EasyApache 3.24.22 Released to address PHP vulnerabilities

Posted by & filed under Security.

cPanel, Inc. has released EasyApache 3.24.22 with PHP 5.4.30 and 5.5.14. This release addresses multiple PHP vulnerabilities in the PHP core code and the Fileinfo, Network, and SPL modules. We encourage all PHP users to upgrade to PHP 5.4.30 and PHP 5.5.14.

AFFECTED VERSIONS

All versions of PHP 5.4 before 5.4.30.
All versions of PHP 5.5 before 5.5.14.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs. Each one is fixed in PHP 5.4.30 and PHP 5.5.14:

* CVE-2014-3981 – LOW – fixed bug in the PHP core code
* CVE-2014-0207 – MEDIUM – fixed bug in the Fileinfo module
* CVE-2014-3478 – MEDIUM – fixed bug in the Fileinfo module
* CVE-2014-3479 – MEDIUM – fixed bug in the Fileinfo module
* CVE-2014-3480 – MEDIUM – fixed bug in the Fileinfo module
* CVE-2014-3487 – MEDIUM – fixed bug in the Fileinfo module
* CVE-2014-4049 – MEDIUM – fixed bug in the Network module
* CVE-2014-3515 – MEDIUM – fixed bug in the SPL module

SOLUTION

cPanel, Inc. has released EasyApache 3.24.22 with updated versions of PHP 5.4 and PHP 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache picks up the new PHP versions automatically. Run EasyApache to rebuild your profile with the latest version of PHP.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3981

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0207

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3478

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3479

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3480

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3487

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4049

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3515

http://www.php.net/ChangeLog-5.php#5.4.30

http://www.php.net/ChangeLog-5.php#5.5.14



EasyApache 3.24.19 released to address CVE-2014-0237 and CVE-2014-0238

Posted by & filed under Security.

cPanel, Inc. has released EasyApache 3.24.19 with PHP versions 5.5.13 and 5.4.29. This release addresses the PHP vulnerabilities CVE-2014-0237 and CVE-2014-0238 with fixes to bugs in the fileinfo extension. We encourage all PHP users to upgrade to PHP version 5.5.13 or PHP version 5.4.29.

AFFECTED VERSIONS

All versions of PHP version 5.5 before 5.5.13.
All versions of PHP version 5.4 before 5.4.29.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs. Both are fixed in the fileinfo extension of PHP 5.5.13 and PHP 5.4.29:

* CVE-2014-0237 – MEDIUM
* CVE-2014-0238 – MEDIUM

SOLUTION

cPanel, Inc. has released EasyApache 3.24.19 with the updated versions of PHP 5.4 and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache will include the latest versions of PHP automatically. Run EasyApache to rebuild your profile with the latest version of PHP.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0237

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0238

http://www.php.net/ChangeLog-5.php#5.4.29

http://www.php.net/ChangeLog-5.php#5.5.13


cPanel TSR-2014-0004 Security Announcement

Posted by & filed under Security.

TSR-2014-0004

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.43.0.12 & Greater
* 11.42.1.16 & Greater
* 11.40.1.14 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 52 vulnerabilities in cPanel & WHM software versions 11.44, 11.42, and 11.40.

Additional information is scheduled for release on May 26th, 2014.


CloudLinux now available on our cloud servers

Posted by & filed under Cloud Servers.

We are pleased to announce that CloudLinux 6 is now available on our cloud server platform. CloudLinux is another spin-off of the popular RHEL/CentOS operating system, built with stability, security, and density in mind. CloudLinux is not a free operating system and requires a monthly license, which we can provide for $12.00 per month. If you are running an existing CentOS 6 server and would like to convert to CloudLinux, this can be done easily with a simple conversion script written by the CloudLinux team. The only downtime required for this conversion is the reboot once the conversion has finished. Further information regarding CloudLinux can be found at www.cloudlinux.com, or you can contact our team directly. Additional information can also be found below!

Why CloudLinux?

Created in 2009, CloudLinux became the first commercially supported OS specifically designed for shared hosting providers. In its four years in the marketplace, CloudLinux has received numerous awards and has been praised by hundreds of shared hosting providers for resolving their stability problems. Web Hosting Search called it “The perfect OS for shared hosting.” It is no wonder that today more than 1,000 companies successfully use CloudLinux on their servers. It is installed on more than 10,000 servers worldwide. CloudLinux is a proven solution for shared hosting that drastically improves server stability and security, increases density, decreases support costs, and prevents churn. It sounds like magic, but CloudLinux delivers these benefits by introducing the latest technologies specifically crafted for shared hosting into its kernel. Combine these features with all its tools and integrate them with major control panels and it becomes a must-have for any shared hosting provider.

CloudLinux benefits:

  • Isolates users from each other to avoid the “bad neighbor effect”
  • Prevents users from seeing configuration files and other private information
  • Allows end user to select PHP versions 4.4, 5.2, 5.3, 5.4, and 5.5
  • Gives the power to monitor and control limits such as CPU, IO, Memory, and others
  • Helps restrict and throttle MySQL database abusers
  • Compatible with all major control panels
  • Interchangeable with CentOS and RHEL.

CloudLinux Technology

Lightweight Virtual Environment (LVE) is a kernel-based isolation technology that limits and controls the amount of resources (CPU, memory, number of processes, and IO) available to a specific user. This allows for improved stability and enhanced reliability. LVE will control web, cron jobs, and shell access, creating a protective bubble around each customer and preventing each customer from abusing the server.

CageFS extends LVE isolation to each user’s file system. Through virtualization, each user’s file system is effectively isolated into its own environment to prevent one user from seeing any other users or their files on the server. This creates a new level of security, making it much more difficult for hackers to attack, deface, or steal data from a shared hosting server. Additionally, it guarantees no SUID scripts are available to the end customer, preventing the majority of privilege escalation attacks. CageFS provides all of this while also providing a fully functional environment for web, cron jobs, and shell.

PHP Selector: With CloudLinux, our customers will have the flexibility to choose the PHP version they need. That includes versions 4.4, 5.2, 5.3, 5.4 and 5.5 as well as more than 50 PHP extensions and the ability to adjust php.ini settings.


MySQL Governor monitors MySQL usage and detects abusers, restricting their connectivity if they start using more than their allocated resources. This tool comes with a utility to view current usage that provides unprecedented visibility of and control over MySQL usage, significantly diminishing the number of support issues caused by MySQL abuse.

SecureLinks is a kernel-level technology that prevents all known symbolic link attacks, which enhances the security level of the servers even further.

All these features, in addition to regular technical updates and exceptional 24/7 support, make CloudLinux a great value. 


Debian 7.4 and Ubuntu 14.04 are now available!

Posted by & filed under Cloud Servers, Dedicated Servers.

We’re pleased to announce the availability of Debian 7.4 and Ubuntu 14.04 on all of our dedicated and cloud servers. Cloud customers can deploy these new distributions using the cloud server manager within the customer portal. Dedicated server customers who would like a fresh install should contact our support department to schedule the installation. These distributions are available in both 32-bit and 64-bit flavors.


Heartbleed OpenSSL Vulnerability (CVE-2014-0160)

Posted by & filed under Security.

On April 7, 2014, a vulnerability was discovered in OpenSSL that could allow attackers to view sensitive information stored in memory. Given the severity of this vulnerability, we encourage all customers to take the necessary steps to verify that their OpenSSL installations are patched and not vulnerable. Most Linux distributions ship with a package manager (e.g. yum, apt). If you are running a supported Linux distribution (one that is not End-of-Life), you can simply use the distribution's package manager to update your OpenSSL installation. If you built OpenSSL from source, or built any other applications that use OpenSSL from source (e.g. Apache), you will need to upgrade OpenSSL first and then recompile those applications. If you are running cPanel/WHM on RHEL/CentOS 6.5, chances are you are vulnerable! You should first run “yum update” and then rebuild Apache using EasyApache, either in WHM under WHM > Software > EasyApache or from the CLI using /scripts/easyapache.

If you have any questions, concerns, or need assistance please open a support ticket at https://helpdesk.ndchost.com/
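The checks behind the advice above, as an added POSIX shell example that is not part of the original post. It runs on constructed sample input (the version strings, the package changelog text and the `lsof` lines are all made up, not captured from a real host) and shows three things a practitioner wants after patching: whether an `openssl version` string falls in the upstream affected range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed, and the 1.0.0 and 0.9.8 branches never had the bug); why that alone is not enough on RHEL/CentOS, whose packages backport the fix and keep the 1.0.1e version string, so the package changelog (`rpm -q --changelog openssl`) is where CVE-2014-0160 shows up; and which running daemons still have the old, now-deleted libssl/libcrypto mapped, which is why rebuilding Apache and restarting services after the update is part of the fix, not optional.

```shell
#!/bin/sh
# Added example, not part of the original post: Heartbleed (CVE-2014-0160)
# post-update checks, exercised here against constructed sample input.

# Classify the output of `openssl version` by upstream version number.
# Upstream 1.0.1 through 1.0.1f are affected, 1.0.1g and later are fixed,
# and the 1.0.0 / 0.9.8 branches never contained the heartbeat extension bug.
heartbleed_upstream_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1 | 1.0.1[a-f]) echo "affected-upstream" ;;
        1.0.1[g-z]*)        echo "fixed" ;;
        1.0.0* | 0.9.8*)    echo "not-affected" ;;
        *)                  echo "unknown" ;;
    esac
}

# RHEL/CentOS backport the fix without changing the version, so a patched
# CentOS 6.5 host still prints "OpenSSL 1.0.1e-fips". The package changelog
# is the reliable indicator. $1 is the text of `rpm -q --changelog openssl`.
rpm_changelog_has_heartbleed_fix() {
    if printf '%s\n' "$1" | grep -q 'CVE-2014-0160'; then
        echo "patched"
    else
        echo "unpatched"
    fi
}

# After yum replaces the library on disk, daemons that were already running
# keep the old copy mapped until restarted. lsof marks such deleted memory
# maps with DEL in the FD column; a deleted file still held open through a
# descriptor shows "(deleted)" after its path. $1 is `lsof -n` output.
# Prints the distinct command names that still use an old libssl/libcrypto.
stale_ssl_processes() {
    printf '%s\n' "$1" \
        | awk '/libssl|libcrypto/ && ($4 == "DEL" || /\(deleted\)/) { print $1 }' \
        | sort -u
}

# Constructed sample input (not from a real system). The release tag is a
# placeholder; the real CentOS value differs.
CHANGELOG_SAMPLE='* Mon Apr 07 2014 Package Maintainer <maintainer@example.com> 1.0.1e-EXAMPLE.2
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Thu Jan 23 2014 Package Maintainer <maintainer@example.com> 1.0.1e-EXAMPLE.1
- rebuild with updated build flags'

LSOF_SAMPLE='COMMAND  PID   USER FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd   2140 apache DEL  REG  253,0            3145 /usr/lib64/libssl.so.1.0.1e
httpd   2140 apache DEL  REG  253,0            3146 /usr/lib64/libcrypto.so.1.0.1e
sshd     912   root mem  REG  253,0   445464   3201 /usr/lib64/libssl.so.1.0.1e
bash    3320   root mem  REG  253,0  1926560   1123 /lib64/libc-2.12.so'

# Run the checks over the samples: a patched CentOS 6.5 box looks "affected"
# by version string alone, is "patched" by changelog, and still has an httpd
# that needs a restart (or an EasyApache rebuild) to drop the old library.
heartbleed_upstream_status "OpenSSL 1.0.1e-fips 11 Feb 2013"   # affected-upstream
rpm_changelog_has_heartbleed_fix "$CHANGELOG_SAMPLE"            # patched
stale_ssl_processes "$LSOF_SAMPLE"                              # httpd
```

On a live host, replace the constructed strings with `"$(openssl version)"`, `"$(rpm -q --changelog openssl)"` and `"$(lsof -n)"` (the last run as root so every process is visible); a process listed by `stale_ssl_processes` is still serving with the vulnerable code regardless of what the package database says.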


Public CentOS Mirror

Posted by & filed under Announcements.

For a long time now we’ve had a private CentOS mirror that was really only used internally for new deploys. Today that mirror has been made public and is now accessible to the world! The main problem with a private mirror was that servers would only use it if told to do so. Since we did not want to mess with CentOS’s default yum configuration, we left it untouched and the private mirror remained mostly idle. Now that our mirror is public, your servers might actually start using it. Unfortunately, the CentOS mirror list, when queried, only provides 10-20 mirrors located in the same country as the server's IP space. This means that your server will only use our local mirror by luck of the draw. Karanbir from CentOS has told us that this will eventually change: the plan is to have a system that is smart enough to choose the closest mirror based on the ASN. Until then, your servers will continue to choose whatever mirrors they are dealt!


Connectivity Issues

Posted by & filed under Announcements.

At 20:04 (PST) we started receiving alarms showing saturation of the Time Warner Telecom peer. Further investigation showed that a DDoS attack was aimed at our network and was mainly flowing down the TWTC path. After analyzing the traffic, filters were put in place and traffic coming down TWTC returned to normal.


New linux distributions available in the VPS manager!

Posted by & filed under Announcements, Products and Services.

We’ve added a few more Linux distributions to our arsenal!

CentOS 5.6 – This is a maintenance release upgrading our previous image to the latest version of the CentOS 5 tree. In addition we also added the yum-fastestmirror and perl packages to this image. For more information about this Linux distribution go to http://www.centos.org

Scientific Linux 6.0 – For more information about this Linux distribution go to http://www.scientificlinux.org

Mandriva 2010.1 – For more information about this Linux distribution go to http://www.mandriva.com

Fedora Core 15 – For more information about this Linux distribution go to http://fedoraproject.org