IMPORTANT: cPanel Security Notice 2013-06-03

SUMMARY

The Apache mod_rewrite module fails to sanitize input, which may lead to arbitrary command execution in some circumstances.

SECURITY RATING

The cPanel Security Team has rated this update as having critical security impact. Information on security ratings is available at: http://go.cpanel.net/securitylevels.

You are strongly encouraged to run EasyApache and update your Apache installation at your earliest convenience.

DETAIL

From CVE-2013-1862: "It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user."

AFFECTED VERSIONS

All versions of Apache 2.2 and 2.4.

SOLUTION

cPanel, Inc has released EasyApache 3.18.16 to correct this issue. To update, rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea).

RELEASES

EasyApache v3.18.16 addresses all known vulnerabilities. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

REFERENCES

* CVE-2013-1862 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862)
* CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)
* RHSA-2013:0815 (http://rhn.redhat.com/errata/RHSA-2013-0815.html)
* Apache Patch: http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch
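
The condition quoted under DETAIL can be checked for in a log that was written before the update. The Python script below is an added example, not part of the cPanel notice or the Apache patch: it flags log lines that contain control bytes and renders them with every non-printable byte escaped, so the log can be reviewed without the terminal interpreting its contents. The sample lines are constructed and only approximate the layout of a RewriteLog entry.

```python
import re

# C0 control bytes (tab excluded) and DEL: a terminal emulator may act on
# these instead of displaying them. Newline is the line separator here.
CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def escape_line(raw: bytes) -> str:
    """Render a log line using printable ASCII (and tab) only."""
    out = []
    for b in raw:
        if b == 0x5C:                      # backslash: double it so the
            out.append("\\\\")             # escaped output stays unambiguous
        elif 0x20 <= b <= 0x7E or b == 0x09:
            out.append(chr(b))
        else:                              # control and 8-bit bytes
            out.append(f"\\x{b:02x}")
    return "".join(out)


def scan(log: bytes):
    """Return (line_number, escaped_line) for lines holding control bytes."""
    hits = []
    for n, line in enumerate(log.split(b"\n"), start=1):
        if CONTROL.search(line):
            hits.append((n, escape_line(line)))
    return hits


# Constructed sample: line 2 carries a harmless colour sequence (ESC [ 31 m)
# standing in for attacker-supplied escape sequences in the request URI.
SAMPLE_LOG = (
    b"192.0.2.10 - - [03/Jun/2013:10:15:42 +0000] (2) init rewrite engine "
    b"with requested uri /index.html\n"
    b"192.0.2.77 - - [03/Jun/2013:10:15:43 +0000] (2) init rewrite engine "
    b"with requested uri /a\x1b[31mb\n"
)

if __name__ == "__main__":
    for lineno, text in scan(SAMPLE_LOG):
        print(f"line {lineno}: {text}")
```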