46 replies to this topic

[AplusWebMaster]

FYI...

cPanel & WHM 56
- https://news.cpanel....n-release-tier/
April 26, 2016 - "cPanel, Inc. has released cPanel & WHM software version 56, which is now available in the RELEASE tier*..."

* https://documentatio...-Term%20Support
___

- https://myonlinesecu...4-x-to-11-56-x/
April 26, 2016

>> https://forums.cpanel.net/
 

Edited by AplusWebMaster, 29 April 2016 - 08:55 AM.

[AplusWebMaster]

FYI...

cPanel Security Team – CVE-2016-3714 ImageMagick
- https://news.cpanel....14-imagemagick/
May 4, 2016 - "... ImageMagick announced a vulnerability in all versions of the ImageMagick software. ImageMagick is a software package commonly used by web services to process images.
Impact: One of the reported vulnerabilities can potentially be exploited for remote code execution (RCE)..."
(Mitigation and more info at the URL above.)

> https://web.nvd.nist...d=CVE-2016-3714
Last revised: 05/06/2016
10.0 HIGH

- https://documentatio...714 ImageMagick

- https://www.us-cert....k-Vulnerability
Last revised: May 05, 2016
___

> https://blog.qualys....sday-may-2015-2
May 10, 2016 - "... a workaround has been published that neutralizes current attacks. We recommend the same thing the attackers are doing: scan your infrastructure for occurrences of ImageMagick and then apply the workaround in the policy.xml file..."
 

Edited by AplusWebMaster, 10 May 2016 - 11:52 AM.

[AplusWebMaster]

FYI...

cPanel TSR-2016-0003
- https://news.cpanel....3-announcement/
May 16, 2016 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 7.6... If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience...
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
11.56.0.15 & Greater
11.54.0.24 & Greater
11.52.6.1 & Greater
11.50.6.2 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
>  http://httpupdate.cpanel.net
... Additional information is scheduled for release on May 17, 2016..."
___

cPanel TSR-2016-0003 Full Disclosure
- https://news.cpanel....ull-disclosure/
May 17, 2016
Summary: SQLite journal allowed for arbitrary file overwrite during Horde Restore.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 6.6 (AV:N/AC:H/Au:S/C:C/I:C/A:N)
Description: During a Horde restore using the old-style CSV data files, the SQLite database is opened as the user. However, actual writes were done as root, and SQLite does not open the journal file until these writes are made. This allowed the journal file to be opened as the root user permitting arbitrary files to be overwritten...
 

Edited by AplusWebMaster, 17 May 2016 - 12:50 PM.

[AplusWebMaster]

FYI...

cPanel TSR-2016-0004
- https://news.cpanel....4-announcement/
July 18, 2016 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 1.0 to 6.8...
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
11.58.0.4 & Greater
11.56.0.27 & Greater
11.54.0.26 & Greater
11.52.6.2 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION: The cPanel security team identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses -7- vulnerabilities in cPanel & WHM software versions 11.58, 11.56, 11.54, and 11.52. Additional information is scheduled for release on July 19, 2016..."
___

cPanel TSR-2016-0004 Full Disclosure
- https://news.cpanel....ull-disclosure/
July 19, 2016
 

Edited by AplusWebMaster, 20 July 2016 - 04:22 AM.

[AplusWebMaster]

FYI...

cPanel & WHM 58
- https://news.cpanel....in-stable-tier/
Aug 23, 2016 - "cPanel, Inc. has released cPanel & WHM software version 58, which is now available in the STABLE tier*..."
* https://documentatio...ng-Term Support
 

[AplusWebMaster]

FYI...

cPanel TSR-2016-0005 Announcement
- https://news.cpanel....5-announcement/
Sep 19, 2016 - cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 4.3 to 6.3.
Information on cPanel’s security ratings is available at
- https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
11.58.0.29 & Greater
11.56.0.34 & Greater
11.54.0.29 & Greater
11.52.6.6 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net
Additional information is scheduled for release on September 20, 2016.
For information on cPanel & WHM Versions and the Release Process, read our documentation at:

