
Recommendation on security notifications from cpanel

Discussion in 'Security' started by Venomous21, Jan 30, 2018.

  1. Venomous21

    Venomous21 Well-Known Member

    Hello,

    I generally update my cPanel servers manually after first checking a release to make sure there aren't major issues, e.g. in the past, I avoided a bug that broke phpMyAdmin by not auto-updating, I've avoided bad EA releases, etc.

    This leads me to the next point. I am on the cPanel mailing list and receive emails about EasyApache releases & cPanel security releases. I frankly think the ball was dropped since we weren't notified about this issue by email:

    Version 68.0.25 1-10-18
    • Fixed case CPANEL-17721: Update awstats to 7.4-3.cp1162 for CVE-2017-1000501.

    In the future, would you -please- contact us for any off-cycle security fixes? e.g. cPanel 68.0.25 addresses a highly critical security fix with awstats.

    I was able to get the servers updated but didn't see this until a couple of days late, since I rely on cPanel to notify me of security issues with cPanel or EasyApache. I'm on separate mailing lists for CentOS and other software. Recently, you notified us of upcoming security fixes to be patched on 1-22-18, then you released the details a day later, 1-23-18, which is normal for cPanel. The cPanel security fixes on 1-22-18 weren't that serious compared to the awstats issue on 1-10-18, which was very, very serious and easy to exploit. In the future, I feel we should be notified about any off-cycle security patches from cPanel... especially one this critical that could allow unauthenticated, remote code execution as root.

    Also, please mark these releases as [security] in the patch notes, but that's a minor gripe; I would rather receive an email notification.

    Thank you.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @Venomous21,

    Thank you for taking the time to provide us with feedback. It's true that we don't currently send out email notifications upon the publication of every new build (even ones with potential security implications); however, we are always exploring ways to better communicate information to the community. I've passed along your feedback to our Community Management Team for consideration.

    In the meantime, I recommend subscribing to the RSS feed we offer for the change log:

    http://atom.cpanel.net/changelog/cpanel-changelog.atom

    With RSS feeds, you can use a free service such as IFTTT to receive emails when changes are published:

    RSS feed to email

    Thank you.
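
One way to act on the change log feed suggested above, as an added example that is not part of the thread or cPanel's own code: it parses an Atom document and returns only the entries that name a CVE, so a scheduled job can alert on those. The sample feed is constructed; its entry layout, the `urn:example:` ids and the function name `security_entries` are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ATOM = {"a": "http://www.w3.org/2005/Atom"}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
CASE_RE = re.compile(r"\bCPANEL-\d+\b")

# Constructed sample: the entry layout is an assumption, not a capture of the real feed.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Constructed change log sample</title>
  <entry>
    <id>urn:example:build-a</id>
    <title>Version 68.0.25</title>
    <content type="text">Fixed case CPANEL-17721: Update awstats to 7.4-3.cp1162 for CVE-2017-1000501.</content>
  </entry>
  <entry>
    <id>urn:example:build-b</id>
    <title>Version PLACEHOLDER</title>
    <content type="text">Fixed case CPANEL-00000: constructed non-security change.</content>
  </entry>
</feed>"""


def security_entries(feed_xml, seen_ids=frozenset()):
    """Return unseen feed entries whose title, summary or content names a CVE."""
    # The feed is remote input: refuse DTDs/entities rather than let the parser expand them.
    if "<!DOCTYPE" in feed_xml or "<!ENTITY" in feed_xml:
        raise ValueError("feed contains a DTD or entity declaration")
    hits = []
    for entry in ET.fromstring(feed_xml).findall("a:entry", ATOM):
        entry_id = entry.findtext("a:id", default="", namespaces=ATOM)
        if entry_id in seen_ids:
            continue  # already alerted on this build
        text = " ".join(
            entry.findtext(f"a:{tag}", default="", namespaces=ATOM)
            for tag in ("title", "summary", "content")
        )
        cves = sorted(set(CVE_RE.findall(text)))
        if cves:
            hits.append({"id": entry_id,
                         "title": entry.findtext("a:title", default="", namespaces=ATOM),
                         "cves": cves,
                         "cases": sorted(set(CASE_RE.findall(text)))})
    return hits


if __name__ == "__main__":
    for hit in security_entries(SAMPLE_FEED):
        print(f"[security] {hit['title']}: {', '.join(hit['cves'])} ({', '.join(hit['cases'])})")
```

Persist the ids already alerted on and pass them as `seen_ids` so each build is reported once.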
     