The Community Forums


EasyApache 3.18.6 Published

Discussion in 'EasyApache' started by cPLaurenceS, Mar 6, 2013.

  1. cPLaurenceS

    cPLaurenceS cPanel Staff - Technical Writer II (Cobra)
    Staff Member

    Joined:
    Oct 30, 2012
    Messages:
    40
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello, everyone!

    The EasyApache team has published EasyApache 3.18.6

    2013-03-06
    - Implemented Case 63866: Add mod_socache_shmcb module to Apache 2.4
    - Implemented Case 63871: Update Apache from 2.2.23 to 2.2.24
    - Implemented Case 63869: Update Apache from 2.4.3 to 2.4.4

    - Fixed Case 63676: Provide optional symlink protection patch
    - Fixed Case 63881: Report PECL config-set errors and proceed with build
    - Fixed Case 63889: Apply 64-bit pkgconfig and Apache 2.4.4 compatibility patch for CentOS 5.x devices

    EASYAPACHE CHANGE LOG: EasyApache < AllDocumentation/ChangeLog < TWiki
    EASYAPACHE RELEASE NOTES: EAReleaseNotes318 < EasyApache < TWiki

    NOTE: The documentation may take a few hours to sync up between the documentation servers.

    Thanks,
    -ls

    Laurence Simon
    Technical Writer (EasyApache Team)
    cPanel, Inc.
     
  2. NovemberRain

    NovemberRain Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    İstanbul
    cPanel Access Level:
    Root Administrator
  3. cPLaurenceS

    cPLaurenceS cPanel Staff - Technical Writer II (Cobra)
    Staff Member

    The team is watching the first few build reports come back...

    NOTE: If you already use a custom patch for the race condition (for example: FollowSymLinks_to_OwnerMatch.patch), you will need to do one of the following:

    - remove your custom patch before you enable _Symlink Race Condition Protection_
    - do not enable the _Symlink Race Condition Protection_ option

    -ls
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Laurence,

    How about if you are using the patch from Steve (@rack911)? That's been a very popular patch, I believe.

    Is Steven's patch also unnecessary if we enable the option in EasyApache?

    Mike


     
  5. cPLaurenceS

    cPLaurenceS cPanel Staff - Technical Writer II (Cobra)
    Staff Member

    Hi Mike!

    You're referring to the patch that's in the following thread, yes?
    https://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242-p4.html

    The simple answer is: You only need to have one patch for the symlink race condition vulnerability in place.

    (((So, if you're using Steve/rack911's, you don't need to use the one in EasyApache.)))

    But, if you're having issues with his patch or want to minimize the number of optmods, yeah, clear his out and go with the one we're providing.

    FYI, the one we're providing through EasyApache is the Eric Jacobs (Bluehost) patch:
    [patch] Fix cross-user symlink race condition vulnerability

    Thanks,
    -ls

    Laurence Simon
    Technical Writer (EasyApache Team)
    cPanel, Inc.
     
  6. cPLaurenceS

    cPLaurenceS cPanel Staff - Technical Writer II (Cobra)
    Staff Member

    Hi Mike!

    I've got an update regarding the patch from Steve/@rack911.

    We strongly recommend that you remove that patch and use the Eric Jacobs (Bluehost) patch that we're offering through EasyApache.

    We feel that the EasyApache patch handles the symlink race condition vulnerability better.

    Thanks,
    -ls

    Laurence Simon
    Technical Writer (EasyApache Team)
    cPanel, Inc.
     
  7. mtindor

    mtindor Well-Known Member

    Hi Laurence,

    Thanks for the information. However, I'm still unclear on whether the cPanel supplied patch is accomplishing the same thing as the Rack911 patch.

    From my understanding, although the Rack911 patch still leaves the potential for a race condition, the patch itself is designed to specifically prohibit anyone from creating a symlink to a file not owned by the account they are currently symlinking from. And, from what I've read about the cPanel supplied patch (i.e. the BlueHost one), it only addresses the race condition.

    So I think clarification is needed [for myself and for everyone on the forum who is asking or wanting to ask].

    1. Rack911 patch prevents the following of a symlink to a file not belonging to that user. Rack911 patch does not address the potential for a race condition.

    2. BlueHost patch specifically addresses the race condition. BlueHost patch isn't meant to prevent symlinks from being followed when the symlinked file doesn't belong to the owner.

    I think I have that right, but I might not. And if I do have it right, those are important distinctions. One has to then weigh pros and cons. It would be an either-or situation. Either one prevents symlinks from being followed but risks the race condition (Rack911 patch), or one doesn't have to worry about a race condition but then has to worry about symlinks being followed because the patch does not resolve that problem (BlueHost patch).

    Please confer with those within your company and then post back letting us know.

    Thanks!

    Mike

     
  8. cPanelJamyn

    cPanelJamyn Social Engineer
    Staff Member

    Joined:
    Jan 29, 2009
    Messages:
    105
    Likes Received:
    2
    Trophy Points:
    0
    Hi,

    I originally wrote up a more detailed response, but I'd like to fully re-test this patch again before responding. I'll update my post again shortly. Thanks!
     
  9. mtindor

    mtindor Well-Known Member

    Thank you. I appreciate that.

    mike
     
  10. cPLaurenceS

    cPLaurenceS cPanel Staff - Technical Writer II (Cobra)
    Staff Member

    Mike-

    We're working on an update to the documentation, and will post shortly.

    Thanks,
    -ls

    Laurence Simon
    Technical Writer (EasyApache Team)
    cPanel, Inc.
     
  11. Mrg

    Mrg Member

    Joined:
    Feb 8, 2012
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Can we use both patches?

    We patched with "Eric's Patch", but we got problems with /error/ pages and /icons/ (f.e. in vhost: Alias /icons/ "/apache/icons/")
    public_html owned by user1 (971), but the error-pages and icons are wwwrun (30).

    so: Caught race condition abuser. attacker: 971, victim: 30 open file owner: 30

    So what can we do, how do you bypass this issue?
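    The distinction Mike draws in post 7 (an owner-match check versus closing the check-then-open race) and the log line Mrg quotes above both come down to when the file's owner is read. The snippet below is an added illustration written for this thread, not code from the EasyApache, Bluehost or Rack911 patches; the function names, the uid 971/30 scenario and the reuse of the thread's log format are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum sym_result { SYM_OK = 0, SYM_OWNER_MISMATCH = 1, SYM_OPEN_FAILED = 2 };

/*
 * Race-free owner check (illustrative; not the EasyApache/Bluehost patch code).
 * The racy pattern is lstat()/stat() on the path name followed by a separate
 * open(): between the two calls the symlink can be repointed at another
 * user's file. Opening first and then fstat()-ing the descriptor reads the
 * ownership from the inode that was actually opened, so nothing can be
 * swapped in between the check and the use.
 * expected_uid is the uid the request is served as (the vhost/docroot owner).
 */
enum sym_result check_owner(const char *path, uid_t expected_uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY);        /* follows symlinks, as Apache would */
    if (fd < 0) return SYM_OPEN_FAILED;
    if (fstat(fd, &st) < 0) {             /* stat the opened inode, not the name */
        close(fd);
        return SYM_OPEN_FAILED;
    }
    if (st.st_uid != expected_uid) {
        /* The case in the thread: an Alias target owned by wwwrun (uid 30) served
         * for a user with uid 971 trips the check even though no symlink exists. */
        fprintf(stderr, "Caught race condition abuser. attacker: %u, victim: %u open file owner: %u\n",
                (unsigned)expected_uid, (unsigned)st.st_uid, (unsigned)st.st_uid);
        close(fd);
        return SYM_OWNER_MISMATCH;
    }
    close(fd);                            /* a server would keep fd and serve from it */
    return SYM_OK;
}

/* Creates an empty temp file owned by the current user (for trying the check). */
const char *make_owned_temp_file(void)
{
    static char tmpl[] = "/tmp/symowner-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    close(fd);
    return tmpl;
}
```

    Run against a file you own with your own uid it returns SYM_OK; with any other uid it prints the mismatch line and refuses, which is the behaviour Mrg sees for files owned by wwwrun.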
     
  12. ScottTh

    ScottTh Well-Known Member

    Joined:
    Jan 28, 2013
    Messages:
    157
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Hi Mrg,

    The Steve/@rack911 and Bluehost (provided in EasyApache) patches cannot both be used at the same time. Only one of the patches can be used or EasyApache will fail to build. Our documentation about the symlink race condition patch explains this in more detail:
    Symlink Race Condition Protection

    Thank you,
     
  13. Mrg

    Mrg Member

    We compile Apache ourselves,
    so we compiled both patches.

    what about the issue with

    "We patched with "Eric's Patch", but we got problems with /error/ pages and /icons/ (f.e. in vhost: Alias /icons/ "/apache/icons/")
    public_html owned by user1 (971), but the error-pages and icons are wwwrun (30).

    so: Caught race condition abuser. attacker: 971, victim: 30 open file owner: 30

    So what can we do, how do you bypass this issue?"


    thanks
     
  14. cPLaurenceS

    cPLaurenceS cPanel Staff - Technical Writer II (Cobra)
    Staff Member

    "We compile Apache ourselves,
    so we compiled both patches."

    As Scott stated earlier: only one of the patches can be used or EasyApache will fail to build.

    Thanks,
    -ls

    Laurence Simon
    Technical Writer (EasyApache Team)
    cPanel, Inc.
     
  15. Mrg

    Mrg Member

    ok we only have eric's / cpanel patch, but

    "We patched with "Eric's Patch", but we got problems with /error/ pages and /icons/ (f.e. in vhost: Alias /icons/ "/apache/icons/")
    public_html owned by user1 (971), but the error-pages and icons are wwwrun (30).

    so: Caught race condition abuser. attacker: 971, victim: 30 open file owner: 30

    So what can we do, how do you bypass this issue?"
     
  16. cPLaurenceS

    cPLaurenceS cPanel Staff - Technical Writer II (Cobra)
    Staff Member

    We'll be providing more documentation/information on the symlink race condition shortly.

    Thanks,
    -ls

    Laurence Simon
    Technical Writer (EasyApache Team)
    cPanel, Inc.
     