- https://go.cpanel.net/versionformat
___

cPanel TSR-2016-0005 Full Disclosure
- https://news.cpanel....ull-disclosure/
Sep 20, 2016 - "SEC-141 - Summary:
Code execution as other accounts via mailman list archives.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Description: The sticky-group bit applied to mailman’s list archive directories allowed list owners to modify the contents of these directories. This could be used to execute arbitrary code as other accounts on the system...
Solution: This issue is resolved in the following builds:
11.58.0.29
11.56.0.34
11.54.0.29
11.52.6.6
SEC-152 - Summary:
Arbitrary code execution due to faulty shebang in Mail::SPF scripts.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
Description: The scripts provided with the Mail::SPF Perl module in cPanel & WHM used /usr/bin/perl rather than /usr/local/cpanel/3rdparty/bin/perl as their interpreter. If executed in an unsafe directory, this could cause untrusted code to load and execute...
Solution: This issue is resolved in the following builds:
11.58.0.29
11.56.0.34
11.54.0.29
11.52.6.6
SEC-154 - Summary:
Arbitrary file read due to multipart form processing error.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N)
Description: The Cpanel::Form::parseform() function was found to mishandle some invalid combinations of multipart form data in ways that allowed the reading of arbitrary files in several WHM interfaces...
Solution: This issue is resolved in the following builds:
11.58.0.29
11.56.0.34
11.54.0.29
11.52.6.6
SEC-156 - Summary:
Stored XSS Vulnerability in WHM tail_upcp2.cgi interface.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description: The tail_upcp2.cgi script displays the log output of the cPanel & WHM update process. The output includes portions of log files that contain untrusted data. In some cases, this untrusted output was not properly escaped...
Solution: This issue is resolved in the following builds:
11.58.0.29
11.56.0.34
11.54.0.29
11.52.6.6 ..."
 

Edited by AplusWebMaster, 20 September 2016 - 01:59 PM.

[AplusWebMaster]

FYI...

cPanel & WHM Version 11.52 Now End of Life...
Version 54 at the End of Jan. 2017
- https://news.cpanel....nd-of-jan-2017/
Oct 31, 2016 - "cPanel version 11.52 reached End of Life September 30th, 2016. In accordance with our EOL policy
( https://go.cpanel.com/longtermsupport) 11.52 will continue functioning on servers where it is already installed. The last release of cPanel & WHM 11.52, 11.52.6.6, will remain on our mirrors indefinitely. However, no further updates, such as security fixes and installations, will be provided for 11.52. Older releases of cPanel & WHM 11.52 will be removed from our mirrors.
cPanel & WHM version 54 will reach End of Life at the end of January, 2017. In accordance with our EOL policy ( https://go.cpanel.com/longtermsupport), 54 will continue functioning on servers where it is already installed. However, no further updates, such as security fixes and installations, will be provided for 54 after it reaches EOL.
We recommend that all customers migrate any existing installations of cPanel & WHM 54 to version 60, which you can read more about at the cPanel release site https://releases.cpanel.com
If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at https://go.cpanel.com/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more."
 

[AplusWebMaster]

FYI...

cPanel TSR-2016-0006 Announcement
- https://news.cpanel....6-announcement/
Nov 21, 2016 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv2 scores ranging from 1.7 to 7.1.
Information on cPanel’s security ratings is available at:
- https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience...
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
11.60.0.25 & Greater
11.58.0.37 & Greater
11.56.0.39 & Greater
11.54.0.33 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
- http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION:
The cPanel security team identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 26 vulnerabilities in cPanel & WHM software versions 11.60, 11.58, 11.56, and 11.54. Additional information is scheduled for release on November 22, 2016..."
___

cPanel TSR-2016-0006 Full Disclosure
- https://news.cpanel....ull-disclosure/
Nov 22, 2016
- https://news.cpanel.....disclosure.txt
 

Edited by AplusWebMaster, 22 November 2016 - 03:04 PM.

[AplusWebMaster]

FYI...

cPanel TSR-2017-0001
- https://news.cpanel....1-announcement/
Jan 16, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 6.8.
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
62.0.4 & Greater
60.0.35 & Greater
58.0.43 & Greater
56.0.43 & Greater
54.0.36 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 17 vulnerabilities in cPanel & WHM software versions 11.62, 11.60, 11.58, 11.56, and 11.54.
Additional information is scheduled for release on January 17, 2017..."
___

TSR-2017-0001 Full Disclosure
- https://news.cpanel....ull-disclosure/
Jan 17, 2017 - "SEC-196 - SEC-216
Solution: ... resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36 ..."
 

Edited by AplusWebMaster, 17 January 2017 - 02:19 PM.

