how can I tell if my cpanel ssh is patched?

rpm -q --changelog

The --changelog argument to the rpm command will let you query installed packages to see the changelog. This will let you see which CVEs have had patches applied.

Code:

# rpm -q --changelog openssl
* Fri Mar 12 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.6
- fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924)

* Thu Mar 04 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.5
- fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which
  in the RHEL-5 and newer versions will crash in such case (#569774)

This can generate a very long list covering the entire history of the package, so you may want to pipe the output to a file then read the file using less:

Code:

# rpm -q --changelog openssl > openssl.changelog
# less openssl.changelog

Due to the way Red Hat manages version numbers (and CentOS follows), the version number is not always updated when a CVE is patched, so it is necessary to read the changelog to find proof that a patch was applied.

If you have a specific CVE number, as you do, you can use grep to check quickly to see if it is mentioned in the changelog:

Code:

# rpm -q --changelog openssh > openssh.changelog
# grep CVE-2006-5051 openssh.changelog 
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
# grep CVE-2006-5052 openssh.changelog 
- fix an information leak in Kerberos password authentication (CVE-2006-5052)

 

Only for RPM packages

This technique will only work for services that are installed via RPM package, such as MySQL, Pure-FTPd, ProFTPd, Exim, Courier-IMAP and Dovecot. Since Apache is built from source, not installed via RPM package, on a cPanel server, the rpm database will have no information about it.

You can see the list of modules compiled into Apache using the following command:

Code:

# /usr/local/apache/bin/httpd -l

You can get version information about Apache using the following command:

Code:

# /usr/local/apache/bin/apachectl status

You can see the configure command used to compile PHP, and all extensions included and configured settings, using the following command:

Code:

# php -i

The output is usually lengthy, so I recommend redirecting it to a file. It is the same as creating the following PHP script and calling it from a Web browser:

Code:

<?php
    phpinfo();
?>

 

Re: CVE-2008-2939: mod_proxy_ftp

Via a quick search I found the following resources that you may review regarding CVE-2008-2939:

• Common Vulnerabilities and Exposures (CVE) - CVE-2008-2939
• National Vulnerability Database (NVD) - CVE-2008-2939
• Apache httpd 2.2 vulnerabilities - The Apache HTTP Server Project
• Apache httpd 2.0 vulnerabilities - The Apache HTTP Server Project

I believe that if you do not have mod_proxy installed in Apache/httpd then the vulnerability (CVE-2008-2939) may not apply.

Using one of the same commands mentioned by cPanelJared you may determine if the Apache/httpd installation includes mod_proxy_ftp.

The Apache module "mod_proxy" includes "mod_proxy_ftp" -- you may disable or remove mod_proxy altogether by unticking/unchecking its option in the Exhaustive Options list while running EasyApache to recompile Apache and PHP.

Reference menu path and additional documentation:

• WHM: Main >> Software >> EasyApache (Apache Update) >> Exhaustive Options
• Apache & cPanel/WHM (EasyApache3) >> The Options Lists

While you may use WHM to run EasyApache, you may also execute EasyApache using the following command via root SSH access:

Code:

# /scripts/easyapache