New Apache Vulnerability

[sparek-3]

This should probably be posted in Bugzilla, but I wanted to make sure that this was an issue that affected CPanel first. Looks like there is a new bug in Apache, specifically in mod_rewrite:

http://secunia.com/advisories/21197

The recommended solution is to upgrade to Apache 1.3.37. It would appear that easyapache is at 1.3.36. I wasn't sure if this affected CPanel's Apache (I would think that it does) or exactly how serious this is.

 

[sparek-3]

This is listed in Bugzilla at:

http://bugzilla.cpanel.net/show_bug.cgi?id=4433

 

[speckados]

One more time, Cpanel Team, don't work for security on Cpanel/WHM.

Expensive panel qith several problems of security issues.

http://bugzilla.cpanel.net/show_bug.cgi?id=4433 has 48 hours.

Security Advisore more 3 days.

Explot calisfied CRITICAL.

Please, Cpanel Team, more hard work on Security Issues.

:p

Advisorie of Apche Foundation:
This issue has been rated as having important security impact by the Apache HTTP Server Security Team.onto http://www.apache.org/dist/httpd/Announcement1.3.html

 

[sparek-3]

Just a note, I ran easyapache this morning on a test server and it appears that 1.3.37 is being compiled now. Someone else may want to verify this and make sure 1.3.37 is installing. I'm not aware of any official word from CPanel, so I might proceed with caution regarding the upgrade, but I did want to let everyone know that it appears 1.3.37 is available now.

 

[MN-Robert]

Yes apache 1.3.37 is now in easyapache

 

[nickp666]

Under which tree is it available? EDGE?

 

[perfect-games]

thats not the only bug i discovered bugs in openssl and can be exploted to gain root level access.

oh well

hope they fix it

 

[myusername]

Might as well add php 4.4.3 support to the gripes list:

http://secunia.com/advisories/21328/

 

[sparek-3]

As fas as I know the Apache version is indepdent of your CPanel build. So it doesn't matter what CPanel tree you are using, easyapache will install the same version of Apache for each build. I may be wrong in that regard. At any rate, I'm using Release and 1.3.37 is in it.

 

[gahelm]

I'm on the stable release tree and it will only compile 1.3.36. Any way to get 1.3.37 into the stable release tree?

 

[gahelm]

Sorry, I guess I should have been more clear. I'm using the stable version, NOT release.

 

[AndyReed]

I'm on the stable release tree and it will only compile 1.3.36. Any way to get 1.3.37 into the stable release tree?

Just re-compiled Apache on one of our client's servers and I got:

Server version: Apache/1.3.37 (Unix)
Server built: Aug 3 2006 16:46:36

Server: cPanel [10.8.2-RELEASE_119]

 

[MPCN_Russ1]

Hey all,

Does is cause any problems if you were to just manually configure any software like apache or php together manually rather then using cPanel? Will cPanel have any issues?

Thanks,
Russ

 

[sparek-3]

Hey all,

Does is cause any problems if you were to just manually configure any software like apache or php together manually rather then using cPanel? Will cPanel have any issues?

Thanks,
Russ

I don't know about Apache, but I always compile PHP separately. This is mainly because I want to do more customization to my PHP installs.

One quick tidbit, if you run easyapache, you can unselect PHP so that it is not checked, then easyapache won't compile PHP. Your PHP will continue to work and easyapache will only compile Apache. This can greatly improve the amount of time spent upgrading Apache. One word of caution, if you are using phpSuExec, you must check that box in easyapache. You don't have to select PHP, but you do have to check the phpSuExec option. This is because the phpSuExec wrapper depends on some patches applied to Apache's source code, and selecting this option tells easyapache to apply those patches.

Hope this helps.

 

[fleksi]

Might as well add php 4.4.3 support to the gripes list:

http://secunia.com/advisories/21328/

Yes, vote for php 4.4.3 !

-FL-

 

[pixel_fenix]

I can't seem to get apache to compile with mod_ssl Gives some hook error or something. Is anyone else experiencing this?

 

[arhs]

Added bugzilla ticket, requesting PHP 4.4.3 to be added to easyapache , please vote:

http://bugzilla.cpanel.net/show_bug.cgi?id=4447

 

[a66fm]

I can't seem to get apache to compile with mod_ssl Gives some hook error or something. Is anyone else experiencing this?

yes in my case it was missing the

<IfDefine SSL>

before the ssl virtual host
and the

</IfDefine>

after

 

[IRCBrasil]

Witch version? 0.9.8b is exploitable too?

thats not the only bug i discovered bugs in openssl and can be exploted to gain root level access.

oh well

hope they fix it

 

[arhs]

PHP 4.4.3 is now available in easyapache.