EasyApache 3.24.12 Released

SUMMARY
cPanel, Inc. has released EasyApache 3.24.12 with PHP versions 5.5.10 and 5.4.26. This release addresses PHP vulnerabilities CVE-2014-1943, CVE-2014-2270, and CVE-2013-7327 by fixing bugs in the Fileinfo and GD modules. We encourage all PHP users to upgrade to PHP versions 5.5.10 and 5.4.26.

Posted in News, Software Updates

EasyApache End of Life Warning Messages

Since the release of EasyApache 3.24.11, you may have noticed a variation of the following warning message when starting EasyApache:

Your server is currently on cPanel & WHM version 11.36.2.12. This version of cPanel & WHM has reached End of Life.

cPanel & WHM version 11.36.2.12 will continue to receive updates to EasyApache for 90 days after February 10, 2014. To receive EasyApache updates after May 11, 2014, you must update the cPanel & WHM version on this server.

For more information on how to upgrade cPanel & WHM, visit upgrade cPanel and WHM version.

If you receive this warning message, then your server is running a version of cPanel & WHM that has reached End of Life (EOL)*. We will continue to provide EasyApache updates for EOL versions of cPanel & WHM until May 11, 2014. However, we strongly encourage users running EOL versions of cPanel & WHM to upgrade before this date.

If your server runs an EOL version of cPanel & WHM after May 11, 2014, then the functionality of EasyApache will change in the following ways:

  • Your server will no longer receive EasyApache updates, which include Apache and security patches.
  • You will no longer be able to update or change components within EasyApache.
  • You will only be able to rebuild the last successful profile.

For example, after May 11, 2014, a server running cPanel & WHM version 11.36 and Apache version 2.2 will not be able to rebuild EasyApache with Apache version 2.4. Even minor version updates, such as an update from PHP 5.4.24 to 5.4.25, will not be possible after this date.

These changes to EasyApache functionality will allow the EasyApache development team to provide you with the following improvements:

  • Quicker EasyApache release cycles
  • More feature development
  • More bug fixes
  • Fewer EasyApache security issues related to the support of out-of-date software

For more information on the cPanel & WHM upgrade process, visit Upgrade to Latest Version.

You can also follow the EasyApache development team’s progress on the upcoming Optimized Profiles feature via the EasyApache forums and cPanel Blog.

*On February 28, 2014, cPanel & WHM versions 11.36 and earlier reached EOL. In April 2014, cPanel & WHM version 11.38 will also reach EOL.

Posted in News, Software Updates

11.42 Now in RELEASE Tier

3/3/2014
Houston, TX -

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.42, which is now available in the RELEASE tier.

cPanel & WHM version 11.42 offers a brand new theme, an upgrade to Horde Groupware Webmail, and more.

Paper Lantern Theme
As part of 11.42, cPanel & WHM introduces Paper Lantern, a modern, powerful theme. With its simplified design, beautiful icon set, and thoughtful feature names, this edition of Paper Lantern is only the beginning.

Horde Groupware Webmail Upgrade
cPanel & WHM now uses Horde Groupware Webmail Edition 5.1. This upgrade provides a simple webmail application for all users, regardless of experience level.

Detailed information on all cPanel & WHM version 11.42 features can be found at https://documentation.cpanel.net.* An overview of the latest features and benefits is also available at http://releases.cpanel.net.

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.

*Please note the updated URL for cPanel & WHM Documentation.

Posted in News, Press Releases, Release Announcements

11.38 EOL, 2 Month Notice

cPanel & WHM software version 11.38 will reach End of Life at the end of April 2014.

In accordance with our EOL policy [http://go.cpanel.net/longtermsupport], 11.38 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.38 once it reaches its EOL date.

We recommend that all customers migrate any existing installations of cPanel & WHM 11.38 to a newer version (either 11.40 or 11.42).

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at http://go.cpanel.net/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

For the PGP-signed message, see 11.38 60 day notice-signed.

Posted in News, Release Announcements

cPanel TSR 2014-0002 Full Disclosure

Case 89985

Summary

Disclosure of cpanel-horde’s MySQL password due to world-readable backups.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

During the upgrade to Horde 5 on 11.42 systems, a backup tarball of the existing Horde configuration files is created. This backup tarball was created in a world-accessible directory with world-readable permissions, allowing local accounts to see the MySQL password for the shared cpanel-horde user.

Credits

This issue was discovered by Rack911.

Solution

This issue is resolved in the following builds:
11.42.0.6

For the PGP-signed message, see http://cpanel.net/wp-content/uploads/2014/02/TSR-2014-0002-Full-Disclosure.txt.
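The flaw described in this advisory comes down to the mode of the backup file and of the directory that holds it. The following is an added example, not cPanel's code: it writes a configuration backup that only the owning account can read and contrasts it with a backup created under a typical default umask. The function names, file names and sample configuration line are constructed for illustration.

```python
import os
import stat
import tarfile
import tempfile

def write_private_backup(src_dir, dest_dir, name="config-backup.tar.gz"):
    """Archive src_dir into dest_dir so that only the owner can read the result."""
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    os.chmod(dest_dir, 0o700)  # makedirs honours umask and leaves existing dirs alone
    path = os.path.join(dest_dir, name)
    # O_EXCL refuses a pre-existing file or symlink; mode 0600 applies from creation
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w:gz") as tar:
        tar.add(src_dir, arcname=os.path.basename(src_dir))
    return path

def readable_by_others(path):
    """True if other local accounts can read the file via its containing directory."""
    file_mode = os.stat(path).st_mode
    dir_mode = os.stat(os.path.dirname(path)).st_mode
    return bool(file_mode & stat.S_IROTH) and bool(dir_mode & stat.S_IXOTH)

def demo():
    old_umask = os.umask(0o022)  # typical default umask
    try:
        with tempfile.TemporaryDirectory() as root:
            src = os.path.join(root, "horde-config")
            os.mkdir(src)
            with open(os.path.join(src, "conf.php"), "w") as fh:
                fh.write("$conf['sql']['password'] = 'CONSTRUCTED-EXAMPLE';\n")
            # Weak pattern: shared directory, file mode left to the umask (0644)
            shared = os.path.join(root, "shared")
            os.mkdir(shared, 0o755)
            weak = os.path.join(shared, "backup.tar.gz")
            with tarfile.open(weak, "w:gz") as tar:
                tar.add(src, arcname="horde-config")
            # Hardened pattern: 0700 directory, 0600 file
            strong = write_private_backup(src, os.path.join(root, "private"))
            return readable_by_others(weak), readable_by_others(strong)
    finally:
        os.umask(old_umask)
```

`readable_by_others` inspects only the file and its immediate parent directory; an audit of a real system would also walk the remaining path components.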

Posted in News, Security

cPanel TSR-2014-0002 Announcement

cPanel has released a new build for the 11.42, CURRENT, and EDGE update tiers.

This update provides targeted changes to address security concerns with the 11.42 release of the cPanel & WHM product. This build is currently available to all customers via the standard update system.

cPanel has rated this update as having a security impact level of Important.

Information on cPanel’s security ratings is available at go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.42.0.6 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

Independent security researchers identified the security issue resolved in this update. There is no reason to believe that this vulnerability is known to the public. As such, cPanel will only release limited information about the vulnerability at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new version, cPanel will release additional information about the nature of this security issue.

Additional information is scheduled for release on February 14th, 2014.

For information on cPanel & WHM Versions and the Release Process, read our documentation at go.cpanel.net/versionformat.

For the PGP-signed message, see TSR-2014-0002 Announcement.

Posted in News, Security

EasyApache EOL Items Removed

2/10/2014
Houston, TX -

cPanel, Inc. has released EasyApache 3.24. This version removes Apache 1.3/2.0, PHP 5.2, and mod_frontpage. As mentioned in Introducing EasyApache’s Optimal Profiles, these End of Life (EOL) items are no longer available in EasyApache.

These items have been removed for the following reasons:

  • They are no longer supported by their respective developers.
  • They include unpatched CVEs (Common Vulnerabilities and Exposures).
  • EasyApache provides the most up-to-date, supported versions of Apache (2.2/2.4) and PHP (5.4/5.5).

Keep in mind that viable alternatives to mod_frontpage exist, such as WebDAV and FTP. Also, PHP 5.2 and mod_frontpage are available as custom modules (“opt mods”).

Important: Starting May 11, 2014, EasyApache users running EOL cPanel & WHM versions (11.38 and older) will no longer receive EasyApache updates. These users will still be able to rebuild EasyApache using the latest release prior to May 11, 2014. A message will appear in the WHM user interface and command line interface warning EasyApache users of this change. EasyApache users running cPanel & WHM version 11.38 will not see this message until that version reaches EOL at the end of April 2014. To learn how to upgrade your version of cPanel & WHM, visit http://go.cpanel.net/upgradeversion.

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists

Posted in News, Software Updates

TSR 2014-0001 Full Disclosure

Case 84385

Summary

Arbitrary code execution as cpanel-horde user via cache file poisoning.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The Horde Webmail interfaces accessible to cPanel and Webmail accounts use PHP serialized cache files to speed up some backend operations. By default these cache files were stored in the world-writable /tmp directory with predictable names. A malicious local attacker could pre-create the cache files inside /tmp, potentially leading to arbitrary code execution as the cpanel-horde user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16
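
The description above turns on a service trusting a cache file that another local account was able to create first. The following is an added example, not cPanel's or Horde's code: a loader that accepts a cache file only when it is a regular file owned by the expected account and not writable by anyone else. It uses JSON in place of PHP serialization as a data-only format; `load_cache`, `verdict`, the `trusted_uid` parameter and the sample data are constructed for illustration.

```python
import json
import os
import stat
import tempfile

class CacheRejected(Exception):
    """The cache file cannot be trusted and must be rebuilt."""

def load_cache(path, trusted_uid=None):
    """Parse a JSON cache file only if the trusted account alone controls it."""
    trusted_uid = os.geteuid() if trusted_uid is None else trusted_uid
    try:
        # O_NOFOLLOW rejects a planted symlink; O_NONBLOCK avoids hanging on a FIFO
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        raise CacheRejected(f"cannot open: {exc}") from exc
    try:
        st = os.fstat(fd)  # inspect the opened file, not the path, to avoid races
        if not stat.S_ISREG(st.st_mode):
            raise CacheRejected("not a regular file")
        if st.st_uid != trusted_uid:
            raise CacheRejected("owned by another account")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise CacheRejected("writable by group or others")
        with os.fdopen(fd, "r", encoding="utf-8", closefd=False) as fh:
            return json.load(fh)  # data-only format, no object instantiation
    finally:
        os.close(fd)

def verdict(path, **kwargs):
    # Demo helper: returns "accepted" or the short rejection reason
    try:
        load_cache(path, **kwargs)
        return "accepted"
    except CacheRejected as exc:
        return str(exc).split(":")[0]

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for a private cache dir
        good = os.path.join(d, "cache.json")
        fd = os.open(good, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"prefs": "constructed sample"}, fh)
        os.symlink(good, os.path.join(d, "link.json"))
        results = {"own_file": verdict(good),
                   "symlink": verdict(os.path.join(d, "link.json")),
                   "foreign_owner": verdict(good, trusted_uid=os.geteuid() + 1)}
        os.chmod(good, 0o666)  # simulate a cache file others can rewrite
        results["world_writable"] = verdict(good)
        return results
```

These checks are a second line of defence; keeping the cache in a directory that only the service account can write to removes the pre-creation opportunity altogether.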

Posted in News, Security

TSR-2014-0001 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.42.0.4 & Greater
* 11.40.1.10 & Greater
* 11.38.2.16 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 67 vulnerabilities in cPanel & WHM software versions 11.42, 11.40, and 11.38.

Additional information is scheduled for release on February 5th, 2014.

For information on cPanel & WHM Versions and the Release Process, read our documentation at:
http://go.cpanel.net/versionformat

For the PGP-signed message, see TSR-2014-0001-Announcement.

Posted in News, Security

11.36 EOL Notice

cPanel & WHM software version 11.36 has reached End of Life.

In accordance with our EOL policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], 11.36 will continue functioning on servers. The last release of cPanel & WHM 11.36, being 11.36.2.13, will remain on our mirrors indefinitely. You may continue using this last release, but no further updates, such as security fixes and installations, will be provided for 11.36. Older releases of cPanel & WHM 11.36 will be removed from our mirrors.

We strongly recommend that all customers migrate any existing installations of cPanel & WHM 11.36 to a newer version (either 11.38 or 11.40).

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.


For the PGP-signed message, see 11.36-EOL.

Posted in News, Release Announcements