cPanel Security Team: Heartbleed Vulnerability
Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.
This vulnerability allows an attacker to read 64 kilobyte chunks of memory from servers and clients that connect using SSL, through a flaw in OpenSSL’s implementation of the heartbeat extension.
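The affected range above (1.0.1 through 1.0.1f) can be checked against the string `openssl version` prints. The shell function below is an added example, not cPanel code; the sample version strings in the usage are constructed. It only classifies the upstream version letter, so on distributions that backport the fix without changing the version (a patched 1.0.1e package, for instance) it reports a false positive, and the package changelog is the authoritative check there.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string against the
# Heartbleed-affected range 1.0.1 .. 1.0.1f (upstream numbering only).
#
# Returns 0 (true) when the version is in the affected range, 1 otherwise.
# $1 is the full output of `openssl version`,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" (constructed sample).
openssl_version_affected() {
    # second whitespace-separated field is the version token
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1 .. 1.0.1f, with or without a -fips style suffix
        *) return 1 ;;
    esac
}

# Convenience wrapper for the local binary: prints a verdict and returns
# the same status as openssl_version_affected. Not run at load time.
check_local_openssl() {
    line=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    if openssl_version_affected "$line"; then
        echo "AFFECTED by version string: $line (verify distro backports before concluding)"
        return 0
    fi
    echo "not in 1.0.1-1.0.1f range: $line"
    return 1
}
```

A version-string verdict is a starting point only; the real test is whether the installed package carries the CVE-2014-0160 fix, and after patching, services that loaded the old library still need to be restarted.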
cPanel, Inc. has released EasyApache 3.24.15 with FCGI version 2.3.9 and PHP versions 5.5.10 and 5.4.27. This release addresses the FCGI vulnerability CVE-2013-4365 with fixes to a possible heap buffer overwrite issue, and the PHP vulnerability CVE-2013-7345 with fixes to bugs in the fileinfo module. We encourage all FCGI users to upgrade to FCGI version 2.3.9, and all PHP users to upgrade to PHP version 5.5.11 or PHP version 5.4.27.
The end of Microsoft® FrontPage® Extensions installations on cPanel & WHM servers is quickly approaching. FrontPage support has already been removed in EasyApache version 3.24.1 and up and cPanel & WHM will be FrontPage-free by version 11.46, which is currently slated for a Fall 2014 release.
cPanel & WHM version 11.44 (scheduled for a Summer 2014 release) will introduce an easy way to remove FrontPage, in preparation for our discontinued support. In WHM’s Uninstall FrontPage Extensions interface (Home >> FrontPage >> Uninstall FrontPage Extensions), an Uninstall FrontPage For All Users option will allow customers to remove FrontPage from all user accounts and their server simultaneously. After implementing this new option, related features will no longer be available, the server will ignore related settings and, most importantly, customers will not be able to reactivate FrontPage.
FrontPage support will be discontinued entirely in cPanel & WHM version 11.46. System administrators will not be able to upgrade servers to 11.46 until FrontPage has been removed.
cPanel, Inc. has released EasyApache 3.24.14 with Apache version 2.2.27. This release addresses Apache vulnerabilities CVE-2014-0098 and CVE-2013-6438 by fixing bugs in the mod_log_config and mod_dav modules. We encourage all Apache users to upgrade to Apache version 2.2.27.
Sensitive information disclosed via multiple log files.
cPanel has assigned a Security Level of Moderate to this vulnerability.
Several log files on cPanel & WHM systems were created with default world-readable permissions. These log files include both sensitive internal data such as stack traces and less sensitive information about the existence of other accounts and domains on the system.
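The class of issue described here (log files created world-readable) is straightforward to audit locally. The shell functions below are an added example and not cPanel's fix; the directory path is a parameter, and the sample files in the usage are constructed in a temporary directory. The scan uses only POSIX `find` so it runs the same on GNU and BSD systems.

```shell
#!/bin/sh
# Added example: audit a log directory for files readable by "other",
# and optionally strip that bit. Nothing here is cPanel's own tooling.

# Print every regular file under $1 whose mode grants read to "other"
# (the o+r bit). Output is one path per line; empty output means clean.
list_world_readable() {
    find "$1" -type f -perm -o=r
}

# Count such files; usable as a pass/fail metric in a cron check.
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# Remove the "other" read bit from every offending file under $1.
# Only the o+r bit is touched, so owner/group access is preserved.
fix_world_readable() {
    find "$1" -type f -perm -o=r -exec chmod o-r {} +
}

# Directories matter too: a world-searchable directory lets anyone confirm
# that a file (or account name) exists even when the file itself is private.
list_world_searchable_dirs() {
    find "$1" -type d -perm -o=x
}
```

Before running `fix_world_readable` on a real server, confirm which user each consumer of the logs runs as (a log shipper or a per-account process may have relied on the world-readable mode) and grant that access through group ownership rather than leaving the file open to every local user.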
This issue was discovered by Rack911.
This issue is resolved in the following builds:
cPanel & WHM software version 11.38 will reach End of Life at the end of April 2014.
In accordance with our EOL policy [http://go.cpanel.net/longtermsupport], 11.38 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.38 once it reaches its EOL date.
We recommend that all customers migrate any existing installations of cPanel & WHM 11.38 to a newer version (either 11.40 or 11.42).
If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at http://go.cpanel.net/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.
Based on customer feedback, cPanel is extending the time frame between our initial announcement of a Targeted Security Release (TSR) and the disclosure of full details about the contents of the TSR to one week.
This change will apply to TSR-2014-0003 and all future cPanel TSRs.
Full details about the contents of TSR-2014-0003 will be released on 31 March 2014.
For the PGP-signed message, see: TSR-2014-0003-Delay.
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having security impact levels ranging from Minor to Critical.
Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
cPanel, Inc. has released EasyApache 3.24.13 with Apache version 2.4.9. This release addresses Apache vulnerabilities CVE-2014-0098 and CVE-2013-6438 by fixing bugs in the mod_log_config and mod_dav modules. We encourage all Apache users to upgrade to Apache version 2.4.9.