EasyApache 3.26.5 released to address libxml2 and php vulnerabilities

cPanel, Inc. has released EasyApache 3.26.5 with PHP version 5.3.29 and a patch to libxml2. This release addresses libxml2 vulnerability CVE-2014-0191 and PHP vulnerabilities CVE-2014-3981, CVE-2014-3515, CVE-2013-6712, CVE-2014-0207, CVE-2014-0238, CVE-2014-0237 and CVE-2014-4049 by fixing bugs in PHP's configure script and in its SPL, DateInterval, Fileinfo and Network components. We encourage all PHP 5.3 users to upgrade to PHP version 5.3.29.

AFFECTED VERSIONS
All versions of PHP 5.3 before 5.3.29.
The libxml2 build shipped with all EasyApache versions before 3.26.5.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-0191 – MEDIUM

libxml2
Fixed bug in the libxml2 library related to CVE-2014-0191 (entity expansion was not suppressed even when entity substitution had been disabled, allowing denial of service through crafted XML). PHP's XML extensions (DOM, SimpleXML, XMLReader, xml) are built on libxml2, so PHP applications that parse untrusted XML are the ones exposed.

CVE-2014-3981 – LOW

PHP 5.3.29
Fixed bug in the configure script related to CVE-2014-3981.

CVE-2014-3515 – HIGH

PHP 5.3.29
Fixed bug in the SPL component related to CVE-2014-3515 (type confusion when unserializing SPL objects such as ArrayObject and SPLObjectStorage, reachable wherever untrusted data is passed to unserialize()).

CVE-2013-6712 – MEDIUM

PHP 5.3.29
Fixed bug in the DateInterval module related to CVE-2013-6712 (heap-based buffer over-read while parsing a crafted ISO 8601 interval string, crashing the process).

CVE-2014-0207 – MEDIUM

PHP 5.3.29
Fixed bug in the Fileinfo module related to CVE-2014-0207. This and the two Fileinfo entries below are denial-of-service bugs in the CDF (Composite Document File) parser of the bundled libmagic, which runs on whatever bytes are handed to finfo_file() or mime_content_type(); upload handlers that sniff MIME types are the usual exposure.

CVE-2014-0238 – MEDIUM

PHP 5.3.29
Fixed bug in the Fileinfo module related to CVE-2014-0238.

CVE-2014-0237 – MEDIUM

PHP 5.3.29
Fixed bug in the Fileinfo module related to CVE-2014-0237.

CVE-2014-4049 – MEDIUM

PHP 5.3.29
Fixed bug in the Network module related to CVE-2014-4049 (heap-based buffer overflow in dns_get_record() when parsing crafted DNS TXT records).

SOLUTION
cPanel, Inc. has released EasyApache 3.26.5 with an updated version of PHP 5.3.29 and a patch to libxml2 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile so that the updated PHP and libxml2 are compiled into your Apache build; the fixes are not in place until that rebuild completes and the new PHP binary is serving requests.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0191
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3981
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3515
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6712
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0207
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0238
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0237
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4049
http://php.net/ChangeLog-5.php#5.3.29

EasyApache 3.26.4 released to address mod_perl vulnerabilities

cPanel, Inc. has released EasyApache 3.26.4 with mod_perl version 2.0.8. This release fixes bugs related to vulnerability CVE-2013-1667 in the mod_perl2 Apache test suite.

AFFECTED VERSIONS
All versions of Perl 5.8.2 through 5.16.x (the Perl range affected by CVE-2013-1667, a denial of service in the hash rehashing mechanism triggered by crafted hash keys).

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-1667 – HIGH

mod_perl 2.0.8
Fixes bugs related to vulnerability CVE-2013-1667 in the mod_perl2 Apache test suite.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.4 with an updated version of the mod_perl Apache module to correct this issue. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1667
http://svn.apache.org/repos/asf/perl/modperl/tags/2_0_8/Changes

CentOS 7 is now available!

We’re pleased to announce the availability of CentOS 7 on all of our dedicated and cloud servers.  Cloud customers can easily deploy these new distributions using the cloud server manager within the customer portal.  Dedicated server customers who would like a fresh install should contact our support department to schedule the installation.

EasyApache 3.24.22 Released to address PHP vulnerabilities

cPanel, Inc. has released EasyApache 3.24.22 with PHP 5.4.30 and 5.5.14. This release addresses multiple PHP vulnerabilities in the PHP core code and the Fileinfo, Network, and SPL modules. We encourage all PHP users to upgrade to PHP 5.4.30 and PHP 5.5.14.


AFFECTED VERSIONS

All versions of PHP 5.4 before 5.4.30.
All versions of PHP 5.5 before 5.5.14.


SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-3981 – LOW

PHP 5.4.30 and PHP 5.5.14
Fixed insecure temporary-file creation in PHP's configure script related to CVE-2014-3981.

CVE-2014-0207 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-0207.

CVE-2014-3478 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-3478.

CVE-2014-3479 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-3479.

CVE-2014-3480 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-3480.

CVE-2014-3487 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Fileinfo module related to CVE-2014-3487.

CVE-2014-4049 – MEDIUM

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the Network module related to CVE-2014-4049.

CVE-2014-3515 – HIGH

PHP 5.4.30 and PHP 5.5.14
Fixed bug in the SPL module related to CVE-2014-3515.

SOLUTION

cPanel, Inc. has released EasyApache 3.24.22 with updated versions of PHP 5.4 and PHP 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of PHP.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3981
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0207
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3478
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3479
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3480
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3487
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3515
http://www.php.net/ChangeLog-5.php#5.4.30
http://www.php.net/ChangeLog-5.php#5.5.14
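
As an added example (not code from this page, from cPanel or from EasyApache) covering this release together with the PHP 5.3.29 and the earlier 5.4.29/5.5.13 releases described elsewhere on this page, the following POSIX shell script turns the "affected versions" lists into a check you can run before and after an EasyApache rebuild. The fixed versions (5.3.29, 5.4.30, 5.5.14) are the ones named in these advisories; the binary paths /usr/local/bin/php and /usr/bin/php, the script name and the function names are assumptions for illustration. A cPanel server often carries more than one PHP binary and EasyApache only rebuilds the one it manages, so pass every path you actually serve PHP from.

```shell
#!/bin/sh
# Added example, not cPanel's or EasyApache's own code. Classify PHP binaries
# against the fixed versions named in the advisories on this page:
#   5.3 -> 5.3.29, 5.4 -> 5.4.30, 5.5 -> 5.5.14
# Paths and function names are assumptions for illustration.

# First fixed release for a PHP minor series; fails for series not covered.
php_fixed_version() {
    case "$1" in
        5.3) echo 5.3.29 ;;
        5.4) echo 5.4.30 ;;
        5.5) echo 5.5.14 ;;
        *)   return 1 ;;
    esac
}

# Pull "X.Y.Z" out of a `php -v` banner such as
# "PHP 5.4.28 (cli) (built: Jun  3 2014 10:12:41)"; prints nothing if absent.
php_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# True (0) when three-part dotted version $1 is numerically lower than $2.
# A non-numeric suffix on the patch level (5.3.29-cll) is ignored.
version_lt() {
    a=$1
    b=$2
    a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a3=${a#*.}; a3=${a3%%[!0-9]*}
    b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b3=${b#*.}; b3=${b3%%[!0-9]*}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Exit status: 0 = older than the fix (rebuild needed), 1 = fix included,
# 2 = series not covered by these advisories (e.g. 5.6) or unparseable.
php_needs_upgrade() {
    case "$1" in
        *.*.*) ;;
        *) return 2 ;;
    esac
    fixed=$(php_fixed_version "${1%.*}") || return 2
    version_lt "$1" "$fixed"
}

# Live check of the binaries on this host. The default path list is an
# assumption (EasyApache installs to /usr/local/bin/php on a typical cPanel
# server); extra paths can be passed as arguments.
check_php_binaries() {
    for bin in /usr/local/bin/php /usr/bin/php "$@"; do
        [ -x "$bin" ] || continue
        ver=$(php_version_from_banner "$("$bin" -v 2>/dev/null)")
        rc=0; php_needs_upgrade "$ver" || rc=$?
        case $rc in
            0) echo "$bin: PHP $ver predates the fixed release, rebuild with EasyApache" ;;
            1) echo "$bin: PHP $ver includes the fixes" ;;
            *) echo "$bin: PHP '$ver' is not covered by these advisories" ;;
        esac
    done
}

# Run the live check only when invoked as: sh php-advisory-check.sh --live [extra paths]
if [ "${1:-}" = "--live" ]; then
    shift
    check_php_binaries "$@"
fi
```

The exit-status convention matters: a binary from a series these advisories do not cover (5.6, or cPanel's own internal PHP under /usr/local/cpanel) is reported separately rather than silently counted as fixed, which is the mistake a one-line version grep usually makes.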

ProVPS.com gets a facelift!

Some of you may or may not know but ProVPS.com was a site we launched back in 2004 that was dedicated to our virtual private server line.  After almost 10 years the ProVPS.com site has gotten a facelift and boy did it need it!  Check it out!  http://www.provps.com

EasyApache 3.24.19 released to address CVE-2014-0237 and CVE-2014-0238

cPanel, Inc. has released EasyApache 3.24.19 with PHP versions 5.5.13 and 5.4.29. This release addresses the PHP vulnerabilities CVE-2014-0237 and CVE-2014-0238 with fixes to bugs in the fileinfo extension. We encourage all PHP users to upgrade to PHP version 5.5.13 or PHP version 5.4.29.


AFFECTED VERSIONS

All versions of PHP version 5.5 before 5.5.13.
All versions of PHP version 5.4 before 5.4.29.


SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-0237 – MEDIUM

PHP 5.5.13
Fixed bug in the fileinfo extension related to CVE-2014-0237.

PHP 5.4.29
Fixed bug in the fileinfo extension related to CVE-2014-0237.

CVE-2014-0238 – MEDIUM

PHP 5.5.13
Fixed bug in the fileinfo extension related to CVE-2014-0238.

PHP 5.4.29
Fixed bug in the fileinfo extension related to CVE-2014-0238.

SOLUTION

cPanel, Inc. has released EasyApache 3.24.19 with the updated versions of PHP 5.4 and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache will include the latest versions of PHP automatically. Run EasyApache to rebuild your profile with the latest version of PHP.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0237
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0238
http://www.php.net/ChangeLog-5.php#5.4.29
http://www.php.net/ChangeLog-5.php#5.5.13

cPanel TSR-2014-0004 Security Announcement

TSR-2014-0004

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having security impact levels ranging from Minor to Important.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

* 11.43.0.12 & Greater
* 11.42.1.16 & Greater
* 11.40.1.14 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 52 vulnerabilities in cPanel & WHM software versions 11.44, 11.42, and 11.40.

Additional information is scheduled for release on May 26th, 2014.

CloudLinux now available on our cloud servers

We are pleased to announce that CloudLinux 6 is now available on our cloud server platform.  CloudLinux is another spin-off of the popular RHEL/CentOS operating system, built with stability, security, and density in mind.  CloudLinux is not a free operating system and does require a monthly license.  We can provide this license for $12.00 per month.  If you are running an existing CentOS 6 server and would like to convert to CloudLinux, this can also be done easily with a simple conversion script written by the CloudLinux team.  The only downtime required for this conversion is the reboot once the conversion has finished.  Further information regarding CloudLinux can be found at www.cloudlinux.com or you can contact our team directly.  Additional information can also be found below!

Why CloudLinux?

Created in 2009, CloudLinux became the first commercially supported OS specifically designed for shared hosting providers. In its four years in the marketplace, CloudLinux has received numerous awards and has been praised by hundreds of shared hosting providers for resolving their stability problems. Web Hosting Search called it “The perfect OS for shared hosting.” It is no wonder that today more than 1,000 companies successfully use CloudLinux on their servers. It is installed on more than 10,000 servers worldwide.  CloudLinux is a proven solution for shared hosting that drastically improves server stability and security, increases density, decreases support costs, and prevents churn. It sounds like magic, but CloudLinux delivers these benefits by introducing the latest technologies specifically crafted for shared hosting into its kernel. Combine these features with all its tools and integrate them with major control panels and it becomes a must-have for any shared hosting provider.


CloudLinux benefits: 

  • Isolates users from each other to avoid the “bad neighbor effect”
  • Prevents users from seeing configuration files and other private information
  • Allows end user to select PHP versions 4.4, 5.2, 5.3, 5.4, and 5.5
  • Gives the power to monitor and control limits such as CPU, IO, Memory, and others
  • Helps restrict and throttle MySQL database abusers
  • Compatible with all major control panels
  • Interchangeable with CentOS and RHEL.


CloudLinux Technology

Lightweight Virtual Environment (LVE) is a kernel-based isolation technology that limits and controls the amount of resources (CPU, memory, number of processes, and IO) available to a specific user. This allows for improved stability and enhanced reliability. LVE will control web, cron jobs, and shell access, creating a protective bubble around each customer and preventing each customer from abusing the server.

CageFS extends LVE isolation to each user’s file system. Through virtualization, each user’s file system is effectively isolated into its own environment to prevent one user from seeing any other users or their files on the server. This creates a new level of security, making it much more difficult for hackers to attack, deface, or steal data from a shared hosting server. Additionally, it guarantees no SUID scripts are available to the end customer, preventing the majority of privilege escalation attacks. CageFS provides all of this while also providing a fully functional environment for web, cron jobs, and shell.

PHP Selector: With CloudLinux, our customers will have the flexibility to choose the PHP version they need. That includes versions 4.4, 5.2, 5.3, 5.4 and 5.5 as well as more than 50 PHP extensions and the ability to adjust php.ini settings.


MySQL Governor monitors MySQL usage and detects abusers, restricting their connectivity if they start using more than their allocated resources. This tool comes with a utility to view current usage that provides unprecedented visibility of and control over MySQL usage, significantly diminishing the number of support issues caused by MySQL abuse.

SecureLinks is a kernel-level technology that prevents all known symbolic link attacks, which enhances the security level of the servers even further.

All these features, in addition to regular technical updates and exceptional 24/7 support, make CloudLinux a great value. 

Debian 7.4 and Ubuntu 14.04 are now available!

We’re pleased to announce the availability of Debian 7.4 and Ubuntu 14.04 on all of our dedicated and cloud servers.  Cloud customers can easily deploy these new distributions using the cloud server manager within the customer portal.  Dedicated server customers who would like a fresh install should contact our support department to schedule the installation.  These distributions are available in both 32 bit and 64 bit flavors.

Heartbleed OpenSSL Vulnerability (CVE-2014-0160)

On April 7, 2014 a vulnerability in OpenSSL's TLS heartbeat extension was publicly disclosed (CVE-2014-0160, "Heartbleed"). It lets a remote, unauthenticated client read up to 64 KB of the server process's memory per request, and private keys, session cookies and passwords have all been recovered this way. Given the severity of this vulnerability we are encouraging all customers to take the necessary steps to verify their OpenSSL installations are patched and not vulnerable. Most Linux distributions these days come with a package manager (ex: yum, apt).  If you are running a supported Linux distribution (one that is not End-of-Life) you can simply use the provided package manager to update your OpenSSL installation.  If you have built OpenSSL from source, or built any other applications that use OpenSSL from source (ex: Apache), you will need to first upgrade OpenSSL and then recompile those applications.  If you are running the cPanel/WHM software on your server on RHEL/CentOS 6.5 you were almost certainly vulnerable, since 6.5 shipped OpenSSL 1.0.1e: first run a "yum update" and then rebuild Apache using EasyApache in WHM under WHM > Software > EasyApache or from the CLI using /scripts/easyapache.  Two things to keep in mind afterwards.  Red Hat backports the fix without changing the version number, so "openssl version" still reports 1.0.1e on a patched box; "rpm -q --changelog openssl | grep CVE-2014-0160" is the reliable check.  Updating the package also does nothing for processes that already have the old library loaded, so restart every service that links OpenSSL (or reboot), and because keys may have leaked before you patched, consider reissuing your SSL certificates with newly generated private keys.

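The checks described above, as an added example that is not part of the original post and is not cPanel's, Red Hat's or OpenSSL's tooling: a POSIX shell script that classifies an OpenSSL install from two signals, the version banner and the package changelog, and lists processes still holding a deleted copy of the library. The version ranges are OpenSSL's own (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g, 1.0.2-beta2, 1.0.0 and 0.9.8 are not). The function names, the sample banner and the two changelog fragments are constructed for illustration; a live run reads `openssl version`, `rpm -q --changelog openssl` and `lsof`.

```shell
#!/bin/sh
# Added example (not cPanel's, Red Hat's or OpenSSL's code): assess a host for
# CVE-2014-0160 from its OpenSSL banner and package changelog, then list
# processes that still map a deleted libssl/libcrypto after the update.
# Function names and sample data are constructed for illustration.

# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e"
# "OpenSSL 1.0.2-beta1 24 Feb 2014" -> "1.0.2-beta1"
openssl_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p' \
        | head -n 1
}

# True (0) when the upstream release string is in the affected range:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.0 and 0.9.8 never had the
# heartbeat code; 1.0.1g and 1.0.2-beta2 carry the fix.
heartbleed_by_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a package changelog on stdin; true when it records the CVE fix.
# This is the reliable test on RHEL/CentOS, where the fix is backported
# and the version string stays 1.0.1e.
changelog_has_heartbleed_fix() {
    grep -q 'CVE-2014-0160'
}

# Combine both signals. Prints one word: vulnerable | fixed | not-affected | unknown
heartbleed_assessment() {
    ver=$(openssl_version_from_banner "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    if ! heartbleed_by_version "$ver"; then
        case "$ver" in
            1.0.1*|1.0.2*) echo fixed ;;         # past 1.0.1f / 1.0.2-beta1
            *)             echo not-affected ;;  # 1.0.0, 0.9.8
        esac
        return 0
    fi
    # Affected version string: only a recorded backport clears it.
    if printf '%s\n' "$2" | changelog_has_heartbleed_fix; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample data (not output captured from any real host).
SAMPLE_BANNER='OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_CHANGELOG_OLD='* Tue Jan 07 2014 Example Packager <pkg@example.invalid>
- rebuild for updated dependencies'
SAMPLE_CHANGELOG_NEW='* Mon Apr 07 2014 Example Packager <pkg@example.invalid>
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# Live run on the current host (RPM-based; on Debian/Ubuntu substitute
# "apt-get changelog openssl" for the rpm query).
heartbleed_live_check() {
    banner=$(openssl version 2>/dev/null)
    changelog=$(rpm -q --changelog openssl 2>/dev/null)
    echo "openssl: $(heartbleed_assessment "$banner" "$changelog")"
    # Patching the package does not touch processes that already mapped the
    # old library; every process listed here must be restarted (or reboot).
    echo "processes still using a deleted libssl/libcrypto (command pid):"
    lsof -n 2>/dev/null | awk '/ DEL / && /lib(ssl|crypto)/ { print $1, $2 }' | sort -u
}

# Run the live check only when invoked as: sh heartbleed-check.sh --live
if [ "${1:-}" = "--live" ]; then
    heartbleed_live_check
fi
```

On a cPanel box the process list after `yum update` typically still shows httpd, cpsrvd, exim, dovecot and pure-ftpd until they are restarted, which is why a version check alone is not enough to declare the host clean.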
If you have any questions, concerns, or need assistance please open a support ticket at https://helpdesk.ndchost.com/