cPanel TSR-2014-0002 Announcement

cPanel has released a new build for the 11.42, CURRENT, and EDGE update tiers.

This update provides targeted changes to address security concerns with the 11.42 release of the cPanel & WHM product. This build is currently available to all customers via the standard update system.

cPanel has rated this update as having a security impact level of Important.

Information on cPanel’s security ratings is available at go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.42.0.6 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

Independent security researchers identified the security issue resolved in this update. There is no reason to believe that this vulnerability is known to the public. As such, cPanel will only release limited information about the vulnerability at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new version, cPanel will release additional information about the nature of this security issue.

Additional information is scheduled for release on February 14th, 2014.

For information on cPanel & WHM Versions and the Release Process, read our
documentation at go.cpanel.net/versionformat.

For the PGP signed message, please go to TSR-2014-0002 Announcement

Posted in News, Security

EasyApache EOL Items Removed

2/10/2014
Houston, TX -

cPanel, Inc. has released EasyApache 3.24. This version removes Apache 1.3/2.0, PHP 5.2, and mod_frontpage. As mentioned in Introducing EasyApache’s Optimal Profiles, these End of Life (EOL) items are no longer available in EasyApache.

These items have been removed for the following reasons:

  • They are no longer supported by their respective developers.
  • They include unpatched CVEs (Common Vulnerabilities and Exposures).
  • EasyApache provides the most up-to-date, supported versions of Apache (2.2/2.4) and PHP (5.4/5.5).

Keep in mind that viable alternatives to mod_frontpage exist, such as WebDAV and FTP. Also, PHP 5.2 and mod_frontpage are available as custom modules (“opt mods”).

Important: Starting May 11, 2014, EasyApache users running EOL cPanel & WHM versions (11.38 and older) will no longer receive EasyApache updates. These users will still be able to rebuild EasyApache using the latest release prior to May 11, 2014. A message will appear in the WHM user interface and command line interface warning EasyApache users of this change. EasyApache users running cPanel & WHM version 11.38 will not see this message until that version reaches EOL at the end of April 2014. To learn how to upgrade your version of cPanel & WHM, visit http://go.cpanel.net/upgradeversion.

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists

Posted in News, Software Updates

TSR 2014-0001 Full Disclosure

Case 84385

Summary

Arbitrary code execution as the cpanel-horde user via cache file poisoning.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The Horde Webmail interfaces accessible to cPanel and Webmail accounts use PHP serialized cache files to speed up some backend operations. By default these cache files were stored in the world-writable /tmp directory with predictable names. A malicious local attacker could pre-create the cache files inside /tmp, so that Horde later unserialized attacker-controlled data, potentially leading to arbitrary code execution as the cpanel-horde user.
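The pattern behind this case, as an added example that is not cPanel or Horde code: a process stores a serialized cache under a predictable name in a directory every local user can write to, then deserializes whatever it finds there. Python's pickle stands in for PHP's serialize()/unserialize(), a throwaway directory stands in for /tmp, and the hardened half (per-user 0700 directory, exclusive O_EXCL|O_NOFOLLOW creation, HMAC tag checked before deserializing) is a generic mitigation for this bug class, not a description of cPanel's actual fix, which this page does not disclose. All helper names and paths are assumptions; the script assumes Linux.

```python
"""Cache-file poisoning via a predictable path in a shared directory.

Added example (not cPanel/Horde code). pickle stands in for PHP
serialize(); the directory layout, helper names and HMAC scheme are
assumptions made for illustration.
"""
import hashlib
import hmac
import os
import pickle
import stat
import tempfile

# Stand-in for "arbitrary code ran as the cache owner": the planted
# payload's reducer appends here when it is deserialized.
EXECUTED = []


def record_execution(tag):
    EXECUTED.append(tag)
    return {"planted": tag}


class PlantedPayload:
    """What a local attacker drops into the predictable cache file."""
    def __reduce__(self):
        return (record_execution, ("attacker code ran",))


# --- vulnerable pattern: shared dir, guessable name, blind unserialize ---
def vulnerable_cache_path(shared_dir, key):
    return os.path.join(shared_dir, "app_cache_" + key)  # anyone can guess it


def vulnerable_load(shared_dir, key):
    with open(vulnerable_cache_path(shared_dir, key), "rb") as fh:
        return pickle.load(fh)  # trusts whatever is on disk


# --- hardened pattern ---------------------------------------------------
def private_cache_dir(base):
    """Per-uid directory, mode 0700, verified ours and not a symlink."""
    path = os.path.join(base, "cache-%d" % os.getuid())
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or st.st_uid != os.getuid():
        raise RuntimeError("cache dir is a symlink or not owned by us")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError("cache dir is group/world writable")
    return path


def _cache_file(cache_dir, key):
    # Hashing only sanitizes the name; secrecy comes from the 0700 dir.
    return os.path.join(cache_dir, hashlib.sha256(key.encode()).hexdigest())


def safe_store(cache_dir, key, obj, secret):
    """O_EXCL fails if anything pre-exists; HMAC covers the body."""
    body = pickle.dumps(obj)
    tag = hmac.new(secret, body, "sha256").digest()
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(_cache_file(cache_dir, key), flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(tag + body)
    return _cache_file(cache_dir, key)


def safe_load(cache_dir, key, secret):
    with open(_cache_file(cache_dir, key), "rb") as fh:
        data = fh.read()
    tag, body = data[:32], data[32:]
    if not hmac.compare_digest(tag, hmac.new(secret, body, "sha256").digest()):
        return None  # never unpickle bytes we did not authenticate
    return pickle.loads(body)


def demo():
    """Runs both scenarios in a temp dir standing in for /tmp."""
    secret, out = os.urandom(32), {}
    with tempfile.TemporaryDirectory() as shared:
        # 1. Attacker pre-creates the predictable file; victim loads it.
        with open(vulnerable_cache_path(shared, "prefs"), "wb") as fh:
            pickle.dump(PlantedPayload(), fh)
        out["poisoned"] = vulnerable_load(shared, "prefs")
        out["executed"] = list(EXECUTED)
        # 2. Hardened store/load round-trips the real data.
        cdir = private_cache_dir(shared)
        path = safe_store(cdir, "prefs", {"theme": "paper_lantern"}, secret)
        out["hardened"] = safe_load(cdir, "prefs", secret)
        # 3. A pre-existing file makes the exclusive create fail loudly.
        try:
            safe_store(cdir, "prefs", {"theme": "x"}, secret)
            out["exclusive_create_failed"] = False
        except FileExistsError:
            out["exclusive_create_failed"] = True
        # 4. Flip one byte of the stored body: rejected before unpickling.
        with open(path, "r+b") as fh:
            fh.seek(-1, os.SEEK_END)
            last = fh.read(1)
            fh.seek(-1, os.SEEK_END)
            fh.write(bytes([last[0] ^ 0xFF]))
        out["tampered"] = safe_load(cdir, "prefs", secret)
    return out


if __name__ == "__main__":
    print(demo())
```

The two halves differ in who controls the bytes that reach the deserializer: in the first, any local user who can guess the file name; in the second, only the owner of a 0700 directory, and even then only bytes carrying a valid tag.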

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
11.42.0.4
11.40.1.10
11.38.2.16


Posted in News, Security

TSR-2014-0001 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.42.0.4 & Greater
* 11.40.1.10 & Greater
* 11.38.2.16 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 67 vulnerabilities in cPanel & WHM software versions 11.42, 11.40, and 11.38.

Additional information is scheduled for release on February 5th, 2014.

For information on cPanel & WHM Versions and the Release Process, read our documentation at:
http://go.cpanel.net/versionformat

For the PGP-signed message, see TSR-2014-0001-Announcement.

Posted in News, Security

11.36 EOL Notice

cPanel & WHM software version 11.36 has reached End of Life.

In accordance with our EOL policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], 11.36 will continue functioning on servers. The last release of cPanel & WHM 11.36, being 11.36.2.13, will remain on our mirrors indefinitely. You may continue using this last release, but no further updates, such as security fixes and installations, will be provided for 11.36. Older releases of cPanel & WHM 11.36 will be removed from our mirrors.

We strongly recommend that all customers migrate any existing installations of cPanel & WHM 11.36 to a newer version (either 11.38 or 11.40).

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

For the PGP-signed message, see 11.36-EOL.

Posted in News, Release Announcements

EasyApache End of Life Items to be Removed

1/30/2014
Houston, TX -

cPanel, Inc. tentatively plans to release EasyApache 3.24 in the very near future. This version will include the removal of Apache 1.3/2.0, PHP 5.2, and mod_frontpage. As mentioned in Introducing EasyApache’s Optimal Profiles, these End of Life items will no longer be available in EasyApache.

These items will be removed for the following reasons:

  • They are no longer supported by their respective developers.
  • They include known CVEs (Common Vulnerabilities and Exposures).
  • EasyApache provides the most up-to-date, supported versions of Apache (2.2/2.4) and PHP (5.4/5.5).

Keep in mind that viable alternatives to mod_frontpage exist, such as WebDAV and FTP. Also, PHP 5.2 and mod_frontpage will be available as custom modules (“opt mods”).

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists

Posted in News, Software Updates

11.42 Now in CURRENT Tier

1/28/2014
Houston, TX -

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.42, which is now available in the CURRENT tier.
cPanel & WHM version 11.42 offers a brand new theme, an upgrade to Horde Groupware Webmail, and more.

Paper Lantern Theme
As part of 11.42, cPanel & WHM introduces Paper Lantern, a modern, powerful theme. With its simplified design, beautiful icon set, and thoughtful feature names, this edition of Paper Lantern is only the beginning.

Horde Groupware Webmail Upgrade
cPanel & WHM now uses Horde Groupware Webmail Edition 5.1. This upgrade provides a simple webmail application for all users, regardless of experience level.

Detailed information on all cPanel & WHM version 11.42 features can be found at https://documentation.cpanel.net.* An overview of the latest features and benefits is also available at http://releases.cpanel.net.

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.

*Please note the updated URL for cPanel & WHM Documentation.

Posted in News, Press Releases, Release Announcements

Enkompass EOL Notice

Enkompass version 3.0 will reach End of Life in February 2014.

In accordance with our EOL policy [go.cpanel.net/eol], Enkompass will continue to function on servers after it reaches EOL. However, we will not provide further updates (for example, security fixes and installations) for Enkompass version 3.0 after it reaches its EOL date.

Support for Enkompass will no longer be available in the ticket system, but community support is still available on our forums [http://forums.cpanel.net/enkompass-discussions.html].

So long, and thanks for all the fish.
About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

For the PGP-signed message, see Enkompass-EOL.

Posted in News, Release Announcements

11.36 EOL, 1 Month Notice

cPanel & WHM software version 11.36 will reach End of Life at the end of January 2014.

In accordance with our EOL policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], 11.36 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.36 once it reaches its EOL date.

We recommend that all customers migrate any existing installations of cPanel & WHM 11.36 to a newer version (either 11.38 or 11.40).

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (for example, an out-of-date operating system), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

For the PGP-signed message, see 11.36 30 day notice-signed.

Posted in News, Release Announcements

TSR 2013-0012 Full Disclosure

Case 84681

Summary

Arbitrary file read for ACL limited reseller accounts via XML-API.

Security Rating

cPanel has assigned a Security Level of Important to this vulnerability.

Description

The WHM XML and JSON APIs allowed arbitrary files to be read through the “getpkginfo” API call. By sending a crafted input to this call, resellers with the “viewglobalpackages” ACL could read the contents of files accessible only to root.
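The bug class behind this case, as an added example that is not cPanel's getpkginfo implementation: an API call turns a caller-supplied package name into a filesystem path and reads it, running as root, on behalf of a less-privileged reseller. The page does not disclose the exact crafted input, so a traversal string and a symlink are used here as stand-ins for the class. The directory layout (one flat file per package under a packages directory), the key=value file format, the name grammar and all helper names are assumptions. The checked version rejects anything that is not an identifier-like token and then proves, after symlink resolution, that the target still lies inside the packages directory.

```python
"""Containment check for a 'read the named package file' API call.

Added example (not cPanel code). Layout, file format, name grammar and
helper names are assumptions; the traversal/symlink inputs stand in for
the undisclosed crafted input.
"""
import os
import re
import tempfile

# Assumed grammar: package names are identifier-like tokens; no slashes,
# no leading dot, bounded length. Rejected before touching any path.
PKG_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


class PackageLookupError(ValueError):
    pass


def package_path_unchecked(pkg_dir, name):
    # The bug class: caller input concatenated straight into a path.
    return os.path.join(pkg_dir, name)


def package_path_checked(pkg_dir, name):
    """Validate the token, then prove the resolved path stays in pkg_dir."""
    if not PKG_NAME_RE.match(name):
        raise PackageLookupError("invalid package name")
    base = os.path.realpath(pkg_dir)
    target = os.path.realpath(os.path.join(base, name))  # follows symlinks
    # commonpath, not startswith: /x/packages2 must not pass for /x/packages.
    if os.path.commonpath([base, target]) != base:
        raise PackageLookupError("package path escapes packages dir")
    return target


def getpkginfo(pkg_dir, name, checked=True):
    """Return the package file's key=value pairs (assumed format)."""
    if checked:
        path = package_path_checked(pkg_dir, name)
    else:
        path = package_path_unchecked(pkg_dir, name)
    info = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and "=" in line:
                key, value = line.split("=", 1)
                info[key.strip()] = value.strip()
    return info


def demo():
    """Constructed fixture: one package, one file that should stay
    unreadable outside the packages dir, and a symlink pointing at it."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        pkg_dir = os.path.join(root, "packages")
        os.mkdir(pkg_dir)
        with open(os.path.join(pkg_dir, "gold"), "w") as fh:
            fh.write("QUOTA=2048\nMAXFTP=5\n")
        secret = os.path.join(root, "secret.conf")
        with open(secret, "w") as fh:
            fh.write("dbpass=hunter2\n")
        os.symlink(secret, os.path.join(pkg_dir, "linkout"))

        results["valid"] = getpkginfo(pkg_dir, "gold")
        traversal = "../secret.conf"
        # Unchecked lookup happily reads outside the packages directory.
        results["unchecked_traversal"] = getpkginfo(pkg_dir, traversal, checked=False)
        for label, name in (("traversal", traversal),
                            ("symlink", "linkout"),
                            ("absolute", secret)):
            try:
                getpkginfo(pkg_dir, name)
                results[label] = "allowed"
            except PackageLookupError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Two checks are needed, not one: the token grammar stops traversal and absolute paths before any filesystem access, and the realpath containment test catches a name that is syntactically fine but resolves, through a symlink, to a file outside the directory.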

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.40.1.7 & Greater
11.40.0.31 & Greater
11.38.2.15 & Greater
11.36.2.12 & Greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

For the PGP-signed message, see TSR-2013-0012-FullDisclosure.

Posted in News, Security