
cPanel advisories/updates


46 replies to this topic

#16 AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 07 August 2014 - 09:55 AM

FYI...

cPanel TSR-2014-0006
- http://cpanel.net/cp...-tsr-2014-0006/
Aug 4, 2014 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels of Moderate.
Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
* 11.44.1.11 & Greater
* 11.42.1.25 & Greater
* 11.40.1.20 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at
- http://httpupdate.cpanel.net
___

cPanel TSR-2014-0006 Full Disclosure
- http://cpanel.net/cp...ull-disclosure/
Aug 11, 2014 - "Summary: Bypass of account suspension via mod_userdir.
Security Rating: cPanel has assigned a Security Level of Moderate to this vulnerability.
Description: The fix for case 101677 in TSR-2014-0005 introduced a regression in account suspensions that allowed the web content of a suspended account to be viewed normally via Apache userdir style URLs. This has been corrected so that both NameVirtualHost and userdir access to the suspended account’s web content is blocked...
This issue is resolved in the following builds:
11.44.1.11
11.42.1.25
11.40.1.20 ..."
 

:ph34r:


Edited by AplusWebMaster, 11 August 2014 - 03:37 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
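The regression described in that post is a reminder that a suspension has to hold on every path Apache can serve an account from, not only on its name-based virtual host. The following is an added example, not cPanel's code: a check that asks for a suspended account's content the three ways Apache exposes it (vhost, ~user under the account's hostname, ~user by server IP) and reports which ones still answer with the real site. The `fetch` callable is injected so the check runs offline against the constructed `FakeApache` below; on a live server you would pass a function that performs a real HTTP GET with the given Host header. Account names, domains and the IP address are made up.

```python
"""
Added example, not cPanel's code: check that a suspended account's web
content is blocked on every path Apache can serve it from, not only on its
name-based virtual host. The two mod_userdir paths are the ones the
TSR-2014-0006 regression left open.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# fetch(url, host_header) -> (status, body)
Fetch = Callable[[str, str], Tuple[int, str]]

# cPanel's suspension page contains "This Account Has Been Suspended".
SUSPENDED_MARKER = "suspended"


@dataclass(frozen=True)
class Account:
    user: str
    domain: str


def access_paths(acct: Account, server_ip: str) -> List[Tuple[str, str]]:
    """All the ways Apache can be asked for this account's document root."""
    return [
        # 1. name-based vhost: the Host header selects the account's vhost
        (f"http://{acct.domain}/", acct.domain),
        # 2. mod_userdir under the account's own hostname
        (f"http://{acct.domain}/~{acct.user}/", acct.domain),
        # 3. mod_userdir by server IP: the Host header matches no vhost at all
        (f"http://{server_ip}/~{acct.user}/", server_ip),
    ]


def leaked_paths(acct: Account, server_ip: str, fetch: Fetch) -> List[str]:
    """URLs on which a suspended account still serves its real content."""
    leaks = []
    for url, host in access_paths(acct, server_ip):
        status, body = fetch(url, host)
        if status == 200 and SUSPENDED_MARKER not in body.lower():
            leaks.append(url)
    return leaks


def audit(accounts: Dict[str, Account], suspended: Set[str],
          server_ip: str, fetch: Fetch) -> Dict[str, List[str]]:
    """Map each suspended account to the URLs that still leak its content."""
    result = {}
    for user in sorted(suspended):
        leaks = leaked_paths(accounts[user], server_ip, fetch)
        if leaks:
            result[user] = leaks
    return result


class FakeApache:
    """Constructed stand-in for a cPanel Apache with vhosts plus mod_userdir.

    userdir_checks_suspension=False reproduces the regressed behaviour: only
    the vhost honoured the suspension, ~user URLs served the content anyway.
    """

    def __init__(self, accounts: Dict[str, Account], suspended: Set[str],
                 userdir_checks_suspension: bool):
        self.by_user = accounts
        self.by_domain = {a.domain: a for a in accounts.values()}
        self.suspended = suspended
        self.userdir_checks_suspension = userdir_checks_suspension

    def fetch(self, url: str, host: str) -> Tuple[int, str]:
        path = url.split("/", 3)[3]          # everything after "http://host/"
        if path.startswith("~"):             # mod_userdir request
            user = path[1:].split("/", 1)[0]
            acct = self.by_user.get(user)
            if acct is None:
                return 404, "Not Found"
            if self.userdir_checks_suspension and user in self.suspended:
                return 403, "This Account Has Been Suspended"
            return 200, f"<h1>{acct.domain} home page</h1>"
        acct = self.by_domain.get(host)      # name-based vhost request
        if acct is None:
            return 404, "Not Found"
        if acct.user in self.suspended:
            return 200, "This Account Has Been Suspended"
        return 200, f"<h1>{acct.domain} home page</h1>"


# Constructed sample data for offline use.
ACCOUNTS = {"alice": Account("alice", "alice.example"),
            "bob": Account("bob", "bob.example")}
SERVER_IP = "203.0.113.10"
```

Run `audit(ACCOUNTS, {"alice"}, SERVER_IP, FakeApache(ACCOUNTS, {"alice"}, False).fetch)` to see the two ~user URLs reported; with the userdir check enabled the result is empty. Against a real server, the same audit after an upgrade is the regression test the post implies.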



#17 AplusWebMaster

Posted 18 March 2015 - 07:50 AM

FYI...

cPanel 11.44.3.1, 11.46.3.1, 11.48.1.3 released
- http://cpanel.net/cp...2-announcement/
March 16, 2015
"... The following cPanel & WHM versions address all known vulnerabilities:
* 11.48.1.3 & Greater
* 11.46.3.1 & Greater
* 11.44.3.1 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
- http://httpupdate.cpanel.net
... The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 14 vulnerabilities in cPanel & WHM software versions 11.48, 11.46, and 11.44. Additional information is scheduled for release on March 17th, 2015."

Change Log
- https://documentatio...1.48 Change Log
Mar 17, 2015
- https://documentatio...1.46 Change Log

- https://documentatio...1.44 Change Log

- https://secunia.com/advisories/63468/
2015-03-17
... Some vulnerabilities with an unknown impact have been reported in cPanel.
The vulnerabilities are caused due to an unspecified error. No further information is currently available.
The vulnerabilities are reported in versions prior to 11.44.3.1, 11.46.3.1, and 11.48.1.3.
Solution:
Update to version 11.44.3.1, 11.46.3.1, or 11.48.1.3.
Original Advisory:
TSR-2015-0002: http://cpanel.net/cp...2-announcement/
 

:ph34r:


Edited by AplusWebMaster, 18 March 2015 - 07:20 PM.



#18 AplusWebMaster

Posted 19 May 2015 - 05:57 AM

FYI...

cPanel TSR-2015-0003 Announcement
- http://news.cpanel.c...3-announcement/
May 18, 2015 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 4.0.
Information on cPanel’s security ratings is available at:
- http://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience...
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
11.48.4.4 & Greater
11.46.3.6 & Greater
11.44.3.5 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:

- http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time... Additional information is scheduled for release on May 19th, 2015."

- http://news.cpanel.c...nnouncement.txt
___

cPanel TSR-2015-0003 Full Disclosure
- http://news.cpanel.c...ull-disclosure/
May 19, 2015 - "... Summary: Access restrictions on mail routing information not properly enforced..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 19 May 2015 - 03:40 PM.



#19 AplusWebMaster

Posted 06 July 2015 - 12:24 PM

FYI...

cPanel 11.50 released
- http://news.cpanel.c...n-release-tier/
June 15, 2015

Change Log: https://documentatio...1.50 Change Log
... last modified on Jun 29, 2015

For cPanel & WHM version 11.50
> https://documentatio...tallation Guide

- https://documentatio...?pageId=1507796
last modified Jul 02, 2015

> http://httpupdate.cpanel.net/
 

:ph34r: :ph34r: ... Late.


Edited by AplusWebMaster, 06 July 2015 - 12:31 PM.



#20 AplusWebMaster

Posted 27 July 2015 - 06:45 AM

FYI...

cPanel TSR-2015-0004
- http://news.cpanel.c...4-announcement/
July 20, 2015 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system... If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations..."

> http://news.cpanel.c...sclosure-delay/
July 21, 2015 - "Due to networking problems with cPanel’s mirrors, many cPanel & WHM systems did not auto-update for TSR-2015-0004. cPanel is delaying the release of vulnerability details for an additional 24 hours to allow these systems time to update..."

- http://news.cpanel.c...ull-disclosure/
July 22, 2015 - "Summary: Feature requirements not enforced correctly by adminbins...
Description: Several adminbin scripts did not properly verify the features enabled for the cPanel account running the adminbin script. This allowed cPanel users to perform some configuration functions that were disabled for the account...
Solution: This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8...

> http://news.cpanel.c...egory/security/
 

:ph34r: :ph34r:


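The adminbin issue in that disclosure is the classic privileged-helper mistake: a root-running helper performs an action for an unprivileged account without checking, from state the caller cannot influence, whether that account is allowed to ask for it. The following is an added example, not cPanel's code, that models such a helper with the flawed and the corrected check side by side. The feature names, actions, sample accounts and the uid-to-user resolver are assumptions for illustration; the point is that identity comes from the kernel-reported uid and policy from root-owned state, never from anything the caller passes in.

```python
"""
Added example, not cPanel's code: a minimal model of an "adminbin"-style
privileged helper. The helper runs as root on behalf of an unprivileged
account, so it must check the account's feature list itself before acting;
the TSR-2015-0004 bug was that several helpers skipped that check.
"""
import pwd
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


class AdminbinError(PermissionError):
    """Raised instead of performing a privileged action the caller may not use."""


# Trusted state the root-owned helper reads for itself (constructed sample;
# on a real host this comes from root-owned configuration, never from argv).
USER_FEATURE_LIST: Dict[str, str] = {"alice": "default", "bob": "restricted"}
FEATURE_LISTS: Dict[str, Dict[str, bool]] = {
    "default":    {"cron": True,  "ssl": True,  "mysql": True},
    "restricted": {"cron": False, "ssl": False, "mysql": True},
}
# Each privileged action names the feature that must be enabled to use it
# (hypothetical action and feature names).
ACTION_FEATURE: Dict[str, str] = {
    "add_cronjob": "cron", "install_cert": "ssl", "create_db": "mysql",
}


@dataclass
class Request:
    action: str
    # Reported by the kernel (getuid / SO_PEERCRED), not chosen by the caller.
    caller_uid: int
    # Caller-supplied claims about its own features: must be ignored entirely.
    claimed_features: Dict[str, bool] = field(default_factory=dict)


def feature_enabled(user: Optional[str], feature: str) -> bool:
    """Deny by default: unknown user, unknown list or unlisted feature is False."""
    if user is None:
        return False
    list_name = USER_FEATURE_LIST.get(user)
    if list_name is None:
        return False
    return FEATURE_LISTS.get(list_name, {}).get(feature, False)


def perform(action: str) -> str:
    """Stand-in for the privileged work (cron edit, certificate install, ...)."""
    return f"performed {action} as root"


def vulnerable_adminbin(req: Request, user_of_uid: Callable[[int], Optional[str]]) -> str:
    # BUG (the class fixed in TSR-2015-0004): the action's feature requirement
    # is never compared with the caller's real feature list, so an account
    # whose "cron" feature is disabled can still add cron jobs via the helper.
    if req.action not in ACTION_FEATURE:
        raise AdminbinError(f"unknown action {req.action!r}")
    return perform(req.action)


def hardened_adminbin(req: Request, user_of_uid: Callable[[int], Optional[str]]) -> str:
    feature = ACTION_FEATURE.get(req.action)
    if feature is None:
        raise AdminbinError(f"unknown action {req.action!r}")
    user = user_of_uid(req.caller_uid)       # identity: kernel-reported uid
    if not feature_enabled(user, feature):   # policy: root-owned feature list
        raise AdminbinError(f"feature {feature!r} is disabled for {user!r}")
    return perform(req.action)


def system_user_of_uid(uid: int) -> Optional[str]:
    """Resolver for a live system; tests inject a table instead."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None
```

Note that `claimed_features` is never read by the hardened helper: an account that says "cron: True" about itself is still refused when its real feature list says otherwise, and an unknown uid or unknown action is refused rather than passed through.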


#21 AplusWebMaster

Posted 21 September 2015 - 05:18 PM

FYI...

cPanel TSR-2015-0005
- http://news.cpanel.c...nnouncement.txt
Sep 21, 2015 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 6.0.
Information on cPanel's security ratings is available at:
- http://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES:
The following cPanel & WHM versions address all known vulnerabilities:
    11.50.1.3 & Greater
    11.50.0.31 & Greater
    11.48.4.7 & Greater
    11.46.3.9 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
- http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION:
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses eight vulnerabilities in cPanel & WHM software versions 11.50, 11.48, and 11.46.
Additional information is scheduled for release on September 22, 2015..."
___

cPanel TSR-2015-0005 Full Disclosure
- http://news.cpanel.c...ull-disclosure/
Sep 22, 2015

Summary: Open redirect via /unprotected/redirect.html.
 

:ph34r:


Edited by AplusWebMaster, 22 September 2015 - 08:59 PM.

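The open redirect in that disclosure is worth a concrete illustration of what "validated" has to mean for a redirect target. The following is an added example, not cPanel's code: a validator for the `url` parameter of a redirect endpoint like the one named above, written to reject the usual bypasses (scheme-relative `//host`, backslash variants, `https:host` without a netloc, userinfo tricks, non-https schemes, header injection through CR/LF) while allowing same-site paths and absolute URLs to an allowlisted host. `ALLOWED_HOSTS` and the inputs in the usage note are assumptions.

```python
"""
Added example, not cPanel's code: the validation a redirect endpoint such as
/unprotected/redirect.html needs before echoing a caller-supplied target in
a Location header. Without it a trusted hostname becomes a phishing hop:
https://good.example/redirect?url=https://evil.example looks like
good.example to the victim until the browser has already followed it.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"cpanel.example", "whm.cpanel.example"}   # assumption


def safe_redirect_target(raw, default: str = "/") -> str:
    """Return `raw` when it is a same-site absolute path or an https URL to
    an allowed host; otherwise return `default`. Never raises on bad input."""
    if raw is None:
        return default
    raw = raw.strip()
    # CR/LF and other control characters are header-injection material;
    # backslashes are what some browsers read as slashes ("/\evil.example").
    if not raw or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw) or "\\" in raw:
        return default
    parts = urlsplit(raw)
    if not parts.scheme and not parts.netloc:
        # Relative target. "/path" stays on this host; "//evil.example" is a
        # scheme-relative URL to another host and must be rejected.
        return raw if raw.startswith("/") and not raw.startswith("//") else default
    if parts.scheme.lower() != "https":
        return default          # http:, javascript:, data:, ftp: ...
    try:
        host, port = parts.hostname, parts.port   # .port raises on "host:abc"
    except ValueError:
        return default
    if host not in ALLOWED_HOSTS:
        # Also rejects "https:evil.example" (no host at all) and
        # "https://cpanel.example@evil.example/" (userinfo before the real host).
        return default
    netloc = host if port is None else f"{host}:{port}"
    # Rebuild from parsed parts: drops userinfo and fragment, lower-cases host.
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))
```

Typical results: `/frontend/index.html` is returned unchanged, `//evil.example/`, `https://evil.example/`, `https:evil.example`, `javascript:alert(1)` and `https://cpanel.example@evil.example/` all collapse to `/`, and `https://CPANEL.EXAMPLE:2083/login/?x=1#frag` comes back normalised as `https://cpanel.example:2083/login/?x=1`. Returning the fallback rather than raising keeps the endpoint from turning a bad parameter into an error page that itself leaks something.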


#22 AplusWebMaster

Posted 06 October 2015 - 02:38 PM

FYI...

Notice: 11.46 to EOL in 1 Month
- http://news.cpanel.c...eol-in-1-month/
Oct 6, 2015 - "cPanel & WHM 11.46 is set to reach End of Life at the end of October 2015.
In accordance with our EOL policy http://go.cpanel.net/longtermsupport, 11.46 will continue functioning on servers. However, no further updates, such as security fixes and installations, will be provided for 11.46 after it reaches EOL. We recommend that all customers migrate any existing installations of cPanel & WHM 11.46 to a newer version (either 11.48 or 11.50)..."

> https://documentatio...sesofcPanel
Version    Released        EOL
11.46      October 2014    October 2015

Change Logs:
- https://documentatio...ALD/Change Logs
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 07 October 2015 - 11:41 AM.



#23 AplusWebMaster

Posted 17 November 2015 - 07:12 AM

FYI...

cPanel TSR-2015-0006
- http://news.cpanel.c...6-announcement/
Nov 16, 2015 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system... If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES:
The following cPanel & WHM versions address all known vulnerabilities:
11.52.1.1 & Greater
11.52.0.23 & Greater
11.50.3.1 & Greater
11.48.4.8 & Greater ..."

- http://httpupdate.cpanel.net/
Latest cPanel & WHM Builds (All Architectures)
TIER      Version          Release Date
STABLE    11.52.0.23       Mon Nov 16 21:57:15 2015
RELEASE   11.52.0.23       Mon Nov 16 21:57:15 2015
CURRENT   11.52.1.1        Mon Nov 16 21:57:15 2015
EDGE      11.53.9999.69    Tue Nov 10 22:47:27 2015

Change Logs
- https://documentatio...ALD/Change Logs
___

Notice: 11.46 Now EOL, 11.48 to EOL in 3 Months
cPanel & WHM software version 11.46 has now reached End of Life.
In accordance with our EOL policy http://go.cpanel.net/longtermsupport, 11.46 will continue functioning on servers. The last release of cPanel & WHM 11.46, 11.46.4.0, will remain on our mirrors indefinitely. However, no further updates, such as security fixes and installations, will be provided for 11.46. Older releases of cPanel & WHM 11.46 will be removed from our mirrors.
cPanel & WHM 11.48 is set to reach End of Life at the end of January 2016.
We recommend that all customers migrate any existing installations of cPanel & WHM 11.48 to a newer version (either 11.50 or 11.52).

>> https://documentatio...sesofcPanel
___

cPanel TSR-2015-0006 Full Disclosure
- http://news.cpanel.c...ull-disclosure/
Nov 17, 2015 - "Description: A reseller account could read the comet data intended for the root account and other reseller accounts by subscribing to the wildcard comet channel. Webmail users could similarly read data intended for the cPanel account to which they belonged. All comet data in cPanel, WHM, and Webmail is now restricted to the specific account that created the data...
Solution: This issue is resolved in the following builds:
11.52.1.1
11.52.0.23
11.50.3.1
11.48.4.8 ...

Description: The configured email rate limits for an account were not enforced correctly when the account relayed email using an empty envelope sender address...
Solution: This issue is resolved in the following builds:
11.52.1.1
11.52.0.23
11.50.3.1
11.48.4.8 ...

More... see the cPanel URL above.
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 17 November 2015 - 04:42 PM.

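The two items quoted from that disclosure (wildcard comet subscriptions, and a rate limit that an empty envelope sender slipped past) are the same mistake seen twice: the server derived "who is this for" from what the client sent instead of from the authenticated session. The following is an added example, not cPanel's code, showing both checks in their flawed and corrected forms. The channel naming, the constructed channel table and the limit values are assumptions.

```python
"""
Added example, not cPanel's code: two checks from TSR-2015-0006, both the
same rule (derive the principal from the authenticated session, never from
what the client sends). (1) A comet-style channel subscription is restricted
to channels the subscriber owns, so a wildcard pattern cannot pull root's or
another reseller's data. (2) An outbound mail rate limit is keyed on the
authenticated account, so a message with an empty envelope sender ("<>") is
still counted.
"""
from collections import deque
from fnmatch import fnmatchcase
from typing import Deque, Dict, List

# (1) channel subscription ----------------------------------------------------
# Constructed sample: channel name -> owning account, laid out as
# "<interface>/<account>/<topic>" (an assumed naming scheme).
CHANNELS: Dict[str, str] = {
    "whm/root/notifications": "root",
    "whm/reseller1/backups": "reseller1",
    "cpanel/alice/upload-progress": "alice",
    "cpanel/bob/upload-progress": "bob",
}


def vulnerable_subscribe(pattern: str, subscriber: str) -> List[str]:
    # BUG: the client's pattern is matched against every channel that exists,
    # so "*" subscribes a reseller to root's and everyone else's data.
    return sorted(c for c in CHANNELS if fnmatchcase(c, pattern))


def hardened_subscribe(pattern: str, subscriber: str) -> List[str]:
    # Authorization first: only channels this account owns are candidates.
    # The client's pattern may narrow that set but can never widen it.
    owned = [c for c, owner in CHANNELS.items() if owner == subscriber]
    return sorted(c for c in owned if fnmatchcase(c, pattern))


# (2) per-account outbound mail limit -----------------------------------------
class HourlyMailLimiter:
    """Sliding-window count of relayed messages, one window per key."""

    def __init__(self, limit: int, window_s: int = 3600):
        self.limit = limit
        self.window_s = window_s
        self.sent: Dict[str, Deque[float]] = {}

    def _allow(self, key: str, now: float) -> bool:
        q = self.sent.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:     # expire old sends
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def vulnerable_check(self, auth_account: str, envelope_sender: str,
                         now: float) -> bool:
        # BUG: the counter is keyed on the envelope sender, and a message with
        # no sender (bounce-style "<>") was treated as nothing to limit.
        if not envelope_sender:
            return True
        return self._allow(envelope_sender, now)

    def hardened_check(self, auth_account: str, envelope_sender: str,
                       now: float) -> bool:
        # Key on the authenticated account (SMTP AUTH user or the local user
        # that invoked the MTA): that is what a per-account limit is about.
        return self._allow(auth_account, now)
```

With the hardened subscription, `hardened_subscribe("*", "reseller1")` yields only the reseller's own channel, and with the hardened limiter a run of sender-less messages from one account is cut off at the limit exactly like any other message.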


#24 AplusWebMaster

Posted 09 December 2015 - 08:04 AM

FYI...

11.48 to EOL in 2 Months
- http://news.cpanel.c...ol-in-2-months/
Dec 7, 2015 - "cPanel & WHM 11.48 is set to reach End of Life at the end of January 2016. In accordance with our EOL policy*, 11.48 will continue functioning on servers. However, no further updates, such as security fixes and installations, will be provided for 11.48 after it reaches EOL. We recommend that all customers migrate any existing installations of cPanel & WHM 11.48 to a newer version (either 11.50 or 11.52)..."
https://documentatio...?pageId=1507947

 

:ph34r: :ph34r:


Edited by AplusWebMaster, 09 December 2015 - 08:07 AM.



#25 AplusWebMaster

Posted 05 January 2016 - 11:27 AM

FYI...

cPanel & WHM 54
- https://news.cpanel....n-current-tier/
Jan 4, 2016 - "cPanel, Inc. has released cPanel & WHM software version 54, which is now available in the CURRENT tier. In a departure from our usual version number, we’ve dropped the “11” from cPanel & WHM releases. This change provides increased clarity for our partners and users while more accurately reflecting the product’s progression..."

54 Release Notes
- https://documentatio...4 Release Notes
Jan 05, 2016

Change Logs
- https://documentatio...D/54 Change Log

> http://httpupdate.cpanel.net/
 

:ph34r:




#26 AplusWebMaster

Posted 19 January 2016 - 09:19 AM

FYI...

cPanel TSR-2016-0001 Announcement
- https://news.cpanel....1-announcement/
2016-01-18 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system... The following cPanel & WHM versions address all known vulnerabilities:
11.54.0.4 & Greater
11.52.2.4 & Greater
11.50.4.3 & Greater
11.48.5.2 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at
- http://httpupdate.cpanel.net "

> https://securedownloads.cpanel.net/
 

:ph34r: :ph34r:




#27 AplusWebMaster

Posted 26 January 2016 - 08:32 PM

FYI...

cPanel TSR-2016-0001 Full Disclosure
- https://news.cpanel....ull-disclosure/
Jan 26, 2016
(Full list at the URL above.)

> https://news.cpanel....-Disclosure.txt
___

>> https://news.cpanel....egory/security/

Important Information for Manage2 Users
- https://news.cpanel....-manage2-users/
Jan 23, 2016 - "... one of our user databases may have been breached. Although we successfully interrupted the breach, it is still possible that user contact information may have been susceptible. The customer contact information that may have been susceptible is limited to names, contact information, and encrypted (and salted) passwords. Please note that our credit card information is stored in a separate system designed for credit card storage and is not impacted by this possible breach. Although current passwords are stored salted and encrypted, we are accelerating our move to stronger password encryption at the same time in order to minimize disruption. In order to safeguard the system, we will force all users with older password encryption to change their passwords. It is important to highlight that this incident was not related to cPanel products or the Targeted Security Release published on January 18th. We apologize for any inconvenience this may cause.
Please go to the Manage2 login page and click the forgot password link*. Please don’t hesitate to contact cPanel Customer Service if you need help resetting your password...
PGP Signed version of this document here:
- https://news.cpanel....unication-1.txt "

Important Information for cPanel Store Users
- https://news.cpanel....el-store-users/
Jan 23, 2016 - "... Please go to the cPanel Store login page** and click the forgot password link..."

* https://manage2.cpanel.net/

** https://store.cpanel.net/login/
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 26 January 2016 - 09:08 PM.



#28 AplusWebMaster

Posted 17 February 2016 - 02:31 PM

FYI...

cPanel Security Team: glibc CVE-2015-7547
- https://news.cpanel....-cve-2015-7547/
Feb 17, 2016 - "CVE-2015-7547 is a critical vulnerability in glibc affecting any versions greater than 2.9. The DNS client side resolver function getaddrinfo() used in the glibc library is vulnerable to a stack-based buffer overflow attack. This can be exploited in a variety of scenarios, including man-in-the-middle attacks, maliciously crafted domain names, and malicious DNS servers.
What does this mean for cPanel servers?
The glibc library is provided by your operating system vendor, which is one of Red Hat, CentOS, or Cloud Linux. All supported distros have published patched versions of glibc to their mirrors to address CVE-2015-7547.
To update any affected servers, do the following:
1. Log into your server via SSH with root privileges
2. Run “yum clean all” to clear YUM’s local caches
3. Run “yum update” to install the patched version of glibc
4. After glibc is updated you should reboot the system to ensure all daemons load the newer version of the library.
You can ensure you are updated by running the command “rpm -q glibc”. The package information displayed should match the version numbers provided by Red Hat at:
- https://access.redha...rticles/2161461
Red Hat Enterprise Linux 7 – glibc-2.17-106.el7_2.4
Red Hat Enterprise Linux 6 – glibc-2.12-1.166.el6_7.7
Notifications about security updates for Red Hat, CentOS, and CloudLinux can be found at the following URLs:
Red Hat: http://www.redhat.co...o/rhsa-announce
CentOS: http://lists.centos....centos-announce
CloudLinux: http://cloudlinux.com/blog/
What steps do I need to take as an Admin/root of our servers running cPanel & WHM?
Once the RPM of glibc has been updated and the system rebooted, you are fully protected.
cPanel also recommends that you configure the system to automatically update both the base operating system and the cPanel & WHM software automatically. These settings are located in WHM’s “Update Preferences” interface.
For the PGP-Signed version of this announcement please see:
- http://news.cpanel.c...libc_notice.txt
___

- https://www.us-cert....c-Vulnerability
Feb 17, 2016
___

> https://web.nvd.nist...d=CVE-2015-7547
8.1 High
Last revised: 02/19/2016

- https://isc.sans.edu...l?storyid=20737
2016-02-16 - "... The exploit will likely trigger a DNS lookup from a vulnerable system..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 22 February 2016 - 07:08 AM.

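Step 5 of the procedure quoted above ("rpm -q glibc", compare with Red Hat's numbers) is easy to get wrong when done by eye or with a string comparison: release strings like `el7_2.10` sort below `el7_2.4` as text. The following is an added example, not cPanel's or Red Hat's code, that parses `rpm -q glibc` output and compares each installed arch against the fixed builds the post lists, using rpm's own segment ordering. Offline it takes the command output as text; `live()` runs rpm on a real host. Only the `~` pre-release ordering is implemented; the newer `^` ordering is omitted.

```python
"""
Added example, not cPanel's code: checks `rpm -q glibc` output against the
fixed glibc builds for CVE-2015-7547 listed in the post (RHEL 7 and RHEL 6),
using a port of rpm's rpmvercmp rather than a string compare.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Fixed builds from the post, keyed by the dist tag found in the release.
FIXED_EVR: Dict[str, str] = {
    "el7": "2.17-106.el7_2.4",
    "el6": "2.12-1.166.el6_7.7",
}

_NVRA = re.compile(r"^(?P<name>.+?)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[A-Za-z0-9_]+)$")
_DIST = re.compile(r"\.(el\d+)")
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def _tokens(s: str) -> List[object]:
    # digits -> int, letters -> str, "~" kept; every other character separates
    return [int(t) if t.isdigit() else t for t in _SEG.findall(s)]


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp: returns -1, 0 or 1 like the C function."""
    ta, tb = _tokens(a), _tokens(b)
    i = 0
    while True:
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x is None and y is None:
            return 0
        if x == "~" or y == "~":          # tilde sorts before anything, even end of string
            if x != y:
                return -1 if x == "~" else 1
        elif x is None or y is None:      # otherwise the side with segments left wins
            return -1 if x is None else 1
        elif isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1   # numeric segment beats alpha
        elif x != y:
            return 1 if x > y else -1     # int vs int, or str vs str
        i += 1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    epoch, rest = 0, evr
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def glibc_status(rpm_q_output: str) -> Dict[str, Tuple[str, bool]]:
    """Map each installed glibc package (one per arch) to (required EVR, patched?)."""
    status = {}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _NVRA.match(line)
        if not m or m["name"] != "glibc":
            raise ValueError(f"unexpected rpm -q output: {line!r}")
        dist = _DIST.search(m["rel"])
        if not dist or dist[1] not in FIXED_EVR:
            status[line] = ("unknown dist", False)
            continue
        required = FIXED_EVR[dist[1]]
        status[line] = (required, evrcmp(f"{m['ver']}-{m['rel']}", required) >= 0)
    return status


def all_patched(rpm_q_output: str) -> bool:
    """True only if every installed glibc arch is at or above the fixed build."""
    st = glibc_status(rpm_q_output)
    return bool(st) and all(ok for _, ok in st.values())


def live() -> Dict[str, Tuple[str, bool]]:
    out = subprocess.run(["rpm", "-q", "glibc"], capture_output=True,
                         text=True, check=True).stdout
    return glibc_status(out)


if __name__ == "__main__":
    for pkg, (required, ok) in live().items():
        print(f"{pkg}: {'patched' if ok else 'NOT patched'} (need >= {required})")
```

Multi-arch hosts matter here: `rpm -q glibc` prints one line per installed arch, and a lagging i686 package fails the check even when x86_64 is current. The post's step 4 (reboot) is separate from this check: a patched RPM on disk says nothing about daemons that still have the old library mapped.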


#29 AplusWebMaster

Posted 02 March 2016 - 09:22 PM

FYI...

cPanel Security Team: exim CVE-2016-1531
- https://news.cpanel....-cve-2016-1531/
March 2, 2016
"Background Information: On Wednesday, March 2, 2016, Exim announced a vulnerability in all versions of the Exim software.
Impact: According to Exim development: “All installations having Exim set-uid root and using ‘perl_startup’ are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (this is normally *any* user) can gain root privileges.”
Releases: The following versions of cPanel & WHM were patched to have the correct version of Exim. All previous versions of cPanel & WHM, including 11.48.x and below, are vulnerable to a set-uid attack on Exim.
Branch/Tier    Patched build
11.50          11.50.5.0
11.52          11.52.4.0
11.54          11.54.0.18
EDGE           11.55.9999.106
CURRENT        11.54.0.18
RELEASE        11.54.0.18
STABLE         11.54.0.18
How to determine if your server is up to date: The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:
rpm -q --changelog exim | grep CVE-2016-1531
The output should resemble below:
- Fixes CVE-2016-1531
What to do if you are not up to date: If your server is not running one of the above versions, update immediately. You can upgrade your server by navigating to WHM Home > cPanel > Upgrade to Latest Version and clicking “Click to Upgrade”: https://documentatio...ate Preferences "
(More detail at the cpanel URL at the top of this post.)
 

:ph34r: :ph34r:


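Exim's statement quoted above pins the escalation to two local conditions (a set-uid root exim binary and a configuration using perl_startup), and cPanel's fixed RPMs are recognisable by the changelog entry the post shows. The following is an added example, not cPanel's code: a small triage that takes those three facts and says whether the host is exposed now and whether it needs the update regardless. The decision logic takes the facts as plain values so it runs offline on the constructed samples below; `collect_live()` gathers them on a real host, and the binary and config paths it uses are assumptions.

```python
"""
Added example, not cPanel's code: local triage for Exim CVE-2016-1531.
Exposure needs a set-uid-root exim and a live perl_startup option; the
fixed package carries "CVE-2016-1531" in its RPM changelog.
"""
import os
import re
import stat
import subprocess
from dataclasses import dataclass

CVE = "CVE-2016-1531"
EXIM_BIN = "/usr/sbin/exim"      # assumed path
EXIM_CONF = "/etc/exim.conf"     # assumed path
_PERL_STARTUP = re.compile(r"^\s*perl_startup\s*=")


def is_setuid_root(st_mode: int, st_uid: int) -> bool:
    return bool(st_mode & stat.S_ISUID) and st_uid == 0


def uses_perl_startup(config_text: str) -> bool:
    """True if a live (not commented-out) perl_startup option is set."""
    return any(_PERL_STARTUP.match(line) for line in config_text.splitlines())


def changelog_has_fix(changelog_text: str, cve: str = CVE) -> bool:
    return cve in changelog_text


@dataclass(frozen=True)
class Verdict:
    setuid_root: bool
    perl_startup: bool
    fixed: bool

    @property
    def vulnerable(self) -> bool:
        # All three conditions must hold for the local escalation to be live.
        return self.setuid_root and self.perl_startup and not self.fixed

    @property
    def needs_update(self) -> bool:
        # Independently of exposure today, an unfixed package is still the
        # thing to update: a later config change would make it exploitable.
        return not self.fixed


def assess(st_mode: int, st_uid: int, config_text: str, changelog_text: str) -> Verdict:
    return Verdict(is_setuid_root(st_mode, st_uid),
                   uses_perl_startup(config_text),
                   changelog_has_fix(changelog_text))


def collect_live() -> Verdict:
    st = os.stat(EXIM_BIN)
    with open(EXIM_CONF) as fh:
        conf = fh.read()
    log = subprocess.run(["rpm", "-q", "--changelog", "exim"],
                         capture_output=True, text=True, check=False).stdout
    return assess(st.st_mode, st.st_uid, conf, log)


# Constructed sample inputs (not taken from any real host).
SAMPLE_CONF_PERL = ("# sample exim config\n"
                    "perl_startup = do '/etc/exim_perl_startup.pl'\n"
                    "primary_hostname = host.example\n")
SAMPLE_CONF_COMMENTED = ("# perl_startup = do '/etc/exim_perl_startup.pl'\n"
                         "primary_hostname = host.example\n")
SAMPLE_LOG_FIXED = "* Wed Mar 02 2016 sample packager\n- Fixes CVE-2016-1531\n"
SAMPLE_LOG_OLD = "* Mon Feb 01 2016 sample packager\n- Rebuild\n"
SETUID_ROOT_MODE = stat.S_IFREG | stat.S_ISUID | 0o755   # -rwsr-xr-x
PLAIN_MODE = stat.S_IFREG | 0o755                        # -rwxr-xr-x

if __name__ == "__main__":
    v = collect_live()
    print(f"setuid root: {v.setuid_root}, perl_startup: {v.perl_startup}, "
          f"fixed: {v.fixed} -> {'VULNERABLE' if v.vulnerable else 'not exposed'}"
          f"{', update exim' if v.needs_update else ''}")
```

The two properties are deliberately separate: `vulnerable` answers "can a local user get root right now", `needs_update` answers "is the package still the unfixed one", and the post's advice (update immediately if not on a listed build) corresponds to the second.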


#30 AplusWebMaster

Posted 22 March 2016 - 04:03 PM

FYI...

cPanel TSR-2016-0002 Announcement
- https://news.cpanel....2-announcement/
March 21, 2016 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 8.5...
RELEASES:
The following cPanel & WHM versions address all known vulnerabilities:
11.54.0.20 & Greater
11.52.4.1 & Greater
11.50.5.2 & Greater ...
The latest public releases of cPanel & WHM for all update tiers are available at
- http://httpupdate.cpanel.net "
___

cPanel TSR-2016-0002 Full Disclosure
- https://news.cpanel....ull-disclosure/
March 22, 2016
Description: Daemonized code is not fully detached from its parent process. This allows an attacker to control a TTY they do not own...
Solution: This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2 ..."

Change Logs
> https://documentatio...ALD/Change Logs
___

- http://www.securityt....com/id/1035427
Mar 29 2016
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 11.50.5.2, 11.52.4.1, 11.54.0.20 ...
Solution: The vendor has issued a fix (11.50.5.2, 11.52.4.1, 11.54.0.20)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 31 March 2016 - 07:36 AM.

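The "not fully detached" item in that disclosure is about a daemonized process that keeps the session, controlling terminal and stdio descriptors of whoever launched it, so code running in the daemon can still reach that terminal. The following is an added example, not cPanel's code: the standard setsid-plus-second-fork detach sequence, wrapped so that the detached process reports back over a pipe what it ended up with (session id, session-leader status, whether it still has a controlling tty, working directory, whether stdin is a terminal), with a fork-only variant for contrast. It is Linux/Unix specific and runs as the current user.

```python
"""
Added example, not cPanel's code: the detach sequence a daemonized helper
needs so it stops sharing the controlling terminal and stdio descriptors of
the session that launched it (the TSR-2016-0002 item).
"""
import json
import os


def has_no_controlling_tty() -> bool:
    try:
        fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    except OSError:          # ENXIO: this process has no controlling terminal
        return True
    os.close(fd)
    return False


def detach() -> None:
    """Full detach; runs in the child after the first fork."""
    os.setsid()              # new session and process group: the controlling tty is dropped
    if os.fork() != 0:       # second fork: the survivor is not a session leader, so
        os._exit(0)          # opening a terminal later can never make it the ctty
    os.chdir("/")
    os.umask(0o022)
    devnull = os.open(os.devnull, os.O_RDWR)
    for fd in (0, 1, 2):     # stop holding the launcher's stdin/stdout/stderr (its tty)
        os.dup2(devnull, fd)
    if devnull > 2:
        os.close(devnull)


def no_detach() -> None:
    """What an incomplete daemonizer does: fork only, keep session and fds."""


def run_detached(work, detach_fn=detach):
    """Fork, run detach_fn() then work() in the child, return work()'s result.

    work() must return something JSON-serialisable; here it is used to report
    the detached process's attributes back to the launcher."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        try:
            detach_fn()
            os.write(w, json.dumps(work()).encode())
        finally:
            os._exit(0)
    os.close(w)
    os.waitpid(pid, 0)       # reap the intermediate child; a grandchild is re-parented to init
    chunks = []
    while True:
        chunk = os.read(r, 4096)   # EOF once every copy of the write end is closed
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    return json.loads(b"".join(chunks))


def current_sid() -> int:
    """Session id of the calling process (the launcher, in the tests)."""
    return os.getsid(0)


def process_report() -> dict:
    """Attributes that show whether the detach worked."""
    pid = os.getpid()
    return {
        "sid": os.getsid(pid),
        "session_leader": os.getsid(pid) == pid,
        "no_ctty": has_no_controlling_tty(),
        "cwd": os.getcwd(),
        "stdin_is_tty": os.isatty(0),
    }


if __name__ == "__main__":
    print("launcher sid:", current_sid())
    print("detached    :", run_detached(process_report))
    print("fork only   :", run_detached(process_report, no_detach))
```

Run from a terminal, the "fork only" report shows the launcher's session id and a stdin that is still a tty, which is exactly the state the advisory describes; the detached report shows a fresh session, no controlling terminal, and a process that is not a session leader and therefore cannot acquire one by opening a terminal device later.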