cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel, Inc. has released EasyApache 3.24.18 with PHP versions 5.5.12 and 5.4.28. This release addresses the PHP vulnerability CVE-2014-0185 with the fix to a bug in the FPM package. We encourage all PHP users to upgrade to PHP version 5.5.12 or PHP version 5.4.28.
cPanel & WHM software version 11.38 has reached End of Life.
In accordance with our EOL policy [http://go.cpanel.net/longtermsupport], 11.38 will continue functioning on servers. The last release of cPanel & WHM 11.38, 220.127.116.11, will remain on our mirrors indefinitely. You may continue using this last release, but no further updates, such as security fixes and installations, will be provided for 11.38. Older releases of cPanel & WHM 11.38 will be removed from our mirrors.
We strongly recommend that all customers migrate any existing installations of cPanel & WHM 11.38 to a newer version (either 11.40 or 11.42).
If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.
Visit the cPanel Conference site to sign up to receive the latest updates about cPanel Conference ’14.
cPanel Security Team: Heartbleed Vulnerability
Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.
This vulnerability allows an attacker to read 64 kilobyte chunks of memory from servers and clients that connect using SSL, through a flaw in OpenSSL's implementation of the heartbeat extension.
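The length check at the heart of this flaw, as an added example that is not cPanel's or OpenSSL's code: a heartbeat message parser following the RFC 6520 layout that discards any message whose claimed payload length does not fit in the bytes received. The function names and sample messages are constructed for illustration.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat(record: bytes):
    """Return (msg_type, payload), or None if the message must be discarded.

    Layout: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None  # too short to hold the header and the minimum padding
    msg_type, claimed = struct.unpack("!BH", record[:3])
    # The bounds check: the claimed length comes from the peer and must fit
    # inside the record that actually arrived. The 2-byte field tops out at
    # 65535, which is where the advisory's 64 kilobyte figure comes from.
    if 1 + 2 + claimed + MIN_PADDING > len(record):
        return None
    return msg_type, record[3:3 + claimed]


def build_response(record: bytes):
    """Echo the payload of a valid request; return None for anything else."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
    return header + payload + bytes(MIN_PADDING)


# Constructed samples: both carry 4 payload bytes, but the second one claims
# far more than it carries.
WELL_FORMED = struct.pack("!BH", HEARTBEAT_REQUEST, 4) + b"ping" + bytes(16)
OVERCLAIMED = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"ping" + bytes(16)

if __name__ == "__main__":
    print(build_response(WELL_FORMED))   # echoed payload with a response header
    print(build_response(OVERCLAIMED))   # None: silently discarded
```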
cPanel, Inc. has released EasyApache 3.24.15 with FCGI version 2.3.9 and PHP versions 5.5.10 and 5.4.27. This release addresses the FCGI vulnerability CVE-2013-4365 with fixes to a possible heap buffer overwrite issue, and the PHP vulnerability CVE-2013-7345 with fixes to bugs in the fileinfo module. We encourage all FCGI users to upgrade to FCGI version 2.3.9, and all PHP users to upgrade to PHP version 5.5.11 or PHP version 5.4.27.
The end of Microsoft® FrontPage® Extensions installations on cPanel & WHM servers is quickly approaching. FrontPage support has already been removed in EasyApache version 3.24.1 and up and cPanel & WHM will be FrontPage-free by version 11.46, which is currently slated for a Fall 2014 release.
cPanel & WHM version 11.44 (scheduled for a Summer 2014 release) will introduce an easy way to remove FrontPage, in preparation for our discontinued support. In WHM’s Uninstall FrontPage Extensions interface (Home >> FrontPage >> Uninstall FrontPage Extensions), an Uninstall FrontPage For All Users option will allow customers to remove FrontPage from all user accounts and their server simultaneously. After implementing this new option, related features will no longer be available, the server will ignore related settings and, most importantly, customers will not be able to reactivate FrontPage.
FrontPage support will be discontinued entirely in cPanel & WHM version 11.46. System administrators will not be able to upgrade servers to 11.46 until FrontPage has been removed.
cPanel, Inc. has released EasyApache 3.24.14 with Apache version 2.2.27. This release addresses Apache vulnerabilities CVE-2014-0098 and CVE-2013-6438, by fixing bugs in the mod_log_config and mod_dav modules. We encourage all Apache users to upgrade to Apache version 2.2.27.
Sensitive information disclosed via multiple log files.
cPanel has assigned a Security Level of Moderate to this vulnerability.
Several log files on cPanel & WHM systems were created with default world-readable permissions. These log files include both sensitive internal data such as stack traces and less sensitive information about the existence of other accounts and domains on the system.
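An added example of auditing for this class of problem (not cPanel's code or its fix): it finds log files readable by "other" under a directory, removes those permission bits, and shows creating a log privately from the start. The advisory does not name the affected files, so the directory and file names here are constructed.

```python
import os
import stat
import tempfile


def world_readable_logs(root):
    """Return sorted paths of regular files under root readable by 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                hits.append(path)
    return sorted(hits)


def tighten(paths):
    """Clear every 'other' permission bit; return the number of files changed."""
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IRWXO)
    return len(paths)


def open_private_log(path):
    """Open a log for append; a new file gets mode 0600 at most, under any umask."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    return os.fdopen(fd, "a")


def demo():
    """Constructed sample: one log made the default way, one made privately."""
    with tempfile.TemporaryDirectory() as root:
        old = os.umask(0o022)  # a common default umask
        try:
            with open(os.path.join(root, "error_log"), "w") as f:
                f.write("constructed stack trace\n")  # lands as 0644
        finally:
            os.umask(old)
        with open_private_log(os.path.join(root, "private_log")) as f:
            f.write("constructed entry\n")
        before = [os.path.basename(p) for p in world_readable_logs(root)]
        fixed = tighten(world_readable_logs(root))
        return before, fixed, world_readable_logs(root)


if __name__ == "__main__":
    print(demo())
```

Changing the mode of an existing file does not revoke access from a process that already has it open, and a log rotated or recreated later will be world-readable again unless the code that creates it sets the mode.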
This issue was discovered by Rack911.
This issue is resolved in the following builds:
cPanel & WHM software version 11.38 will reach End of Life at the end of April 2014.
In accordance with our EOL policy [http://go.cpanel.net/longtermsupport], 11.38 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.38 once it reaches its EOL date.
We recommend that all customers migrate any existing installations of cPanel & WHM 11.38 to a newer version (either 11.40 or 11.42).
If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at http://go.cpanel.net/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.