EasyApache 21 February 2017 Maintenance Release

Posted by & filed under cPanel, Security.

SUMMARY
cPanel, Inc. has released EasyApache 3.34.12 with Apache version 2.2.32. This release addresses vulnerabilities related to CVE-2016-8743 and CVE-2016-5387. We strongly encourage all Apache 2.2 users to upgrade to version 2.2.32.


AFFECTED VERSIONS
All versions of Apache 2.2 through version 2.2.31


SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:


CVE-2016-8743 – MEDIUM
Apache 2.2.32
Fixed bug related to CVE-2016-8743


CVE-2016-5387 – MEDIUM
Apache 2.2.32
Additional HTTPOXY mitigation related to CVE-2016-5387


SOLUTION
cPanel, Inc. has released EasyApache 3.34.12 with an updated version of Apache 2.2.32. Unless you have disabled EasyApache updates, the EasyApache application updates to the latest version when launched. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8743
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5387
http://www.apache.org/dist/httpd/CHANGES_2.2.32



EasyApache 24 January 2017 Maintenance Release

Posted by & filed under cPanel, Security.

cPanel, Inc. has released updated RPMs for EasyApache 4 on January 25, 2017, with PHP versions 5.6.30, 7.0.15, and 7.1.1. This release addresses vulnerabilities related to CVE-2016-10161, CVE-2016-10162, CVE-2017-5340, CVE-2016-7479, CVE-2016-10158, CVE-2016-10159, and CVE-2016-10160. We strongly encourage all PHP 5.6 users to upgrade to version 5.6.30, all PHP 7.0 users to upgrade to version 7.0.15, and all PHP 7.1 users to upgrade to version 7.1.1.


AFFECTED VERSIONS
All versions of PHP 5.6 through 5.6.29
All versions of PHP 7.0 through 7.0.14
All versions of PHP 7.1 through 7.1.0


SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2016-10161 – MEDIUM
PHP 5.6.30
Fixed bug in Standard library related to CVE-2016-10161

PHP 7.0.15
Fixed bug in Core related to CVE-2016-10161

PHP 7.1.1
Fixed bug in Core related to CVE-2016-10161

CVE-2016-10162 – MEDIUM
PHP 7.0.15
Fixed bug in Core related to CVE-2016-10162

PHP 7.1.1
Fixed bug in Core related to CVE-2016-10162

CVE-2017-5340 – MEDIUM
PHP 7.0.15
Fixed bug in Core related to CVE-2017-5340

PHP 7.1.1
Fixed bug in Core related to CVE-2017-5340

CVE-2016-7479 – HIGH
PHP 7.0.15
Fixed bug in Core related to CVE-2016-7479

CVE-2016-10158 – MEDIUM
PHP 5.6.30
Fixed bug in Exif extension related to CVE-2016-10158

PHP 7.0.15
Fixed bug in Exif extension related to CVE-2016-10158

PHP 7.1.1
Fixed bug in Exif extension related to CVE-2016-10158

CVE-2016-10160 – HIGH
PHP 5.6.30
Fixed bug in Phar extension related to CVE-2016-10160

PHP 7.0.15
Fixed bug in Phar extension related to CVE-2016-10160

PHP 7.1.1
Fixed bug in Phar extension related to CVE-2016-10160

CVE-2016-10159 – MEDIUM
PHP 5.6.30
Fixed bug in Phar extension related to CVE-2016-10159

PHP 7.0.15
Fixed bug in Phar extension related to CVE-2016-10159

PHP 7.1.1
Fixed bug in Phar extension related to CVE-2016-10159


SOLUTION
cPanel, Inc. has released updated RPMs for EasyApache 4 on January 25, 2017, with updated versions of PHP 5.6, 7.0, and 7.1. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.


REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5340
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10161
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10162
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7479
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10158
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10159
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10160
http://www.php.net/ChangeLog-7.php
http://www.php.net/ChangeLog-5.php


cPanel TSR-2017-0001 Full Disclosure

Posted by & filed under cPanel, Security.

SEC-196

Summary

Fixed password used for Munin MySQL test account.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description

The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel’s current configuration of Munin, this MySQL user is no longer required and has been removed.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-197

Summary

Self-XSS in paper_lantern password change screen.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

Certain form variables on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-198

Summary

Reflected XSS in reset password interfaces.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

The user form variable on the password change screen could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43

SEC-199

Summary

Self-XSS in webmail Password and Security page.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Description

Certain form variables on the webmail password and security page could be interpreted as javascript markup. This allowed an attacker to inject a malicious payload into the page.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-201

Summary

Arbitrary file read via Exim valiases.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)

Description

When processing the valiases for a user, Exim was running as the root user. By creating a valias that included other files, an attacker was able to read arbitrary files as the root user.

Credits

This issue was discovered by RACK911Labs.com.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43

SEC-204

Summary

Exim piped filters ran as wrong user when delivering to a system user.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Description

Piped commands executed by the central_user_filter were run as the nobody user. Now the filters are run as the system user’s UID.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-205

Summary

Leech Protect did not protect certain directories.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Description

The Leech Protect system allows admins to detect unusual amounts of activity on password protected directories. This system was not functioning on directories with a two character name.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-206

Summary

Exim transports could be run as the nobody user.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description

It was possible to run exim transports as the nobody user if the receiving email domain was removed during delivery. Transports will now run as the proper user even if the domain no longer exists.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-207

Summary

Improper ACL checks in xml-api for Rearrange Account.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

Using the ‘fetch_transfer_session_log’ API, it was possible to fetch transfer information created by other resellers. This could reveal potentially sensitive information to an attacker.

Credits

This issue was discovered by RACK911Labs.com.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-209

Summary

SSL certificate generation in WHM used an unreserved email address.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

In WHM, if you generate a certificate using the “Generate an SSL Certificate and Signing Request” interface and select “When complete, email me the certificate, key, and CSR”, it used “admin@” as the from address. The account name “admin” is not reserved in cPanel & WHM, so if this account was created, it would intercept any replies or bounces.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-210

Summary

Account ownership not enforced by has_mycnf_for_cpuser WHM API call.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description

The has_mycnf_for_cpuser WHM API call did not verify the caller’s ownership of the specified account. This could allow for a limited amount of information about the user’s MySQL configuration to be leaked.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-211

Summary

Stored XSS Vulnerability in WHM Account Suspension List interface.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

When viewing the WHM Account Suspension List with the ‘nohtml’ flag enabled, the response to the browser was sent with the ‘Content-type’ header set to ‘text/html’. This caused text to be misinterpreted as HTML markup.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

SEC-212

Summary

Format string injection vulnerability in cgiemail.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description

The ability to supply arbitrary format strings to cgiemail and cgiecho allowed code execution whenever a user was able to provide a cgiemail template file. Format strings in cgiemail templates are now restricted to simple %s, %U and %H sequences.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
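The SEC-212 fix restricts template format strings to the %s, %U and %H sequences. The following is an added example, not code from cgiemail or cPanel: it assumes a template syntax in which '%' introduces a conversion, and implements the allow-list check a caller should run before a template ever reaches a printf-family function. Anything other than the three permitted conversion characters, including %n, %x, width or positional modifiers such as %10$s, and a trailing lone '%', is rejected. The function and sample templates are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Allow-list check for a cgiemail-style template (added example; the
 * template syntax is an assumption, not cgiemail's own parser).
 * After a '%' only the conversion characters s, U and H are accepted,
 * the set named in SEC-212. Returns the number of accepted conversions,
 * or -1 on rejection, in which case *bad_off (if non-NULL) receives the
 * byte offset of the offending '%'. */
int template_format_check(const char *tpl, size_t *bad_off)
{
    int count = 0;
    for (size_t i = 0; tpl[i] != '\0'; i++) {
        if (tpl[i] != '%')
            continue;
        char c = tpl[i + 1];             /* '\0' when '%' is the last byte */
        if (c == 's' || c == 'U' || c == 'H') {
            count++;
            i++;                          /* step over the conversion char */
            continue;
        }
        if (bad_off != NULL)
            *bad_off = i;
        return -1;                        /* %n, %x, %10$s, lone '%', ... */
    }
    return count;
}

/* A caller that supplies a fixed number of values should also require
 * the template to consume exactly that many: more conversions than
 * arguments is what lets a format string read beyond the supplied values. */
bool template_usable(const char *tpl, int expected_args)
{
    return template_format_check(tpl, NULL) == expected_args;
}

int main(void)
{
    /* Constructed sample templates, not from any real cgiemail deployment. */
    const char *samples[] = {
        "Thank you %s, your message was sent to %U.",
        "Reference: %H",
        "Debug: %n%n%n",
        "Dump: %08x %08x %08x",
        "100% done",
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        size_t off = 0;
        int n = template_format_check(samples[k], &off);
        if (n < 0)
            printf("REJECT at byte %zu: %s\n", off, samples[k]);
        else
            printf("ACCEPT (%d conversions): %s\n", n, samples[k]);
    }
    return 0;
}
```

The check fails closed: any unexpected byte after '%' rejects the whole template rather than being skipped, and template_usable ties the number of conversions to the number of arguments the program actually passes.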

SEC-213

Summary

WHM ‘enqueue_transfer_item’ API allowed resellers to queue non rearrange modules.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 2.1 (AV:N/AC:H/Au:S/C:N/I:N/A:P)

Description

The ‘enqueue_transfer_item’ API allowed resellers with the ‘rearrange-accts’ ACL to add items from arbitrary Whostmgr::Transfers::Session modules. This could have potentially allowed for a reseller with the ‘rearrange-accts’ ACL to initiate a remote transfer or perform other restricted operations.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43

SEC-214

Summary

Open redirect vulnerability in cgiemail.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description

The cgiemail and cgiecho binaries served as an open redirect due to their handling of the “success” and “failure” parameters. These redirects are now limited to the domain that handled the request.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36

SEC-215

Summary

HTTP header injection vulnerability in cgiemail.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

The handling of redirects in cgiemail and cgiecho did not protect against the injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36

SEC-216

Summary

Reflected XSS vulnerability in cgiemail addendum handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

The “addendum” parameter was reflected without any escaping in success and error messages produced by cgiemail and cgiecho. This output is now html escaped.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36
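SEC-214, SEC-215 and SEC-216 describe three output-handling fixes in cgiemail and cgiecho: redirects limited to the requesting domain, newline characters stripped from the redirect location, and the "addendum" parameter HTML-escaped. The block below is an added example that is not cgiemail's or cPanel's code; it shows one way to implement those three checks together. The host-matching policy (a site-relative path, or an http/https URL whose host equals the request host) is this example's reading of "limited to the domain that handled the request", and the request host www.example.com and all inputs are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy 'in' to 'out' with every CR and LF removed (SEC-215: a value with
 * a newline could otherwise end the Location header and start another). */
static bool strip_crlf(const char *in, char *out, size_t outlen)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '\r' || in[i] == '\n')
            continue;
        if (j + 1 >= outlen)
            return false;                 /* no room for the terminator */
        out[j++] = in[i];
    }
    out[j] = '\0';
    return true;
}

/* True when the text at 'p' (just after "scheme://") names exactly 'host',
 * case-insensitively, followed by end of string, path, port, query or
 * fragment. "host.evil" and "host@evil" both fail this test. */
static bool host_matches(const char *p, const char *host)
{
    size_t i = 0;
    for (; host[i] != '\0'; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)host[i]))
            return false;
    char c = p[i];
    return c == '\0' || c == '/' || c == ':' || c == '?' || c == '#';
}

/* Sanitise a user-supplied "success"/"failure" target for a request that
 * arrived for 'request_host'. Writes the stripped value to 'out' and
 * returns true only for a site-relative path or an http(s) URL on the
 * same host (SEC-214 policy as assumed in this example). */
bool sanitize_redirect(const char *loc, const char *request_host,
                       char *out, size_t outlen)
{
    if (!strip_crlf(loc, out, outlen))
        return false;
    if (out[0] == '/')                    /* "/path" ok; "//host" leaves the site */
        return out[1] != '/' && out[1] != '\\';
    const char *rest = NULL;
    if (strncmp(out, "http://", 7) == 0)
        rest = out + 7;
    else if (strncmp(out, "https://", 8) == 0)
        rest = out + 8;
    if (rest == NULL)                     /* javascript:, data:, bare host ... */
        return false;
    return host_matches(rest, request_host);
}

/* HTML-escape 'in' into 'out' for an HTML text context (SEC-216).
 * Returns the number of bytes written, or -1 if 'out' is too small. */
long html_escape(const char *in, char *out, size_t outlen)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        char one[2] = { in[i], '\0' };
        const char *rep;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (j + n >= outlen)
            return -1;
        memcpy(out + j, rep, n);
        j += n;
    }
    out[j] = '\0';
    return (long)j;
}

int main(void)
{
    /* Constructed inputs; www.example.com stands in for the request host. */
    const char *targets[] = { "/thanks.html", "http://www.example.com/thanks",
                              "//evil.example/", "http://www.example.com.evil.example/" };
    char buf[256];
    for (size_t k = 0; k < sizeof targets / sizeof targets[0]; k++) {
        bool ok = sanitize_redirect(targets[k], "www.example.com", buf, sizeof buf);
        printf("%s %s\n", ok ? "ALLOW" : "DENY ", targets[k]);
    }
    html_escape("<b>addendum</b>", buf, sizeof buf);
    printf("escaped: %s\n", buf);
    return 0;
}
```

Stripping CR/LF follows the page's description of the SEC-215 fix; rejecting the request outright is the stricter alternative. The scheme comparison is deliberately exact, so an upper-case "HTTP://" is denied rather than parsed, and the host comparison stops only at a delimiter, which is what defeats the "trusted-host.attacker" and "trusted-host@attacker" forms.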

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/01/TSR-2017-0001.disclosure.signed.txt


cPanel TSR-2017-0001 Announcement

Posted by & filed under cPanel, Security.

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 6.8.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

11.62.0.4 & Greater
11.60.0.35 & Greater
11.58.0.43 & Greater
11.56.0.43 & Greater
11.54.0.36 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

SECURITY ISSUE INFORMATION

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 17 vulnerabilities in cPanel & WHM software versions 11.62, 11.60, 11.58, 11.56, and 11.54.

Additional information is scheduled for release on January 17, 2017.

For information on cPanel & WHM Versions and the Release Process, read our documentation at:
https://go.cpanel.net/versionformat

For the PGP-Signed version of this announcement please see: https://news.cpanel.com/wp-content/uploads/2017/01/TSR-2017-0001.announcement.signed.txt



cPanel TSR-2016-0001 Announcement

Posted by & filed under cPanel, Security.

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 10.0.

Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.


RELEASES

The following cPanel & WHM versions address all known vulnerabilities:

11.54.0.4 & Greater
11.52.2.4 & Greater
11.50.4.3 & Greater
11.48.5.2 & Greater

The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.


SECURITY ISSUE INFORMATION

The cPanel security team identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 20 vulnerabilities in cPanel & WHM software versions 11.54, 11.52, 11.50, and 11.48.

Due to the severity of the issues addressed in this release, cPanel is extending the blackout period on additional information to a full week. Additional information is scheduled for release on January 25, 2016.

For information on cPanel & WHM Versions and the Release Process, read our documentation at:
http://go.cpanel.net/versionformat

For the PGP Signed version of this announcement please visit https://news.cpanel.com/wp-content/uploads/2016/01/TSR-2016-0001-Announcement.txt


EasyApache 3.26.6 released to address multiple CVE security issues!

Posted by & filed under cPanel, Security.

cPanel, Inc. has released EasyApache 3.26.6 with PHP versions 5.4.32 and 5.5.16. This release addresses vulnerabilities CVE-2014-3538, CVE-2014-3587, CVE-2014-2497, CVE-2014-5120, CVE-2014-3597, CVE-2014-4670 and CVE-2014-4698. We encourage all PHP 5.4 users to upgrade to PHP version 5.4.32 and all PHP 5.5 users to upgrade to PHP version 5.5.16.


AFFECTED VERSIONS

All versions of PHP 5.4 before 5.4.32.
All versions of PHP 5.5 before 5.5.16.


SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-3538 – MEDIUM

PHP 5.4.32
Fixed bug in the Fileinfo module related to CVE-2014-3538.

PHP 5.5.16
Fixed bug in the Fileinfo module related to CVE-2014-3538.


CVE-2014-3587 – MEDIUM

PHP 5.4.32
Fixed bug in the Fileinfo module related to CVE-2014-3587.

PHP 5.5.16
Fixed bug in the Fileinfo module related to CVE-2014-3587.


CVE-2014-2497 – MEDIUM

PHP 5.4.32
Fixed bug in the GD module related to CVE-2014-2497.

PHP 5.5.16
Fixed bug in the GD module related to CVE-2014-2497.


CVE-2014-5120 – MEDIUM

PHP 5.4.32
Fixed bug in the GD module related to CVE-2014-5120.

PHP 5.5.16
Fixed bug in the GD module related to CVE-2014-5120.


CVE-2014-3597 – MEDIUM

PHP 5.4.32
Fixed bug in the SPL module related to CVE-2014-3597.

PHP 5.5.16
Fixed bug in the SPL module related to CVE-2014-3597.


CVE-2014-4670 – MEDIUM

PHP 5.4.32
Fixed bug in the SPL module related to CVE-2014-4670.


CVE-2014-4698 – MEDIUM

PHP 5.4.32
Fixed bug in the SPL module related to CVE-2014-4698.


SOLUTION

cPanel, Inc. has released EasyApache 3.26.6 with updated versions of PHP 5.4.32 and PHP 5.5.16 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.


REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3538
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3587
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2497
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5120
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3597
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4670
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4698
http://php.net/ChangeLog-5.php#5.4.32
http://php.net/ChangeLog-5.php#5.5.16


EasyApache 3.26.5 released to address libxml2 and php vulnerabilities

Posted by & filed under Security.

cPanel, Inc. has released EasyApache 3.26.5 with PHP version 5.3.29 and a patch to libxml2. This release addresses libxml2 vulnerability CVE-2014-0191 and PHP vulnerabilities CVE-2014-3981, CVE-2014-3515, CVE-2013-6712, CVE-2014-0207, CVE-2014-0238, CVE-2014-0237, and CVE-2014-4049 by fixing bugs in PHP’s core and PHP’s Network, Fileinfo and DateInterval modules. We encourage all PHP 5.3 users to upgrade to PHP version 5.3.29.

AFFECTED VERSIONS
All versions of PHP 5.3 before 5.3.29.
All versions of libxml2 before EasyApache version 3.26.5.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-0191 – MEDIUM

libxml2
Fixed bug in the libxml2 library related to CVE-2014-0191.

CVE-2014-3981 – LOW

PHP 5.3.29
Fixed bug in the configure script related to CVE-2014-3981.

CVE-2014-3515 – HIGH

PHP 5.3.29
Fixed bug in the SPL component related to CVE-2014-3515.

CVE-2013-6712 – MEDIUM

PHP 5.3.29
Fixed bug in the DateInterval module related to CVE-2013-6712.

CVE-2014-0207 – MEDIUM

PHP 5.3.29
Fixed bug in the Fileinfo module related to CVE-2014-0207.

CVE-2014-0238 – MEDIUM

PHP 5.3.29
Fixed bug in the Fileinfo module related to CVE-2014-0238.

CVE-2014-0237 – MEDIUM

PHP 5.3.29
Fixed bug in the Fileinfo module related to CVE-2014-0237.

CVE-2014-4049 – MEDIUM

PHP 5.3.29
Fixed bug in the SPL module related to CVE-2014-4049.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.5 with an updated version of PHP 5.3.29 and a patch to libxml2 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0191
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3981
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3515
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6712
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0207
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0238
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0237
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4049
http://php.net/ChangeLog-5.php#5.3.29


EasyApache 3.26.4 released to address mod_perl vulnerabilities

Posted by & filed under Security.

cPanel, Inc. has released EasyApache 3.26.4 with mod_perl version 2.0.8. This release fixes bugs related to vulnerability CVE-2013-1667 in the mod_perl2 Apache test suite.

AFFECTED VERSIONS
All versions of Perl 5.8.2 through 5.16.x

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-1667 – HIGH

mod_perl 2.0.8
Fixes bugs related to vulnerability CVE-2013-1667 in the mod_perl2 Apache test suite.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.4 with an updated version of the mod_perl Apache module to correct this issue. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1667
http://svn.apache.org/repos/asf/perl/modperl/tags/2_0_8/Changes