
New Apache Vulnerability

Discussion in 'EasyApache' started by sparek-3, Jul 29, 2006.

  1. sparek-3

    This should probably be posted in Bugzilla, but I wanted to make sure that this was an issue that affected CPanel first. Looks like there is a new bug in Apache, specifically in mod_rewrite:

    http://secunia.com/advisories/21197

    The recommended solution is to upgrade to Apache 1.3.37. It would appear that easyapache is at 1.3.36. I wasn't sure if this affected CPanel's Apache (I would think that it does) or exactly how serious this is.
     
  2. sparek-3

  3. speckados

    One more time, Cpanel Team, don't work for security on Cpanel/WHM.

    Expensive panel with several problems of security issues.

    http://bugzilla.cpanel.net/show_bug.cgi?id=4433 has 48 hours.

    Security Advisory more 3 days.

    Exploit classified CRITICAL.

    Please, Cpanel Team, more hard work on Security Issues.

    :p

    Advisory of Apache Foundation:
    This issue has been rated as having important security impact by the Apache HTTP Server Security Team. http://www.apache.org/dist/httpd/Announcement1.3.html
     
    #3 speckados, Aug 2, 2006
    Last edited: Aug 2, 2006
  4. sparek-3

    Just a note, I ran easyapache this morning on a test server and it appears that 1.3.37 is being compiled now. Someone else may want to verify this and make sure 1.3.37 is installing. I'm not aware of any official word from CPanel, so I might proceed with caution regarding the upgrade, but I did want to let everyone know that it appears 1.3.37 is available now.
     
  5. MN-Robert

    Yes apache 1.3.37 is now in easyapache
     
  6. nickp666

    Under which tree is it available? EDGE?
     
  7. perfect-games

    That's not the only bug. I discovered bugs in openssl and can be exploited to gain root level access.

    oh well

    hope they fix it
     
  8. myusername

  9. sparek-3

    As far as I know the Apache version is independent of your CPanel build. So it doesn't matter what CPanel tree you are using, easyapache will install the same version of Apache for each build. I may be wrong in that regard. At any rate, I'm using Release and 1.3.37 is in it.
     
  10. gahelm

    I'm on the stable release tree and it will only compile 1.3.36. Any way to get 1.3.37 into the stable release tree?
     
  11. gahelm

    Sorry, I guess I should have been more clear. I'm using the stable version, NOT release.
     
  12. AndyReed

    Just re-compiled Apache on one of our client's servers and I got:

    Server: cPanel [10.8.2-RELEASE_119]
     
  13. MPCN_Russ1

    Hey all,

    Does it cause any problems if you were to just manually configure any software like apache or php together manually rather than using cPanel? Will cPanel have any issues?

    Thanks,
    Russ
     
  14. sparek-3

    I don't know about Apache, but I always compile PHP separately. This is mainly because I want to do more customization to my PHP installs.

    One quick tidbit, if you run easyapache, you can unselect PHP so that it is not checked, then easyapache won't compile PHP. Your PHP will continue to work and easyapache will only compile Apache. This can greatly improve the amount of time spent upgrading Apache. One word of caution, if you are using phpSuExec, you must check that box in easyapache. You don't have to select PHP, but you do have to check the phpSuExec option. This is because the phpSuExec wrapper depends on some patches applied to Apache's source code, and selecting this option tells easyapache to apply those patches.

    Hope this helps.
     
  15. fleksi

  16. pixel_fenix

    I can't seem to get apache to compile with mod_ssl. Gives some hook error or something. Is anyone else experiencing this?
     
  17. arhs

  18. a66fm

    yes in my case it was missing the
    Code:
    <IfDefine SSL>
    before the ssl virtual host
    and the
    Code:
    </IfDefine>
    after
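
A way to check a configuration for the condition a66fm describes, as an added example that is not part of the original thread or of cPanel's tooling: it lists SSL virtual hosts that are not enclosed in `<IfDefine SSL>`. The function names, the assumption that SSL virtual hosts listen on port 443, and the sample configuration (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report <VirtualHost ...:443> blocks that sit outside
# any <IfDefine SSL> section. Reads the file(s) given, or stdin.
# Assumption: SSL virtual hosts are the ones bound to port 443.
unguarded_ssl_vhosts() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line) }      # ignore indentation
    line ~ /^#/ { next }                          # skip comments
    tolower(line) ~ /^<ifdefine[ \t]/ {
        name = line
        sub(/^<[^ \t]+[ \t]+/, "", name)          # drop "<IfDefine "
        sub(/>.*/, "", name)                      # drop ">" and the rest
        stack[++depth] = (name == "SSL")          # remember what we opened
        if (name == "SSL") guard++
        next
    }
    tolower(line) ~ /^<\/ifdefine>/ {
        if (depth > 0) { if (stack[depth]) guard--; depth-- }
        next
    }
    tolower(line) ~ /^<virtualhost[ \t].*:443[ \t>]/ && guard == 0 {
        print NR ": " line                        # unguarded SSL vhost
    }
    ' "$@"
}

# Constructed sample: one guarded SSL vhost, one plain vhost,
# and one SSL vhost missing the <IfDefine SSL> wrapper.
sample_conf() {
    cat <<'EOF'
<IfDefine SSL>
<VirtualHost 192.0.2.10:443>
    SSLEngine on
</VirtualHost>
</IfDefine>

<VirtualHost 192.0.2.11:80>
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    SSLEngine on
</VirtualHost>
EOF
}

sample_conf | unguarded_ssl_vhosts
```

To check a real file, pass its path as the argument instead of piping the sample in.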
     
  19. IRCBrasil

    Which version? 0.9.8b is exploitable too?

     
  20. arhs

    PHP 4.4.3 is now available in easyapache.
     