
EasyApache 4 May 29 Release

Discussion in 'EasyApache' started by cPanelPhilH, May 29, 2019.

    cPanelPhilH (Community Manager, Staff Member)

    Update 5:14pm Central US Time: Some customers encountered errors with our mod_security2 update to 2.9.3 and we have removed it from our mirrors to prevent further problems. There was a two-hour window where server owners may have upgraded. If you find a server experiencing problems with mod_security in that condition, one potential solution may be to downgrade the mod_security RPM to resolve the issue using the command below.

    yum downgrade ea-apache24-mod_security2

    _____________
    We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! This release includes updates to multiple modules including apr, libcurl, nodejs10, sourceguardian, and ruby24. Take a look at some highlights below, and then join us on Slack, Discord, or Reddit to talk about this update and much more.

    • apr
      • EA-8471 - Update apr from v1.6.5 to v1.7.0

    • ea-apache2-config
      • EA-8436 - Mailman aliases exist in httpd.conf after it's disabled via Tweak Settings

    • ea-freetds
      • EA-8462 - Update freetds from 1.00.27 to 1.1.6

    • ea-nghttp2
      • EA-8473 - Update ea-nghttp2 from v1.32.0 to v1.38.0

    • ea-nodejs10
      • EA-8469 - Update ea-nodejs10 from v10.15.0 to v10.15.3

    • libcurl
      • EA-8475 - Update libcurl from v7.64.1 to v7.65.0
      • CVE-2019-5435: Integer overflows in curl_url_set
      • CVE-2019-5436: tftp: use the current blksize for recvfrom()

    • mod_security2
      • EA-8081 - Update Mod_security2 to 2.9.3

    • scl-sourceguardian
      • EA-8465 - Update Sourceguardian to 11.3

    • ea-ruby24, ea-ruby24-meta
      • EA-8466 - Update ea-ruby24 to 2.4.6
      • CVE-2019-8320: Delete directory using symlink when decompressing tar
      • CVE-2019-8321: Escape sequence injection vulnerability in verbose
      • CVE-2019-8322: Escape sequence injection vulnerability in gem owner
      • CVE-2019-8323: Escape sequence injection vulnerability in API response handling
      • CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
      • CVE-2019-8325: Escape sequence injection vulnerability in errors

    This release includes a security patch that fixes a CVE (Common Vulnerabilities and Exposures), the details of which are included below.

    SUMMARY
    cPanel, L.L.C. has updated RPMs for EasyApache 4 with libcurl version 7.65.0 and Ruby version 2.4.6. This release addresses vulnerabilities related to CVE-2019-5435, CVE-2019-5436, CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, and CVE-2019-8325. We strongly encourage all libcurl users to upgrade to version 7.65.0 and all Ruby users to upgrade to version 2.4.6.


    AFFECTED VERSIONS
    All versions of libcurl through 7.64.1
    All versions of Ruby through 2.4.5


    SECURITY RATING
    The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

    CVE-2019-5435 - MEDIUM - fixed in libcurl 7.65.0
    CVE-2019-5436 - MEDIUM - fixed in libcurl 7.65.0
    CVE-2019-8320 - MEDIUM - fixed in Ruby 2.4.6
    CVE-2019-8321 - MEDIUM - fixed in Ruby 2.4.6
    CVE-2019-8322 - MEDIUM - fixed in Ruby 2.4.6
    CVE-2019-8323 - MEDIUM - fixed in Ruby 2.4.6
    CVE-2019-8324 - MEDIUM - fixed in Ruby 2.4.6
    CVE-2019-8325 - MEDIUM - fixed in Ruby 2.4.6

    SOLUTION
    cPanel, L.L.C. has released updated RPMs for EasyApache 4 on May 29, 2019, with updated versions of libcurl version 7.65.0 and Ruby version 2.4.6. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM's Run System Update interface.


    REFERENCES
    NVD - CVE-2019-5435
    NVD - CVE-2019-5436
    NVD - CVE-2019-8320
    NVD - CVE-2019-8321
    NVD - CVE-2019-8322
    NVD - CVE-2019-8323
    NVD - CVE-2019-8324
    NVD - CVE-2019-8325
    curl - Changes
    Multiple vulnerabilities in RubyGems



    For the PGP-signed message, please see EA4-2019-5-29-CVE.signed.

    More Information

    Information about all releases this year can be found in the 2019 EasyApache 4 Changelog and the EasyApache 4 Release Notes. To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the Product and Security updates mailing list on our website. You can also sign up for our EasyApache Development and EasyApache Production lists to see when updates are pushed for our RPMs, letting you know ahead of time what will be updated in each EasyApache release.
     
    #1 cPanelPhilH, May 29, 2019
    Last edited by a moderator: May 29, 2019
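As an added example (not cPanel's code), a POSIX shell check that classifies installed EasyApache 4 packages against the fixed versions listed in this release and flags the withdrawn mod_security2 2.9.3 build that the update note says to downgrade. Only ea-apache24-mod_security2 is named on the page; the other package names (ea-libcurl, ea-ruby24-ruby, ea-apr, ea-nghttp2) and the rpm query format are assumptions, so adjust them to what `rpm -qa` shows on your server.

```shell
#!/bin/sh
# Added example, not cPanel's code: classify EasyApache 4 packages against
# the fixed versions in this release and flag the withdrawn mod_security2
# 2.9.3 build.  Package names other than ea-apache24-mod_security2 are assumed.

# Numeric, component-wise comparison of two dotted versions: prints lt/eq/gt.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$a" = "$x" ] && a='' || a=${a#*.}
    [ "$b" = "$y" ] && b='' || b=${b#*.}
    if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return; fi
  done
  echo eq
}

# Fixed versions from the release notes above (package names assumed).
fixed_version() {
  case $1 in
    ea-libcurl)     echo 7.65.0 ;;   # CVE-2019-5435, CVE-2019-5436
    ea-ruby24-ruby) echo 2.4.6 ;;    # CVE-2019-8320 .. CVE-2019-8325
    ea-apr)         echo 1.7.0 ;;
    ea-nghttp2)     echo 1.38.0 ;;
    *) return 1 ;;
  esac
}

# One package: ok, vulnerable, pulled (the withdrawn mod_security2 2.9.3
# build, the `yum downgrade` case from the post) or unknown.
classify() {
  if [ "$1" = ea-apache24-mod_security2 ]; then
    [ "$(vercmp "$2" 2.9.3)" = eq ] && echo pulled || echo ok
    return
  fi
  fixed=$(fixed_version "$1") || { echo unknown; return; }
  [ "$(vercmp "$2" "$fixed")" = lt ] && echo vulnerable || echo ok
}

# Reads "NAME VERSION" lines, e.g. from rpm -qa --qf '%{NAME} %{VERSION}\n'.
report() { while read -r pkg ver; do
  printf '%-26s %-8s %s\n' "$pkg" "$ver" "$(classify "$pkg" "$ver")"; done; }
# Constructed sample input so the script runs offline.
report <<'EOF'
ea-libcurl 7.64.1
ea-ruby24-ruby 2.4.6
ea-apache24-mod_security2 2.9.3
ea-apr 1.6.5
EOF
```

On a real server, replace the heredoc with `rpm -qa --qf '%{NAME} %{VERSION}\n' | report` so the classification runs over the installed RPM set.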