The Community Forums

Interact with an entire community of cPanel & WHM users!

cPanel - Release security fixes first, enhancements later...

Discussion in 'Security' started by Reado, Jul 11, 2012.

  1. Reado

    Reado Well-Known Member

    Why hasn't PHP 5.3.14 been released yet in an EasyApache update? It's been over 3 weeks since the update was made available on PHP.net and despite the security fixes it introduces, it's still not available!
     
    #1 Reado, Jul 11, 2012
    Last edited: Jul 11, 2012
  2. NetMantis

    NetMantis BANNED

    I concur with and very much share Reado's sentiments above ...

    Lately, cPanel releases support for new versions of PHP roughly around the time of the next release, so it is always a release or two behind the latest updates and security patches.

    Often I have to manually compile my own PHP just to keep up with the newest version, and then cPanel eventually comes up with its own update for EasyApache about the time that version is obsolete.

    For major release changes like adding PHP v5.4.x support, I can understand the delay in adding support for such major releases as there are obvious inherent compatibility issues to sort out, but when dealing with minor release changes from say 5.3.13 to 5.3.14, those should basically be picked up automatically, at or very close to the moment they are initially released!

    The extended delay getting support for major component updates like that can actually put a whole lot of cPanel users in potential jeopardy, especially when new security issues are discovered and everyone out there is immediately patched except for the cPanel users still waiting on their own update to be released.

    Fortunately, I'm able to jump ahead and directly compile my own updates manually but not everyone is able to do that and the rest of everyone out there shouldn't have to wait weeks or months to get their own updates!
     
  3. Reado

    Reado Well-Known Member

    It's blatantly obvious to me that cPanel simply doesn't prioritise security updates over enhancements. The latest EA release is a great example:

    Fixed case 59437: MPM Event and mod_perl are incompatible with non-threaded perl
    Fixed case 59540: mod_qos requires non-default MaxClients in httpd.conf
    Fixed case 59731: Correct ZendOpt/ZendLoader version in EasyApache UI
    Fixed case 59784: Exhaustive Options page is blank when no PHP version selected (HTML interface only)
    Fixed case 59952: PHP 5.3.14 released to resolve CVE-2012-2386 and CVE-2012-2143
    Fixed case 59971: Patch Apache 2.x for CVE-2012-0883

    Fixed case 59995: Include experimental support for PHP 5.4.4
    Implemented case 57536: EasyApache: Remove PHP4 (all versions)
    Implemented case 59127: Update EasyApache to mod_perl 2.0.6
    Implemented case 59635: Block EA when PHP4 is configured with mod_php

    There are 3 security updates and 8 enhancements. This EA release has been delayed numerous times, which in turn has delayed the release of the Apache and PHP security updates. I'm not bothered about the enhancements above - a secure server is my biggest concern.

    cPanel - I really want to know why it's taken so long for these updates to be released!
     
    #3 Reado, Jul 11, 2012
    Last edited: Jul 11, 2012
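As an added example (not cPanel's or EasyApache's own code), a small shell check an administrator could run while waiting on the vendor build: it reads the version from `php -v` output and reports which of the CVEs named in the changelog above are still unfixed on the 5.3 branch. The fix version 5.3.14 and the two CVE ids come from the thread; the banner is constructed, and `version_ge`, `php_version_from_banner`, `unfixed_cves` and `report` are names I chose.

```shell
#!/bin/sh
# Added example, not cPanel or EasyApache code. While an EasyApache update is
# pending, compare the PHP version a server actually runs with the first
# release that shipped the fixes named in this thread (5.3.14 resolved
# CVE-2012-2386 and CVE-2012-2143). Only the 5.3 branch is mapped, because
# that is the only mapping the thread states.

# version_ge A B: succeed when dotted numeric version A >= B (5.3.13 vs 5.3.14).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each side
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0                                  # all components equal
}

# Pull "5.3.13" out of the first line of `php -v` output read from stdin.
php_version_from_banner() {
    sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# Print, one per line, the CVEs from the thread that version $1 still lacks
# fixes for. Empty output means nothing flagged; branches other than 5.3 are
# not mapped here, so for them "no output" means unknown, not safe.
unfixed_cves() {
    case "$1" in
        5.3|5.3.*)
            version_ge "$1" 5.3.14 || printf '%s\n' CVE-2012-2386 CVE-2012-2143 ;;
    esac
}

# Constructed banner standing in for a box still on the pre-fix build.
SAMPLE_BANNER='PHP 5.3.13 (cli) (built: Jun  1 2012 00:00:00)
Copyright (c) 1997-2012 The PHP Group'

# report BANNER: human-readable verdict; non-zero status when fixes are missing.
report() {
    ver=$(printf '%s\n' "$1" | php_version_from_banner)
    cves=$(unfixed_cves "$ver")
    if [ -n "$cves" ]; then
        printf 'PHP %s is missing fixes for:\n%s\n' "$ver" "$cves"
        return 1
    fi
    printf 'PHP %s: no unfixed CVEs known from this list\n' "$ver"
}

report "$SAMPLE_BANNER" || echo "(non-zero status is what a cron job would alert on)"
# Live use:  report "$(php -v 2>/dev/null)"
```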
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  5. Reado

    Reado Well-Known Member

  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Specific timelines are rarely going to be given for releasing a new version. This is because we have to have quality assurance control on version releases before they are placed into production environments. Since the same EasyApache is used on all 4 tiers, including STABLE, any PHP updates would need to keep that in mind.
     
  7. Reado

    Reado Well-Known Member

    You're missing the point - you've bundled security updates and enhancements together instead of releasing the security updates first and the enhancements afterwards. No one has explained yet why this was done.
     
  8. cPanelJamyn

    cPanelJamyn Social Engineer
    Staff Member

    Hi Reado,

    I can appreciate the point you're making, and will bring up prioritization criteria at the next EasyApache meeting. Thank you.
     
  9. Reado

    Reado Well-Known Member

    Please also mention in your meeting that the release of EA 3.14 is the worst release ever. Today I have been in constant contact with cPanel support pointing out bugs in EA that shouldn't have allowed it to pass QA.

    For example, cPanel support suggested I use APC with PHP 5.4. APC 3.1.10 is showing as available on the PHP PECL page, but when you install it, APC 3.1.9 is installed instead. Then, at the end of the build, PHP PECL says the extension has been added to php.ini (when in fact it has not!) and then complains the APC.so file is not installed, which is correct because it's actually "apc.so" (lowercase)! When you refresh the PHP PECL page, it says APC is installed, but when you try to update it to 3.1.10, it says it's not installed!

    When you re-run EA 3.14 with PHP 5.4 already installed and selected, part way through the process EA removes ALL PECL extensions because they "do not exist", but still says the build has completed successfully, instead of rolling back to the backup. So this leaves me with a broken installation. By remove, I mean the PHP PECL page says no extensions are installed!

    I have requested to be rolled back to EA 3.13 so I can restore my server environment to a stable state as I don't believe EA 3.14 is doing anything good to my servers. It is not production-ready and should never have been released.
     
  10. Reado

    Reado Well-Known Member

    Found another EA 3.14 bug. Magic Quotes has been removed as of PHP 5.4, but you have not removed the option if PHP 5.4 is selected. In my test case, I selected PHP 5.4 but not Magic Quotes. After the build, I ran "php -v" and the following happened:

    root@web3 [~]# php -v

    Fatal error: Directive 'magic_quotes_gpc' is no longer available in PHP in Unknown on line 0
    root@web3 [~]#
     
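As an added example (not from cPanel or the thread's author), a pre-flight scan of php.ini for directives that PHP 5.4 no longer accepts, which is the condition behind the fatal error shown above: run it after a build and before restarting the web server, and a file that would make every `php` invocation abort is caught first. Only `magic_quotes_gpc` comes from the thread; the rest of the list is from my recollection of the PHP 5.4 migration notes and should be checked against php.net, and the php.ini sample is constructed.

```shell
#!/bin/sh
# Added example, not cPanel or EasyApache code. The build described above left
# magic_quotes_gpc in php.ini for a PHP 5.4 binary, so every php invocation
# aborted at startup. This pre-flight scan lists active php.ini directives that
# PHP 5.4 rejects, so a broken file is caught before the web server restarts.

# magic_quotes_gpc is the directive from this thread; the others were removed
# in the same release per the PHP 5.4 migration notes (from memory, verify
# against php.net before relying on this list).
REMOVED_IN_54='magic_quotes_gpc magic_quotes_runtime magic_quotes_sybase
register_globals register_long_arrays safe_mode allow_call_time_pass_reference
define_syslog_variables session.bug_compat_42 session.bug_compat_warn
y2k_compliance'

# Read a php.ini on stdin and print "line:directive" for each active
# (uncommented) setting PHP 5.4 would refuse. Exit 1 if any were found.
scan_ini_for_removed() {
    awk -v list="$REMOVED_IN_54" '
        BEGIN { n = split(list, arr, "[ \t\n]+"); for (i = 1; i <= n; i++) removed[arr[i]] = 1 }
        /^[ \t]*[;#]/ || /^[ \t]*$/ || /^[ \t]*\[/ { next }   # comments, blanks, [sections]
        {
            key = $0
            sub(/[ \t]*=.*$/, "", key)                         # drop "= value"
            sub(/^[ \t]+/, "", key)                            # drop indentation
            if (key in removed) { found++; printf "%d:%s\n", NR, key }
        }
        END { exit (found > 0) }'
}

# Constructed php.ini fragment shaped like the reporter's case: the 5.4 build
# wrote magic_quotes_gpc into the file; the commented-out copy is harmless.
SAMPLE_INI='[PHP]
engine = On
; magic_quotes_gpc = Off
magic_quotes_gpc = Off
register_globals = Off
display_errors = Off'

if printf '%s\n' "$SAMPLE_INI" | scan_ini_for_removed; then
    echo "php.ini is clean for PHP 5.4"
else
    echo "the directives above would make 'php -v' abort with a fatal error"
fi
# Live use on a real file:  scan_ini_for_removed < /path/to/php.ini
```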