EasyApache February 9 Release

[cPRex]

We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

• libcurl
  • EA-11221: Bump minimum required nghttp2 version to 1.51.0-2
• apr
  • EA-11198: Update apr from v1.7.0 to v1.7.2
  • CVE-2022-24963
    • Integer Overflow or Wraparound vulnerability in apr_encode functions of
      Apache Portable Runtime (APR) allows an attacker to write beyond bounds
      of a buffer.
  • CVE-2021-35940
    • Restore fix for out-of-bounds array dereference in apr_time_exp*() functions.
      (This issue was addressed as CVE-2017-12613 in APR 1.6.3 and
      later 1.6.x releases, but was missing in 1.7.0.)
• apr-util
  • EA-11199: Update apr-util from v1.6.1 to v1.6.3
  • CVE-2022-25147
    • Integer Overflow or Wraparound vulnerability in apr_base64 functions
      of Apache Portable Runtime Utility (APR-util) allows an attacker to
      write beyond bounds of a buffer.
• ea-openssl11
  • EA-11213: Update ea-openssl11 from v1.1.1s to v1.1.1t
    • X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
    • Timing Oracle in RSA Decryption (CVE-2022-4304)
    • Use-after-free following BIO_new_NDEF (CVE-2023-0215)
    • Double free after calling PEM_read_bio_ex (CVE-2022-4450)
• ea-libxml2
  • EA-11205: Update ea-libxml2 from v2.9.7 to v2.10.3
    • [CVE-2022-23308] Use-after-free of ID and IDREF attributes
    • [CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer
    • [CVE-2022-2309] Reset nsNr in xmlCtxtReset
    • [CVE-2022-40304] Fix dict corruption caused by entity reference cycles
    • [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
• ea-php81
• ea-php81-meta
  • EA-11208: Update ea-php81 from v8.1.14 to v8.1.15
• ea-php82
  • EA-11212: Fix PKG_CONFIG_PATH
• ea-php82
• ea-php82-meta
  • EA-11200: Update ea-php82 from v8.2.1 to v8.2.2
• ea-nghttp2
  • EA-11210: Update ea-nghttp2 from v1.49.0 to v1.51.0
  • EA-11221: Have ea-nghttp2 require ea-libnghttp2

SUMMARY

cPanel, L.L.C. has updated packages for EasyApache 4 with APR version 1.7.2, APR-util version 1.6.3, OpenSSL version 1.1.1t, and libxml2 version 2.10.3. This release addresses vulnerabilities related to CVE-2022-24963, CVE-2021-35940, CVE-2022-25147, CVE-2022-4304, CVE-2023-0215, CVE-2022-4450, CVE-2023-0286, CVE-2022-23308, CVE-2022-29824, CVE-2022-2309, CVE-2022-40304, and CVE-2022-40303. We strongly encourage all APR user to upgrade to version 1.7.2, All APR-util users to upgrade to version 1.6.3, all OpenSSL users to upgrade to version 1.1.1t, and all libxml2 users to upgrade to version 2.10.3.

AFFECTED VERSIONS
All versions of APR through 1.7.0.
All versions of APR-util through 1.6.1.
All versions of OpenSSL through 1.1.1s
All versions of libxml through 2.10.2.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2022-24963 – CRITICAL
APR 1.7.2
Fixed vulnerability related to CVE-2022-24963

CVE-2021-35940 – HIGH
APR 1.7.2
Fixed vulnerability related to CVE-2021-35940

CVE-2022-25147 – CRITICAL
APR-util 1.6.3
Fixed vulnerability related to CVE-2022-25147

CVE-2022-4304 – MEDIUM
OpenSSL 1.1.17
Fixed vulnerability related to CVE-2022-4304

CVE-2023-0215 – MEDIUM
OpenSSL 1.1.17
Fixed vulnerability related to CVE-2023-0215

CVE-2022-4450 – MEDIUM
OpenSSL 1.1.17
Fixed vulnerability related to CVE-2022-44509

CVE-2023-0286 – MEDIUM
OpenSSL 1.1.17
Fixed vulnerability related to CVE-2023-0286

CVE-2022-23308 – HIGH
libxml2 2.0.3
Fixed vulnerability related to CVE-2022-23308

CVE-2022-29824 – MEDIUM
libxml2 2.0.3
Fixed vulnerability related to CVE-2022-29824

CVE-2022-2309 – HIGH
libxml2 2.0.3
Fixed vulnerability related to CVE-2022-2309

CVE-2022-40304 – HIGH
libxml2 2.0.3
Fixed vulnerability related to CVE-2022-40304

CVE-2022-40303 – HIGH
libxml2 2.0.3
Fixed vulnerability related to CVE-2022-40303

SOLUTION
cPanel, L.L.C. has released updated packages for EasyApache 4 on February 9, 2023, with APR version 1.7.2, APR-util version 1.6.3, OpenSSL version 1.1.1t, and libxml2 version 2.10.3.. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.

REFERENCES
https://www.cve.org/CVERecord?id=CVE-2022-24963
https://www.cve.org/CVERecord?id=CVE-2021-35940
https://www.cve.org/CVERecord?id=CVE-2022-25147
https://www.cve.org/CVERecord?id=CVE-2022-4304
https://www.cve.org/CVERecord?id=CVE-2023-0215
https://www.cve.org/CVERecord?id=CVE-2022-4450
https://www.cve.org/CVERecord?id=CVE-2023-0286
https://www.cve.org/CVERecord?id=CVE-2022-23308
https://www.cve.org/CVERecord?id=CVE-2022-29824
https://www.cve.org/CVERecord?id=CVE-2022-2309
https://www.cve.org/CVERecord?id=CVE-2022-40304
https://www.cve.org/CVERecord?id=CVE-2022-40303
https://downloads.apache.org/apr/CHANGES-APR-1.7
https://downloads.apache.org/apr/CHANGES-APR-UTIL-1.6
https://www.openssl.org/news/openssl-1.1.1-notes.html
https://gitlab.gnome.org/GNOME/libxml2/-/releases

For a signed version of this advisory please visit https://news.cpanel.com/wp-content/uploads/2023/02/EA4-2023-2-9-CVE.signed.txt