go-pear.phar security breach

Karateka

Active Member
Apr 14, 2003
34
1
233
Austin, Texas
cPanel Access Level
Root Administrator
Twitter
According to the PEAR developers, go-pear.phar was breached. Our servers don't use this, but has this been used in cPanel development?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello @Karateka,

This topic was brought up internally as part of case CPANEL-25204. Here's a summary of the information provided in this case:

We build PEAR from GitHub (CpanelInc/scl-php-pear), which is a source that was not reported as compromised. Since we don't pull in from go-pear.phar in our RPM, the conclusion is that cPanel & WHM is unaffected by this reported security breach.
Transparency is important to us, so should new information arise suggesting otherwise (on this particular issue or any future security issue), we'll share that information with the public.

Thank you.
 
  • Like
Reactions: dstana

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
So what will be a work around to install PHP 7.2 modules since PEAR server is down?
Hello @vlee,

The actual PEAR modules are not yet available for download by PEAR, but here's the latest update from the official PEAR Twitter feed:

@pear

We *might* have the `PEAR - PHP Extension and Application Repository ` site back up by the end of this week, at least to the point where the `pear` CLI command is able to retrieve package tarballs for installation. We're at least close to that milestone in our recovery.
Thank you.