WHD Global 2014

We’re sending representatives from cPanel to WHD Global in April 2014. More information coming soon!

Posted in Events

IMPORTANT: cPanel Security Notice 2013-09-25: WordPress 3.6.1

SUMMARY

Three CVEs were reported for WordPress 3.6 and WordPress has released
an upgraded version to address these vulnerabilities. cPanel has
updated the WordPress version delivered via the cPAddons functionality
in WHM to the new version of 3.6.1.

AFFECTED VERSIONS
All versions of WordPress 3.6.0 and below.

SECURITY RATING
US-CERT/NIST has given the following severities for the WordPress
vulnerabilities:

CVE-2013-4338
CVSS v2 Base Score: 7.5 (HIGH)

CVE-2013-4339
CVSS v2 Base Score: 7.5 (HIGH)

CVE-2013-4340
CVSS v2 Base Score: 3.5 (LOW)

SOLUTION
cPanel, Inc. has updated the version of WordPress in the cPAddons
system to 3.6.1. The cPanel Security Team highly recommends that
all installations of WordPress be updated on your servers. The WHM
Admins can upgrade the installations of WordPress on their servers
using the Manage cPAddons Site Software functionality in WHM. cPanel
account users may also update from the WordPress link in the Site
Software section of their cPanel account interface.

REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4338

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4339

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4340

http://wordpress.org/news/2013/09/wordpress-3-6-1/

For the PGP signed message go here

Posted in News, Security

11.34 EOL, 1 Month Notice

Correction: Please note that cPanel & WHM version 11.36 will reach EOL January 2014, not March 2014.

cPanel & WHM 11.34 reaches End Of Life October 15, 2013. That means there is only one month left in the life cycle.

In accordance with our End of Life Policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], cPanel & WHM software release 11.34 will continue functioning on servers after reaching end of life. No further updates, including security fixes, or installations will be provided for 11.34 after the end of life date.

All customers currently using cPanel & WHM software release 11.34 are advised to begin planning the upgrade to cPanel & WHM software release 11.36 (EOL Date: January 2014). If you desire assistance with your migration plans, please contact our technical support team at https://tickets.cpanel.net/submit/. Our professional staff will help with recommendations, migration assistance and more.

Posted in Release Announcements, Security

TSR-2013-0009 Detailed Disclosure

The following disclosure covers Targeted Security Release TSR-2013-0009, which was published on August 27th, 2013.

Each vulnerability is assigned an internal case number which is reflected below.
Information regarding the cPanel Security Level rankings can be found here:
http://go.cpanel.net/securitylevels

Case 73377

Summary
An account’s cpmove archives were world-readable in the /home directory with 644 permissions during packaging.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The cPanel and WHM account transfer process created a temporary cpmove
archive in the /home directory with 644 permissions. This allowed a local
attacker to read the private contents of another user’s home directory
and configuration settings while the transfer operation was in progress.
The world-readable cpmove file was left accessible for a longer period
of time when the account transfer process failed and required manual intervention.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.
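
An audit for the condition described in Case 73377, as an added example that is not cPanel's code: it lists archives in a directory whose mode grants read access to group or other, and shows a staging file created with mode 0600 from the first byte. The `cpmove-` filename prefix, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: transfer archives are recognised by a "cpmove-" filename prefix.
ARCHIVE_PREFIX = "cpmove-"


def find_exposed_archives(directory, prefix=ARCHIVE_PREFIX):
    """Return sorted (name, octal mode) pairs for archives readable by group or other."""
    exposed = []
    for entry in os.scandir(directory):
        if not entry.name.startswith(prefix):
            continue
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks, directories and special files
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append((entry.name, oct(stat.S_IMODE(st.st_mode))))
    return sorted(exposed)


def create_private_archive(path):
    """Create the archive file with mode 0600 before any data is written.

    O_EXCL refuses to reuse an existing path (including a planted symlink),
    and passing the mode to open() means the file never exists with wider
    permissions, even if the transfer later fails and the file is left behind.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    os.fchmod(fd, 0o600)  # umask can only narrow the requested mode; pin it to exactly 0600
    return os.fdopen(fd, "wb")


def demo():
    """Build a constructed staging directory and audit it."""
    with tempfile.TemporaryDirectory() as home:
        # Constructed sample: one archive left at 0644, as in the pre-fix behaviour ...
        weak = os.path.join(home, "cpmove-alice.tar.gz")
        with open(weak, "wb") as fh:
            fh.write(b"constructed sample data")
        os.chmod(weak, 0o644)
        # ... and one created privately.
        with create_private_archive(os.path.join(home, "cpmove-bob.tar.gz")) as fh:
            fh.write(b"constructed sample data")
        return find_exposed_archives(home)


if __name__ == "__main__":
    for name, mode in demo():
        print(f"{mode} {name}")
```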

Case 73581

Summary
The improper sanitization of user input when adding an Addon Domain could allow a local DoS of the web server.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
While creating a new Addon domain, a cPanel user account could specify a
DocumentRoot for the new addon that would be misinterpreted by Apache as
a nonsensical httpd.conf directive. This vulnerability could be used by
a malicious local attacker to corrupt the global httpd.conf file and
make it impossible to restart the Apache web server.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 73605

Summary
The account rearrange feature of WHM could be used in an unsafe way, potentially leading to a compromise of a system’s security.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
WHM resellers with the “Rearrange Accounts” ACL could change the
permissions on arbitrary file paths by moving accounts they
controlled into sensitive filesystem locations and invoking other
automated systems, which assumed these locations were not under any user
account’s control. The “Rearrange Accounts” ACL is part of the “Super Privs” ACL group, which restricts access to WHM operations that may be used to bypass many normal Reseller access restrictions.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 73773

Summary
cPanel, WHM and Webmail session files contained plaintext passwords.

Security Rating
cPanel has not assigned a Security Level to this issue as we feel this is only a hardening measure.

Description
The session files in /var/cpanel/sessions contained plain text passwords for recently logged in users. The session files were correctly secured so that only the root account on the system could read their contents. We have added additional obfuscation of the plaintext passwords, so that any attacker who compromises the root account on the system will not have the ability to reconstruct the plaintext passwords from the session files.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 74521

Summary
Resellers with the locale-edit ACL could overwrite any file on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
Resellers that were able to install locale data from uploaded XML files could overwrite any file on the disk with data provided in the XML file. This could be used to gain privilege escalation to root.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 75569

Summary
The unsuspend function makes changes to WebDAV user files that could unsuspend a suspended user on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The process of unsuspending a suspended account did not perform proper checks on the ownership and location of the virtual account password files. This flaw allowed a malicious reseller account with the “(Un)Suspend” ACL to unsuspend arbitrary accounts on the system.

Credits
This issue was reported by Rack911.com.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Cases 68205, 71701, 71705, 71709, 71721, 71725, 71733, 75169, 75413, 75417, and 75605

Summary

Multiple vulnerabilities in the cPAddons Site Software subsystem.

Security Rating
cPanel has assigned a range of Security Levels to these vulnerabilities from Minor to Important.

Description
The cPAddons Site Software subsystem provides a suite of web application
software that individual cPanel user accounts may install into their
domains. The subsystem also provides interfaces in WHM where the root user
may configure the list of web applications that are available for
installation, configure which web applications require root’s approval
for installation, and perform the installation of moderated cPAddons.

This subsystem was vulnerable to a variety of attacks by malicious local
cPanel accounts and malicious WHM reseller accounts. The vulnerabilities
included flaws in the ACL enforcement logic of the WHM interfaces that
allowed non-root resellers to use the WHM interfaces and stored XSS
attacks that a cPanel account could conduct against the root user. The
moderated cPAddons install logic included further vulnerabilities that
would allow a malicious cPanel user to execute arbitrary code as any
other account on the system.

Credits
These issues were discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Case 71265

Summary
The autorespond.pl script was vulnerable to shell injection.

Security Rating
cPanel has assigned a Security Level of Moderate to this vulnerability.

Description
The cPanel autorespond script is used by cPanel and Webmail accounts to
send vacation notices when the user is unavailable to answer their
email. An input sanitization flaw in this script allowed a malicious
local cPanel account to bypass other account restrictions, such
as jailshell, while executing arbitrary code.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater

This issue was not introduced into the autoresponder.pl code until 11.38; 11.36 and prior are not vulnerable.

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Cases 74609 and 75113

Summary
The NVData module lacked proper sanitization, which allowed overwrites of files and path traversal.

Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.

Description
The WHM interface uses an NVData subsystem to persistently store some
settings of the web interface. This subsystem did insufficient
validation of its inputs, allowing a malicious local reseller to corrupt
NVData files belonging to other users and read files outside of the NVData
subsystem. These flaws potentially allowed the reseller to change
ownership and permissions settings on arbitrary files.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.

Our GPG key is available at: http://go.cpanel.net/gnupgkeys (ABD94DDF)

The cPanel Security Team can be contacted at: security@cpanel.net

Posted in News, Release Announcements, Security

Security Advisory 2013-08-27

TSR-2013-0009 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.39.0.15 & Greater
* 11.38.2.6 & Greater
* 11.36.2.3 & Greater
* 11.34.2.4 & Greater
* 11.32.7.3 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 20 vulnerabilities in cPanel & WHM software versions 11.39, 11.38, 11.36, 11.34, and 11.32.

Additional information is scheduled for release on August 29th, 2013.

For information on cPanel & WHM Versions and the Release Process, read our documentation at:
http://go.cpanel.net/versionformat

For the PGP signed message, please go here.

Posted in News, Release Announcements, Security

Security Advisory 2013-08-26

SUMMARY

The PHP development team announces the immediate availability of PHP 5.4.19 and PHP 5.5.3. These releases fix a bug in the patch for CVE-2013-4248 in the OpenSSL module and a compile failure with ZTS enabled in PHP 5.4. All PHP users are encouraged to upgrade to either PHP 5.5.3 or PHP 5.4.19. cPanel has released EasyApache 3.22.7 with PHP 5.5.3 and 5.4.19 to address this issue.

AFFECTED VERSIONS

All versions of PHP5.5 before 5.5.3 and PHP5.4 before 5.4.19.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-4248 – MEDIUM

PHP 5.5.3

Fixed UMR (Uninitialized Memory Read) bug in the original fix for CVE-2013-4248.

PHP 5.4.19

Fixed UMR (Uninitialized Memory Read) bug in the original fix for CVE-2013-4248.

SOLUTION

cPanel, Inc. has released EasyApache 3.22.7 with updated versions of PHP5.4 and PHP5.5 to correct these issues. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run.

For the PGP signed message, please go here.

Posted in News, Security

Security Advisory 2013-08-21

SUMMARY

The PHP development team has announced the immediate availability of PHP 5.5.2. This release contains approximately 20 bug fixes, including a security issue in the OpenSSL module (CVE-2013-4248) and a session fixation problem (CVE-2011-4718). All users of PHP are encouraged to upgrade to this release. cPanel has released EasyApache 3.22.6 with PHP 5.5.2 to address this issue.

AFFECTED VERSIONS

All versions of PHP5 before 5.5.2

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings of these CVEs:

CVE-2011-4718 – MEDIUM
CVE-2013-4248 – MEDIUM

PHP 5.5.2

CVE-2011-4718: A session fixation vulnerability in the Sessions subsystem in PHP, before 5.5.2, allows remote attackers to hijack web sessions by specifying a session ID.

CVE-2013-4248: The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x (before 5.5.2) does not properly handle a null character in a domain name in the Subject Alternative Name field of an X.509 certificate. This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. This issue is related to CVE-2009-2408.

SOLUTION

cPanel, Inc. has released EasyApache 3.22.6 with an updated version of PHP5.5 to correct these issues. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4248
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4718
http://www.php.net/ChangeLog-5.php#5.5.2

For the PGP signed message, please go here.

Posted in News, Security

Security Advisory 2013-08-20

SUMMARY

The PHP development team announces the immediate availability of PHP 5.4.18. About 30 bugs were fixed, including security issues CVE-2013-4113 and CVE-2013-4248. All users of PHP are encouraged to upgrade to this release. cPanel has released EasyApache 3.22.5 with this updated version of PHP 5.4.18 to address this issue.

AFFECTED VERSIONS

All versions of PHP5 before 5.4.18

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity rating of these CVEs:
CVE-2013-4113 — MEDIUM
CVE-2013-4248 — MEDIUM

PHP 5.4.18

CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27 (also 5.4.x) does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.

CVE-2013-4248: The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a null character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
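
The failure mode behind CVE-2013-4248, described here and in the 2013-08-21 advisory above, shown as an added example rather than PHP's code: a length-aware reader and a NUL-terminated reader disagree about the same dNSName bytes, so a verifier should reject such a name instead of matching on either view. The function names and sample names are assumptions constructed for illustration, and matching is exact only (no wildcard handling).

```python
def as_c_string(raw: bytes) -> bytes:
    """What a NUL-terminated consumer sees: everything before the first 0x00."""
    return raw.split(b"\x00", 1)[0]


def check_dns_name(raw: bytes) -> dict:
    """Classify one dNSName value, given as the full bytes of its ASN.1 length."""
    problems = []
    if b"\x00" in raw:
        problems.append("embedded NUL")
    if any(b < 0x21 or b > 0x7E for b in raw if b != 0):
        problems.append("non-printable or non-ASCII byte")
    return {
        "full": raw,
        "c_string_view": as_c_string(raw),
        "views_differ": as_c_string(raw) != raw,
        "accept": not problems,
        "problems": problems,
    }


def hostname_matches(hostname: str, san_values: list) -> bool:
    """Match only against names that passed validation, comparing full length."""
    try:
        wanted = hostname.lower().encode("ascii")
    except UnicodeEncodeError:
        return False
    for raw in san_values:
        if not check_dns_name(raw)["accept"]:
            continue  # never fall back to the truncated view of a rejected name
        if raw.lower() == wanted:
            return True
    return False


# Constructed SAN values: one ordinary name and one carrying an embedded NUL.
SAMPLE_SANS = [
    b"shop.example.com",
    b"www.example.com\x00.untrusted.example",
]

if __name__ == "__main__":
    for san in SAMPLE_SANS:
        result = check_dns_name(san)
        print(result["full"], "->", result["c_string_view"],
              "accept" if result["accept"] else f"reject ({', '.join(result['problems'])})")
    print("www.example.com matches:", hostname_matches("www.example.com", SAMPLE_SANS))
```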

SOLUTION

cPanel, Inc. has released EasyApache 3.22.5 with an updated version of PHP5.4 to correct these issues. To update, please rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea).
Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4248
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4113
http://www.php.net/ChangeLog-5.php#5.4.18
http://php.net/archive/2013.php#id2013-08-15-1

For the PGP signed message, please go here.

Posted in News, Security

Impending EOL, 11.32

cPanel & WHM 11.32 reaches End of Life in August, 2013. That means there is less than one month left in the life cycle.

In accordance with our End of Life Policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], cPanel & WHM 11.32 will continue functioning on servers after reaching End of Life. No further updates, including security fixes, or installations will be provided for 11.32 after the end of life date.

cPanel & WHM 11.32 is the last version to support the following:

* CentOS 4
* RHEL 4
* MySQL 4.0
* MySQL 4.1

All customers currently using cPanel & WHM 11.32 are advised to begin planning the upgrade to cPanel & WHM 11.36 (EOL Date: March 2014). If you desire assistance with your migration plans, please contact our technical support team at https://tickets.cpanel.net/submit/. Our professional staff will help with recommendations, migration assistance and more.

For the PGP signed message, please go here.

Posted in News

Security Advisory 2013-07-23

SUMMARY

The Apache HTTPD Server Project has released httpd-2.2.25 and httpd-2.4.6 to correct multiple vulnerabilities that were issued CVEs.

Apache HTTP Server 2.2.25

CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML)
pointing to a URI that is not configured for DAV will trigger a segfault.

CVE-2013-1862 mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.
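
The mitigation named for CVE-2013-1862, escaping client data before it reaches a log, as an added example that is not Apache's implementation: one function escapes control bytes the way a log writer should, and one flags lines in an existing log that still hold raw control bytes. The `\xHH` output form, the function names and the sample log lines are assumptions constructed for illustration.

```python
def escape_for_log(data: bytes) -> str:
    """Render untrusted bytes so that only printable ASCII reaches the log."""
    out = []
    for b in data:
        if b == 0x5C:
            out.append("\\\\")          # escape the escape character itself
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")   # ESC, CR, LF, NUL, high bytes, ...
    return "".join(out)


def find_raw_control_bytes(log_bytes: bytes) -> list:
    """Return (line number, offending byte values) for lines with raw control bytes."""
    findings = []
    for lineno, line in enumerate(log_bytes.split(b"\n"), start=1):
        bad = sorted({b for b in line if (b < 0x20 and b != 0x09) or b == 0x7F})
        if bad:
            findings.append((lineno, [f"0x{b:02x}" for b in bad]))
    return findings


# Constructed sample: a request path carrying terminal escape sequences.
SAMPLE_URI = b"/index.html\x1b[2J\x1b[1;1H"

# Constructed log: a clean line, a line written without escaping, and the
# same request written through escape_for_log().
SAMPLE_LOG = b"\n".join([
    b"rewrite: requested uri /index.html",
    b"rewrite: requested uri " + SAMPLE_URI,
    b"rewrite: requested uri " + escape_for_log(SAMPLE_URI).encode("ascii"),
]) + b"\n"

if __name__ == "__main__":
    print(escape_for_log(SAMPLE_URI))
    for lineno, values in find_raw_control_bytes(SAMPLE_LOG):
        print(f"line {lineno}: raw control bytes {', '.join(values)}")
```

Viewing a suspect log through a tool that renders control bytes visibly, rather than writing it straight to a terminal, avoids triggering the sequences the scan is looking for.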

AFFECTED VERSIONS

All versions of Apache 2.2 before 2.2.25.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-1896 – MEDIUM
CVE-2013-1862 – MEDIUM

Apache HTTP Server 2.4.6

CVE-2013-2249 mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session
without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML)
pointing to a URI that is not configured for DAV will trigger a segfault.

AFFECTED VERSIONS

All versions of Apache 2.4 before 2.4.6.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-2249 – HIGH
CVE-2013-1896 – MEDIUM

SOLUTION

cPanel, Inc. has released EasyApache 3.20.6 with updated versions of Apache 2.2 and 2.4 to correct these issues. To update, please rebuild your EasyApache
profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea).

Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that
EasyApache updates must be done manually.

REFERENCES

CVE-2013-1862 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1862)
CVE-2013-2249 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2249)
CVE-2013-1896 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1896)

Apache 2.2.25 Announcement (http://www.apache.org/dist/httpd/Announcement2.2.html)
Apache 2.4.6 Announcement (http://www.apache.org/dist/httpd/Announcement2.4.html)

For the PGP Signed message, please go here.

Posted in News, Security