and rebuild your profile.

REFERENCES

* CVE-2013-1862 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862)
* CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)
* RHSA-2013:0815 (http://rhn.redhat.com/errata/RHSA-2013-0815.html)
* Apache Patch: http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch


Posted in Security