Urgent Updates for 70, 76, and 78 and Exim CVE-2019-10149

Discussion in 'cPanel Announcements' started by cPanelBenny, Jun 6, 2019.

  1. cPanelBenny

    cPanelBenny Community Team Manager, Development, dog scratcher Staff Member

    Joined:
    Apr 24, 2014
    Messages:
    129
    Likes Received:
    65
    Trophy Points:
    103
    Location:
    Michigan
    cPanel Access Level:
    Root Administrator
    Twitter:
    In a post on the cPanel Blog last night we shared information regarding an exploit that had been identified in Exim. This exploit allows attackers to execute code as the root user on your server without authentication and was rated a 9.8 out of 10 in severity.

    While Version 80 was never vulnerable to this exploit, and we released a patch for Version 78 last night, the recently End of Life Version 70 and Version 76 remained vulnerable. More details were released today, including details on exactly how to gain root access to a remote server.

    While Exim is open source software that we bundle with our software and is not built by cPanel, this vulnerability is something that we feel deserves our attention. This is an extremely rare and specific situation that has the potential to impact everyone who interacts with the internet in any way. For that reason, we have released an update to patch this vulnerability for both Version 70 and Version 76.

    To ensure that your server has received the patch, please update to one of the following versions:

    TIER VERSION
    70 -> 70.0.69
    76 -> 76.0.22
    78 -> 78.0.27

    cPanel & WHM Versions 70 and 76 remain End of Life and will receive no other updates. This is a one-time bending of our policy, and we do not plan to pursue any other updates for these versions. We still strongly recommend that you keep your servers updated, and continue to run the most recent versions of cPanel & WHM available.

    If you need help with any of this, don’t hesitate to reach out! The best places to ask questions are here on the cPanel Forums, or directly to our support team. You can also join us in our Slack or Discord channels, or even ask on our subreddit!
     
  2. AlexMty

    AlexMty Registered

    Joined:
    Jun 6, 2019
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Mexico
    cPanel Access Level:
    Root Administrator
    Hello, I just tried to update a server in tier 76 (76.0.21), and it stayed in the same version due to EasyApache version 3 being installed. How can I force an update to 76.0.22? I tried switching from STABLE to LTS but then it says the new version will be 78.0.27 and it will be EOL in March 2020.

    Can I try this with a bash command?
     
  3. ispweb

    ispweb Registered PartnerNOC

    Joined:
    Aug 22, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    How do I update to 76.0.22? I'm on 76.0.20, but when I run the update with or without force, nothing changes.
     
  4. cPanelBenny

    cPanelBenny Community Team Manager, Development, dog scratcher Staff Member

    It's possible that the update will be blocked with an error similar to this:

    A system upgrade was not possible due to the following blockers:
    [2019-06-07 02:02:51 +0200] W [FATAL] - You must migrate from EA3 to EA4 before upgrading to v78 or newer. You can do so by running /usr/local/cpanel/scripts/migrate_ea3_to_ea4 or via WHM’s EasyApache 4 Migration interface. For more information please see: The EasyApache 3 to EasyApache 4 Migration Process - EasyApache 4 - cPanel Documentation

    If you encounter this error, you must manually adjust your /etc/cpupdate.conf file to the example below:

    CPANEL=11.76
    RPMUP=daily
    SARULESUP=daily
    STAGING_DIR=/usr/local/cpanel
    UPDATES=daily
     
    eva2000 likes this.
  5. Avensen

    Avensen Member

    Joined:
    Feb 27, 2007
    Messages:
    17
    Likes Received:
    1
    Trophy Points:
    153
    Edited cpupdate.conf, updated from v76.0.21 to v76.0.22 with /usr/local/cpanel/scripts/upcp

    However, Service Status / Exim version shows 4.91-3 (expected 4.91-4 after update).

    Ran the following command:

    whmapi1 installed_versions packages=1|grep exim

    and it shows this:

    exim: 4.91-3
    - exim-4.91-3.cp1170.x86_64

    Can anyone check if your Exim version changed to 4.91-4 after the v76.0.21 to v76.0.22 update?
     
  6. cPanelBenny

    cPanelBenny Community Team Manager, Development, dog scratcher Staff Member

    We've confirmed internally that it looks like there is a cache not getting updated (being tracked as CPANEL-27784), but based on our testing the new RPM is being used. You can double-check this with the exim --version command, which will show the version and the build time. You'll also see the RPM removed in the upcp logs.

    exim --version
     
    #6 cPanelBenny, Jun 6, 2019
    Last edited: Jun 6, 2019
  7. Avensen

    Avensen Member

    cPanelBenny, thanks for the information.

    # exim --version

    Exim version 4.91 #1 built 06-Jun-2019 12:52:02

    Is it the correct version?
     
  8. cPanelBenny

    cPanelBenny Community Team Manager, Development, dog scratcher Staff Member

    Yup! That's the correct version. We backported the patch to 4.91, and built it today. There's a little more information here, as well:

    CVE-2019-10149 Exim - cPanel Knowledge Base - cPanel Documentation
     
    Avensen likes this.
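
Added example, not part of the thread and not cPanel's own tooling: a shell check that maps a cPanel & WHM version onto the patched builds listed in the announcement (70.0.69, 76.0.22, 78.0.27; Version 80 not affected) and normalizes the build date from the first line of `exim --version`, so it can be compared with the 06-Jun-2019 build confirmed above. The function names and the accepted version format (optional `11.` prefix, as in /etc/cpupdate.conf) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not cPanel tooling. Patched builds are taken from the
# announcement: 70.0.69, 76.0.22, 78.0.27; Version 80 was never vulnerable.

# cpanel_patch_status VERSION
# VERSION is MAJOR.MINOR.BUILD, optionally with the "11." prefix used in
# /etc/cpupdate.conf (assumed input format). Prints one word:
#   patched | vulnerable | not-affected | unknown
cpanel_patch_status() {
    local v major rest minor build min part
    v=${1#11.}
    case "$v" in *.*.*) ;; *) echo unknown; return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; build=${rest#*.}
    for part in "$major" "$minor" "$build"; do
        case "$part" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    done
    case "$major" in
        70) min=69 ;;
        76) min=22 ;;
        78) min=27 ;;
        80) echo not-affected; return 0 ;;
        *)  echo unknown; return 2 ;;   # tier not named in the announcement
    esac
    if [ "$build" -ge "$min" ]; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# exim_build_date LINE
# LINE is the first line of `exim --version`, as posted in the thread:
#   Exim version 4.91 #1 built 06-Jun-2019 12:52:02
# Prints the build date as YYYY-MM-DD so dates compare as plain strings.
exim_build_date() {
    local d day mon year
    case "$1" in *" built "*) ;; *) return 1 ;; esac
    d=${1#* built }; d=${d%% *}                 # 06-Jun-2019
    day=${d%%-*}; year=${d##*-}
    mon=${d#*-}; mon=${mon%-*}
    case "$mon" in
        Jan) mon=01 ;; Feb) mon=02 ;; Mar) mon=03 ;; Apr) mon=04 ;;
        May) mon=05 ;; Jun) mon=06 ;; Jul) mon=07 ;; Aug) mon=08 ;;
        Sep) mon=09 ;; Oct) mon=10 ;; Nov) mon=11 ;; Dec) mon=12 ;;
        *) return 1 ;;
    esac
    echo "$year-$mon-$day"
}
```

The build-date check only applies to the v76 backport discussed in this thread; the page gives no build dates for the other tiers.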
  9. Luana Premoli

    Luana Premoli Well-Known Member

    Joined:
    Oct 3, 2016
    Messages:
    54
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    São Paulo/Brazil
    cPanel Access Level:
    Root Administrator
    Hi,

    Is it possible to update only Exim without having to update cPanel?

    Thanks
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,273
    Likes Received:
    2,154
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @Luana Premoli,

    The only way to ensure that you are protected is to upgrade your server to a patched version. We made a one-time exclusion to our end-of-life policy and released an update to patch this vulnerability for both version 70 and version 76. Information about how to apply the update to these end-of-life versions is available at the beginning of the blog post below:

    Exim CVE-2019-10149, how to protect yourself | cPanel Blog

    What cPanel & WHM version is currently installed on your system?

    Thank you.
     