The Community Forums

Interact with an entire community of cPanel & WHM users!

Information about cPanel & WHM 11.30, 11.32, and 11.34 Recent Updates

Discussion in 'cPanel Announcements' started by Infopro, Dec 6, 2012.

  1. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    May 20, 2003
    cPanel Access Level:
    Root Administrator

    cPanel & WHM, which fixes multiple security issues, is now available for download.

    cPanel has rated these updates as having important security impact.
    Information on security ratings is available at SecurityLevels < AllDocumentation < TWiki.


    The Perl Storable module provides support for serialization and deserialization of Perl data structures. In cPanel & WHM this functionality is used for caching data to disk and transferring data between processes. In many areas this caching and interprocess communication crosses privilege separation boundaries. A local malicious user could use this behavior to inject code into serialized data structures, thus allowing for code execution and possibility of privilege escalation.

    The Perl YAML::Syck module provides similar functionality as the Storable module. The version of YAML::Syck used in previous releases of cPanel & WHM allowed serialized data to be blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.

    The version of Locale::Maketext used in previous releases of cPanel & WHM suffered from two flaws in the _compile() function which allowed authenticated users to execute arbitrary code by supplying specially crafted translatable phrases.

    cPanel & WHM relies on the Crypt::Passwd::XS Perl module to perform password hashing. This module suffers from the same vulnerability disclosed in CVE-2012-2143 where passwords with the 0x80 character are truncated when hashed using the DES crypt algorithm. cPanel & WHM systems are configured by default to use the stronger MD5 and SHA512 crypt password hashing algorithms.

    The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized user input to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system bypassing normal restrictions on local code execution.

    These issues were discovered by various members of the Development and Quality Assurance teams at cPanel.


    We recommend updating your cPanel & WHM system as follows:

    Update cPanel & WHM 11.30 to or newer.
    Update cPanel & WHM 11.32 to or newer.
    Update cPanel & WHM 11.34 to or newer.

    To check which version of cPanel you have, go to What's my cPanel & WHM version number?

    A full listing of published versions can always be found at Downloads - cPanel Inc..


    Multiple privilege escalation vulnerabilities due to the use of Storable for serialization:
    Case 59926 | cPanel, Inc.
    Password hashes truncated by 0x80 characters:
    Case 60203 | cPanel, Inc.
    Privilege escalation vulnerabilities due to the use of YAML::Syck for serialization:
    Case 60970 | cPanel, Inc.
    Arbitrary code execution via translatable phrases due to the use of Locale::Maketext:
    Case 61251 | cPanel, Inc.
    Shell code injection via translatable phrases in Cpanel::Locale:
    Case 62230 | cPanel, Inc.
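    As an added example (not part of the original post and not cPanel's code), a Perl check for the truncation behaviour described above for CVE-2012-2143: it hashes a password with and without extra bytes after a 0x80 character and reports whether the hashes collide. It assumes only core Perl; the builtin crypt delegates to the system libc, so to test a different implementation pass its routine instead, e.g. \&Crypt::Passwd::XS::crypt (assumed to take password and salt in that order).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Returns 1 if the hashing routine ignores everything after a 0x80 byte
# (the CVE-2012-2143 pattern), 0 if it does not, or undef if the salt
# scheme is unsupported by the routine on this system.
sub truncates_after_0x80 {
    my ($hash_fn, $salt) = @_;
    my $base    = "secret";
    my $longer  = $base . "\x80" . "tail";   # same prefix, extra bytes after 0x80
    my $control = $base . "tail";            # no 0x80: must hash differently

    my $h_base    = $hash_fn->($base,    $salt);
    my $h_longer  = $hash_fn->($longer,  $salt);
    my $h_control = $hash_fn->($control, $salt);
    return undef unless defined $h_base && defined $h_longer && defined $h_control;

    # Sanity check: a routine that never looks at the password is broken anyway.
    die "hash routine ignores its input\n" if $h_base eq $h_control;
    return $h_base eq $h_longer ? 1 : 0;
}

# Salts selecting the three crypt schemes mentioned in the announcement.
# The salt strings themselves are constructed sample values.
my %schemes = (
    'DES crypt'    => 'ab',
    'MD5 crypt'    => '$1$saltsalt$',
    'SHA512 crypt' => '$6$saltsalt$',
);

# Core crypt() wraps libc crypt(3); swap in another coderef to test a module.
my $routine = sub { crypt($_[0], $_[1]) };

for my $name (sort keys %schemes) {
    my $t = truncates_after_0x80($routine, $schemes{$name});
    printf "%-13s %s\n", $name,
        !defined $t ? "unsupported on this system"
        : $t        ? "TRUNCATES after 0x80 (affected)"
        :             "ok";
}
```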
  2. burn1024

    burn1024 Member

    Dec 14, 2012
    cPanel Access Level:
    Root Administrator
    Mysql2 Munin plugin is broken with this update:

    2012/12/14-06:10:09 [16867] Error output from mysql_table_locks:
    2012/12/14-06:10:09 [16867] Cannot restore overloading on HASH(0x2054bf0) (package <unknown>) at blib/lib/ (autosplit into blib/lib/auto/Storable/ line 438, at /usr/local/share/perl5/Cache/ line 118.
    2012/12/14-06:10:09 [16867] Service 'mysql_table_locks' exited with status 255/0.

    Please fix that.
  3. cPanelNick

    cPanelNick Administrator
    Staff Member

    Mar 9, 2015
    cPanel Access Level:
    DataCenter Provider
    Once the security team validates that resolving this won't create a security hole, they will push out a patch for it.
