New Apache Vulnerability
This should probably be posted in Bugzilla, but I wanted to make sure that this was an issue that affected CPanel first. Looks like there is a new bug in Apache, specifically in mod_rewrite:
http://secunia.com/advisories/21197
The recommended solution is to upgrade to Apache 1.3.37. It would appear that easyapache is at 1.3.36. I wasn't sure if this affected CPanel's Apache (I would think that it does) or exactly how serious this is.
This is listed in Bugzilla at:
http://bugzilla.cpanel.net/show_bug.cgi?id=4433
One more time, Cpanel Team, don't work for security on Cpanel/WHM.
Expensive panel qith several problems of security issues.
http://bugzilla.cpanel.net/show_bug.cgi?id=4433 has 48 hours.
Security Advisore more 3 days.
Explot calisfied CRITICAL.
Please, Cpanel Team, more hard work on Security Issues.
Advisorie of Apche Foundation:
This issue has been rated as having important security impact by the Apache HTTP Server Security Team.onto http://www.apache.org/dist/httpd/Announcement1.3.html
Last edited by speckados; 08-02-2006 at 03:18 AM.
Just a note, I ran easyapache this morning on a test server and it appears that 1.3.37 is being compiled now. Someone else may want to verify this and make sure 1.3.37 is installing. I'm not aware of any official word from CPanel, so I might proceed with caution regarding the upgrade, but I did want to let everyone know that it appears 1.3.37 is available now.
Yes apache 1.3.37 is now in easyapache
Under which tree is it available? EDGE?
thats not the only bug i discovered bugs in openssl and can be exploted to gain root level access.
oh well
hope they fix it
Might as well add php 4.4.3 support to the gripes list:
http://secunia.com/advisories/21328/
GlowHost.com | Professional Managed Web Hosting Since 2002.
>> Fully Managed Dedicated, Cloud VDS, Reseller & Semi-Dedicated
>> Cloud Servers for Enterprise
As fas as I know the Apache version is indepdent of your CPanel build. So it doesn't matter what CPanel tree you are using, easyapache will install the same version of Apache for each build. I may be wrong in that regard. At any rate, I'm using Release and 1.3.37 is in it.
I'm on the stable release tree and it will only compile 1.3.36. Any way to get 1.3.37 into the stable release tree?
Sorry, I guess I should have been more clear. I'm using the stable version, NOT release.
Just re-compiled Apache on one of our client's servers and I got:Originally Posted by gahelm
Server: cPanel [10.8.2-RELEASE_119]Server version: Apache/1.3.37 (Unix)
Server built: Aug 3 2006 16:46:36
Andy Reed
CCNA, RHCE, and Ubuntu Technologist
ServerTune.com
Hey all,
Does is cause any problems if you were to just manually configure any software like apache or php together manually rather then using cPanel? Will cPanel have any issues?
Thanks,
Russ
I don't know about Apache, but I always compile PHP separately. This is mainly because I want to do more customization to my PHP installs.
One quick tidbit, if you run easyapache, you can unselect PHP so that it is not checked, then easyapache won't compile PHP. Your PHP will continue to work and easyapache will only compile Apache. This can greatly improve the amount of time spent upgrading Apache. One word of caution, if you are using phpSuExec, you must check that box in easyapache. You don't have to select PHP, but you do have to check the phpSuExec option. This is because the phpSuExec wrapper depends on some patches applied to Apache's source code, and selecting this option tells easyapache to apply those patches.
Hope this helps.
Yes, vote for php 4.4.3 !
-FL-
LinkBack URL
About LinkBacks
Reply With Quote