Is the libxslt in easyapache subject to the new exploit?

Discussion in 'EasyApache' started by BianchiDude, Jul 31, 2008.

  1. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    We currently provide libxslt-1.1.24. If I read the report correctly, that version is immune to the problem. However, if you compiled this library some time ago, it will need to be updated and recompiled.
     
  3. cPDan

    cPDan cPanel Staff
    Staff Member

    In addition, you'd not want to update the library only and not do Apache and friends as well.

    The reason is that Apache, PHP, Mod Security, etc. may or may not be statically or dynamically linked to any given group of those libraries.

    Hence updating the libraries would
    - at best not affect the version in use by a given binary (i.e. the vulnerability is still present)
    - at worst break things, probably in subtle and hard-to-troubleshoot ways

    Granted, it may be just fine as well, but why risk it or bother :)
     
  4. Morley

    Morley Well-Known Member

    Not according to this:
    Programs affected: libxslt-1.1.24 and some earlier versions. Source: http://scary.beasts.org/security/CESA-2008-003.html

    My version seems to be 1.1.11 on my WHM 11.23.2 cPanel 11.23.4-S26138
    CENTOS Enterprise 4.6 i686 on standard - WHM X v3.1.0

    It's not clear to me if my system is vulnerable. :confused:

    Oh, I just saw this:
    Affected version: libxslt >= 1.1.8, <= 1.1.24

    Does this mean 1.1.11 is vulnerable? If so, how do I apply the patch?

    Thanks
     
    #4 Morley, Aug 1, 2008
    Last edited: Aug 1, 2008
  5. cPDan

    cPDan cPanel Staff
    Staff Member

    If it included 1.1.24 and earlier, then it's safe to assume that you are affected by this.

    As soon as they have an update we'll publish an update on our end of course.

    You can watch here to see what the latest is:

    ftp://xmlsoft.org/libxslt/

    and you can watch here to see when we update it:

    http://changelog.cpanel.net/?treeview=easyapache

    There is a feed you can subscribe to there for convenience.
     
  6. Morley

    Morley Well-Known Member

    Thanks, I'll keep my eyes open for it.
     
  7. labahost

    labahost Well-Known Member

    Is it already fixed?
     
  8. cPDan

    cPDan cPanel Staff
    Staff Member

    EasyApache has the latest. My previous post has more details.
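
Added example, not part of any post in this thread and not cPanel's code: a shell script for the check the replies above imply, reporting which libxslt each binary resolves at run time and testing that version against the range quoted in the thread (>= 1.1.8, <= 1.1.24). The function names, the sample ldd output and the assumption that the installed library file name carries the release number are this example's own.

```shell
#!/bin/sh
# Added example, not cPanel's code. Range 1.1.8..1.1.24 is the one quoted in the thread.

# "1.1.11" -> 1001011 so versions compare as integers (three numeric fields assumed).
ver_to_int() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Exit status 0 when the version lies inside the affected range.
libxslt_affected() {
    [ "$(ver_to_int "$1")" -ge "$(ver_to_int 1.1.8)" ] &&
        [ "$(ver_to_int "$1")" -le "$(ver_to_int 1.1.24)" ]
}

# Read ldd output on stdin; print the libxslt path the loader resolves, if any.
libxslt_from_ldd() {
    awk '!seen && $1 ~ /^libxslt\.so/ && $2 == "=>" { print $3; seen = 1 }'
}

# Release number from a real file name such as /usr/lib/libxslt.so.1.1.11.
# Assumption: the installed file name carries the libxslt release number.
version_from_path() {
    case "$1" in
        *libxslt.so.*.*.*) echo "${1##*libxslt.so.}" ;;
        *) return 1 ;;
    esac
}

# Report which libxslt one binary loads at run time and whether it is in range.
check_binary() (
    lib=$(ldd "$1" 2>/dev/null | libxslt_from_ldd)
    if [ -z "$lib" ]; then
        echo "$1: no dynamic libxslt (static copy or unused); replacing the .so changes nothing here"
    elif ! ver=$(version_from_path "$(readlink -f "$lib")"); then
        echo "$1: $lib (version not in file name)"
    elif libxslt_affected "$ver"; then
        echo "$1: libxslt $ver AFFECTED, rebuild the stack"
    else
        echo "$1: libxslt $ver outside the quoted range"
    fi
)

# Constructed ldd output, for illustration only.
SAMPLE_LDD='    libxml2.so.2 => /usr/lib/libxml2.so.2 (0x00a3e000)
    libxslt.so.1 => /usr/lib/libxslt.so.1 (0x00b1c000)
    libc.so.6 => /lib/tls/libc.so.6 (0x00736000)'

# Pass the binaries to audit as arguments, e.g. the httpd and php executables.
for b in "$@"; do check_binary "$b"; done
```

A binary reported as having no dynamic libxslt is the case where swapping the shared library alone leaves any compiled-in copy untouched, so it has to be rebuilt along with the library.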
     