go-pear.phar security breach

Karateka

According to the PEAR developers, go-pear.phar was breached. Our servers don't use this, but has this been used in cPanel development?
 

cPanelMichael

Hello @Karateka,

This topic was brought up internally as part of case CPANEL-25204. Here's a summary of the information provided in this case:

We build PEAR from GitHub (CpanelInc/scl-php-pear), which is a source that was not reported as compromised. Since we don't pull in from go-pear.phar in our RPM, the conclusion is that cPanel & WHM is unaffected by this reported security breach.
Transparency is important to us, so should new information arise suggesting otherwise (on this particular issue or any future security issue), we'll share that information with the public.

Thank you.
 

cPanelMichael

So what will be a workaround to install PHP 7.2 modules since the PEAR server is down?

Hello @vlee,

The actual PEAR modules are not yet available for download by PEAR, but here's the latest update from the official PEAR Twitter feed:

@pear

We *might* have the PEAR - PHP Extension and Application Repository site back up by the end of this week, at least to the point where the `pear` CLI command is able to retrieve package tarballs for installation. We're at least close to that milestone in our recovery.

Thank you.