[AplusWebMaster]

FYI...

cPanel TSR-2017-0002 Announcement
- https://news.cpanel....2-announcement/
March 20, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv3 scores ranging from 2.4 to 8.8. Information on cPanel’s security ratings is available at:

- https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES:
The following cPanel & WHM versions address all known vulnerabilities:
11.62.0.17 & Greater
11.60.0.39 & Greater
11.58.0.45 & Greater
11.56.0.46 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:

- http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 15 vulnerabilities in cPanel & WHM software versions 11.62, 11.60, 11.58, and 11.56.
Additional information is scheduled for release on March 21, 2017.
For information on cPanel & WHM Versions and the Release Process, read our documentation at:
- https://go.cpanel.net/versionformat "
___

cPanel TSR-2017-0002 Full Disclosure
- https://news.cpanel....ull-disclosure/
March 21, 2017
 

Edited by AplusWebMaster, 21 March 2017 - 04:00 PM.

[AplusWebMaster]

FYI...

cPanel TSR-2017-0003 Announcement
- https://news.cpanel....3-announcement/
May 15, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv3 scores ranging from 2.2 to 8.8. Information on cPanel’s security ratings is available at:
- https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
64.0.21 & Greater
62.0.24 & Greater
60.0.43 & Greater
58.0.49 & Greater
56.0.49 & Greater ...
cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 24 vulnerabilities in cPanel & WHM software versions 64, 62, 60, 58, and 56. Additional information is scheduled for release on May 16, 2017..."
___

cPanel TSR-2017-0003 Disclosure Delay
- https://news.cpanel....sclosure-delay/
May 16, 2017 - "We are delaying the cPanel TSR-2017-0003 Disclosure for an additional 24 hours. The Disclosure will now be published May 17, 2017."
___

cPanel TSR-2017-0003 Full Disclosure
- https://news.cpanel....ull-disclosure/
May 17, 2017
 

Edited by AplusWebMaster, 18 May 2017 - 04:41 AM.

[AplusWebMaster]

FYI...

cPanel TSR-2017-0004
- https://news.cpanel....4-announcement/
July 17, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv3 scores ranging from 2.2 to 5.0...
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
66.0.2 & Greater
64.0.33 & Greater
62.0.27 & Greater
60.0.45 & Greater
58.0.52 & Greater
56.0.51 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.
SECURITY ISSUE INFORMATION: The cPanel Security Team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses -18- vulnerabilities in cPanel & WHM software versions 66, 64, 62, 60, 58, and 56.
Additional information is scheduled for release on July 18, 2017."
___

- https://news.cpanel....ull-disclosure/
July 18, 2017
 

Edited by AplusWebMaster, 18 July 2017 - 07:12 PM.

[AplusWebMaster]

FYI...

cPanel & WHM Version 66
- https://news.cpanel....-66-to-release/
Aug 22, 2017 - "cPanel, Inc. has released cPanel & WHM version 66 to the RELEASE tier*. Below are a few of the new features in this version.
> New Feature: Remote Incremental Backups
In v66 you can easily store your Incremental Backups remotely using our new Rsync backup destination.
In fact, we have made many improvements to our backup..."
> https://blog.cpanel....paign=66release

Release notes: https://documentatio...6 Release Notes

* https://documentatio...ersReleasetiers
 

[AplusWebMaster]

FYI...

cPanel TSR-2017-0005
- https://news.cpanel....5-announcement/
Sep 18, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv3 scores ranging from 2.2 to 7.8...
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
66.0.23 & Greater
64.0.40 & Greater
62.0.30 & Greater
60.0.48 & Greater
56.0.52 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
- http://httpupdate.cpanel.net
The cPanel Security Team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 11 vulnerabilities in cPanel & WHM software versions 66, 64, 62, 60, and 56...
___

cPanel TSR-2017-0005 Full Disclosure
- https://news.cpanel....ull-disclosure/
Sep 19, 2017
 

Edited by AplusWebMaster, 19 September 2017 - 01:46 PM.

[AplusWebMaster]

FYI...

cPanel & WHM Version 68 in RELEASE
- https://news.cpanel....-68-in-release/
Nov 1, 2017

- https://documentatio...ate Preferences
___

cPanel & WHM Versions 56 & 60 Now EOL
- https://news.cpanel....-56-60-now-eol/
Oct 31, 2017