Heartbleed Vulnerability Information

cPanel Security Team: Heartbleed Vulnerability

Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.

This vulnerability allows an attacker to read 64 kilobyte chunks of memory from servers and clients that connect using SSL, through a flaw in OpenSSL’s implementation of the heartbeat extension.

What does this mean for cPanel servers?

cPanel & WHM does not provide any copies of the OpenSSL library. The daemons and applications shipped with cPanel & WHM link to the version of OpenSSL provided by the core operating system. RedHat 6, CentOS 6, and CloudLinux 6 provided vulnerable versions of OpenSSL 1.0.1. All three distros have published patched versions of their OpenSSL 1.0.1 RPMs to their mirrors. To update any affected servers, run “yum update” to install the patched version of OpenSSL and restart all SSL-enabled services or reboot the system.

You can ensure you are updated by running the following command:

# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

You should see the information noting the fix to CVE-2014-0160.
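The changelog check confirms the patched RPM is installed, but a daemon started before the update keeps the old library mapped until it is restarted. The following added example (not cPanel's code; the function names are hypothetical) checks a changelog for the fix and lists processes that still map a libssl or libcrypto file that has since been replaced on disk, which Linux marks as "(deleted)" in /proc/PID/maps.

```shell
#!/bin/bash
# Added example, not part of the original advisory: post-update Heartbleed checks.

# Succeeds if the RPM changelog read from stdin records the CVE-2014-0160 fix.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Prints "PID NAME" for each process under the proc root $1 (default /proc)
# that still maps an OpenSSL library file removed from disk. Such a process
# was started before the RPM was replaced and is still running the old code.
stale_ssl_procs() {
    local root="${1:-/proc}" maps pid name
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Match libssl.so.* / libcrypto.so.* only; NSS's libssl3.so is not OpenSSL.
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps"; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            name="$(awk '/^Name:/{print $2; exit}' "$root/$pid/status" 2>/dev/null || true)"
            printf '%s %s\n' "$pid" "${name:-?}"
        fi
    done
}

# Run as root with --check to test the live system.
if [ "${1:-}" = "--check" ]; then
    rpm -q --changelog openssl | changelog_has_fix \
        || echo "openssl RPM changelog does not list the CVE-2014-0160 fix"
    stale_ssl_procs /proc
fi
```

Any process listed must be restarted (or the system rebooted) before the update takes effect for that service.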

RHEL/CentOS 5 servers, which are using the OpenSSL 0.9.8 RPM included in the official OS repositories, are not vulnerable to the Heartbleed issue since they are using an older version of OpenSSL that never contained this vulnerability.

What steps do I need to take as an Admin/root of our servers running cPanel & WHM?

Once the RPM of OpenSSL has been updated you should reset all certificates via the Manage Service SSL Certificates interface in WHM.

Home » Service Configuration » Manage Service SSL Certificates

You will need to click the ‘Reset Certificate’ link for each service: FTP, Exim, cPanel/WHM/Webmail Service, and Dovecot or Courier Mail Server.

You should also check the SSL certificates in the Manage SSL Hosts interface of WHM.

Home » SSL/TLS » Manage SSL Hosts

Many Certificate Authorities are helping their customers regenerate SSL certificates at no cost. This may vary and your Certificate Authority should be contacted prior to any actions to ensure the proper procedures are followed.

Do we need to reset our passwords and regenerate our private and public keys on the server?

Due to the nature of the vulnerability, it is impossible to know what other information, including private keys, passwords, and session IDs, has been compromised. The attack occurs before a full connection to your server has been made, leaving no indications in any logs that an attack has occurred. It is recommended that you regenerate all SSH keys and reset all passwords across the server.

Is EasyApache susceptible to the Heartbleed vulnerability?

No. As long as you complete the above steps, software that is built with EasyApache is not susceptible to the Heartbleed vulnerability.


EasyApache 3.24.15 Released

cPanel, Inc. has released EasyApache 3.24.15 with FCGI version 2.3.9 and PHP versions 5.5.10 and 5.4.27. This release addresses the FCGI vulnerability CVE-2013-4365 with fixes to a possible heap buffer overwrite issue, and the PHP vulnerability CVE-2013-7345 with fixes to bugs in the fileinfo module. We encourage all FCGI users to upgrade to FCGI version 2.3.9, and all PHP users to upgrade to PHP version 5.5.11 or PHP version 5.4.27.


End of the Road for FrontPage Installations: What to Expect

The end of Microsoft® FrontPage® Extensions installations on cPanel & WHM servers is quickly approaching. FrontPage support has already been removed in EasyApache version 3.24.1 and up, and cPanel & WHM will be FrontPage-free by version 11.46, which is currently slated for a Fall 2014 release.

cPanel & WHM version 11.44 (scheduled for a Summer 2014 release) will introduce an easy way to remove FrontPage, in preparation for our discontinued support. In WHM’s Uninstall FrontPage Extensions interface (Home >> FrontPage >> Uninstall FrontPage Extensions), an Uninstall FrontPage For All Users option will allow customers to remove FrontPage from all user accounts and their server simultaneously. After implementing this new option, related features will no longer be available, the server will ignore related settings and, most importantly, customers will not be able to reactivate FrontPage.

FrontPage support will be discontinued entirely in cPanel & WHM version 11.46. System administrators will not be able to upgrade servers to 11.46 until FrontPage has been removed.


EasyApache 3.24.14 Released

cPanel, Inc. has released EasyApache 3.24.14 with Apache version 2.2.27. This release addresses Apache vulnerabilities CVE-2014-0098 and CVE-2013-6438, by fixing bugs in the mod_log_config and mod_dav modules. We encourage all Apache users to upgrade to Apache version 2.2.27.


cPanel TSR 2014-0003 Full Disclosure

Case 85329


Sensitive information disclosed via multiple log files.

Security Rating

cPanel has assigned a Security Level of Moderate to this vulnerability.


Several log files on cPanel & WHM systems were created with default world-readable permissions. These log files include both sensitive internal data such as stack traces and less sensitive information about the existence of other accounts and domains on the system.


This issue was discovered by Rack911.


This issue is resolved in the following builds:

Continue reading


11.38 EOL, 1 Month Notice

cPanel & WHM software version 11.38 will reach End of Life at the end of April 2014.

In accordance with our EOL policy [http://go.cpanel.net/longtermsupport], 11.38 will continue functioning on servers after reaching EOL. However, no further updates, such as security fixes and installations, will be provided for 11.38 once it reaches its EOL date.

We recommend that all customers migrate any existing installations of cPanel & WHM 11.38 to a newer version (either 11.40 or 11.42).

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at http://go.cpanel.net/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

About cPanel, Inc.
Since 1997, cPanel, Inc. has been a leading innovator and developer of control panel software for the web hosting industry. cPanel builds software that allows web host professionals to transform standalone servers into fully automated, point-and-click web hosting platforms. cPanel-licensed software allows server and website owners, along with resellers and developers, to optimize their technical resources and replace tedious shell-oriented tasks with dynamic, intuitive web-based interfaces. For more information, visit http://cpanel.net.

For the PGP-signed message, see 11.38 30 day notice-signed.


cPanel TSR-2014-0003 Notice of Delay in Disclosure

Based on customer feedback, cPanel is extending the time frame between our initial announcement of a Targeted Security Release (TSR) and the disclosure of full details about the contents of the TSR to one week.

This change will apply to TSR-2014-0003 and all future cPanel TSRs.

Full details about the contents of TSR-2014-0003 will be released on 31 March 2014.

For the PGP-signed message, see: TSR-2014-0003-Delay.


cPanel TSR-2014-0003 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Critical.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.


EasyApache 3.24.13 Released

cPanel, Inc. has released EasyApache 3.24.13 with Apache version 2.4.9. This release addresses Apache vulnerabilities CVE-2014-0098 and CVE-2013-6438, by fixing bugs in the mod_log_config and mod_dav modules. We encourage all Apache users to upgrade to Apache version 2.4.9.


11.42 Now in STABLE Tier

Houston, TX -

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.42, which is now available in the STABLE tier.

cPanel & WHM version 11.42 offers a brand new theme, an upgrade to Horde Groupware Webmail, and more.

Paper Lantern Theme
As part of 11.42, cPanel & WHM introduces Paper Lantern, a modern, powerful theme. With its simplified design, beautiful icon set, and thoughtful feature names, this edition of Paper Lantern is only the beginning.

Horde Groupware Webmail Upgrade
cPanel & WHM now uses Horde Groupware Webmail Edition 5.1. This upgrade provides a simple webmail application for all users, regardless of experience level.

Detailed information on all cPanel & WHM version 11.42 features can be found at https://documentation.cpanel.net.* An overview of the latest features and benefits is also available at http://releases.cpanel.net.

To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list here: http://cpanel.net/mailing-lists.

*Please note the updated URL for cPanel & WHM Documentation.
