Is the libxslt in easyapache subject to the new exploit?

cPanelKenneth

cPanel Development
Staff member
We currently provide libxslt-1.1.24. If I read the report correctly, that version is immune to the problem. However, if you compiled this library some time ago, it will need to be updated and recompiled.
 

cPDan

cPanel Staff
Staff member
In addition, you'd not want to update the library only and not do Apache and friends as well.

The reason is that Apache, PHP, Mod Security, etc. may or may not be statically or dynamically linked to any given group of those libraries.

Hence updating the libraries would
- at best not affect the version in use by a given binary (i.e. the vulnerability is still present)
- at worst break things, probably in subtle and hard to troubleshoot ways

Granted, it may be just fine as well, but why risk it or bother :)
 

Morley

Well-Known Member
> We currently provide libxslt-1.1.24. If I read the report correctly, that version is immune to the problem. However, if you compiled this library some time ago, it will need to be updated and recompiled.

Not according to this:

> Programs affected: libxslt-1.1.24 and some earlier versions.

Source: http://scary.beasts.org/security/CESA-2008-003.html

My version seems to be 1.1.11 on my WHM 11.23.2 cPanel 11.23.4-S26138
CENTOS Enterprise 4.6 i686 on standard - WHM X v3.1.0

It's not clear to me if my system is vulnerable. :confused:

Oh, I just saw this:

> Affected version: libxslt >= 1.1.8, <= 1.1.24

Does this mean 1.1.11 is vulnerable? If so, how do I apply the patch?

Thanks
 

cPDan

cPanel Staff
Staff member
> Not according to this:
> Programs affected: libxslt-1.1.24 and some earlier versions. Source: http://scary.beasts.org/security/CESA-2008-003.html
>
> My version seems to be 1.1.11 on my WHM 11.23.2 cPanel 11.23.4-S26138
> CENTOS Enterprise 4.6 i686 on standard - WHM X v3.1.0
>
> It's not clear to me if my system is vulnerable. :confused:

If it included 1.1.24 and earlier, then it's safe to assume that you are affected by this.

As soon as they have an update we'll publish an update on our end of course.

You can watch here to see what the latest is:

ftp://xmlsoft.org/libxslt/

and you can watch here to see when we update it:

http://changelog.cpanel.net/?treeview=easyapache

There is a feed you can subscribe to there for convenience.
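
The two checks this thread turns on, as an added example that is not part of any post here and not cPanel's own tooling: whether a version such as 1.1.11 falls inside the quoted range (libxslt >= 1.1.8, <= 1.1.24), and whether a given binary loads libxslt as a shared library at all. The function names and the script name are made up for illustration; `xslt-config` and `ldd` are assumed to be installed.

```shell
#!/bin/sh
# Added example (not cPanel tooling). Bounds are the range quoted in the
# thread: libxslt >= 1.1.8, <= 1.1.24. Versions are assumed purely numeric.
AFFECTED_MIN="1.1.8"
AFFECTED_MAX="1.1.24"

# ver_cmp A B: print -1, 0 or 1. Fields are compared as integers, so 1.1.11
# sorts after 1.1.8; a plain string comparison would get that wrong.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=""; else b=${b#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then echo -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo 1; return 0; fi
    done
    echo 0
}

# in_affected_range V: succeed if AFFECTED_MIN <= V <= AFFECTED_MAX.
in_affected_range() {
    [ "$(ver_cmp "$1" "$AFFECTED_MIN")" -ge 0 ] &&
        [ "$(ver_cmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# linked_libxslt BINARY: print the shared libxslt path ldd resolves for the
# binary. Empty output means libxslt is unused or was linked in statically,
# so swapping the shared library leaves that binary unchanged.
linked_libxslt() {
    ldd "$1" 2>/dev/null | awk '/libxslt\.so/ { print $3 }'
}

# Usage: sh check_libxslt.sh BINARY...   (paths are supplied by the operator)
if [ "$#" -gt 0 ]; then
    # xslt-config reports the installed development copy, which is not
    # necessarily the copy a statically linked binary was built against.
    v=$(xslt-config --version 2>/dev/null) || v=""
    if [ -z "$v" ]; then echo "libxslt version unknown (no xslt-config)"
    elif in_affected_range "$v"; then echo "libxslt $v is in the affected range"
    else echo "libxslt $v is outside the affected range"
    fi
    for bin in "$@"; do
        so=$(linked_libxslt "$bin")
        [ -n "$so" ] || so="no shared libxslt (unused or static; needs a rebuild)"
        echo "$bin: $so"
    done
fi
```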