cPanel TSR-2018-0001, originally scheduled for Monday January 15 2018, has been delayed one week and is now scheduled for release on Monday January 22 2018. The full disclosure for this TSR is now scheduled for Tuesday January 23 2018.

SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 on December 5, 2017, with cURL 7.57.0 and a patch for APR 1.5.2. This release addresses vulnerabilities related to CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, and CVE-2017-12613. We strongly encourage all cURL users to upgrade to version 7.57.0 and all APR users to apply the patch.

AFFECTED VERSIONS
All versions of cURL through 7.56.1
All versions of APR through 1.5.2

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2017-8816 – MEDIUM
cURL 7.56.1
Fix buffer overrun flaw related to CVE-2017-8816

CVE-2017-8817 – MEDIUM
cURL 7.56.1
Fix read out of bounds flaw related to CVE-2017-8817

cPanel & WHM Version 68 has now reached the STABLE tier! There are a ton of new features that you may or may not have heard of. Let’s run through some of them!

Restore any single file from your cPanel account backups!

You can now easily restore files from any locally hosted cPanel account backup. We walk you through it in this blog post from last month!

Updated and Expanded API Token and Reseller Permissions

Permissions available for API tokens and resellers have been updated and expanded, to allow you to more granularly control what your users and token can do. The full list of updated and added permissions can be found in the cPanel & WHM version 68 release notes.

Potential Spammer Notification!

Spam is one of the hardest things to combat on any web hosting environment. We’re helping make server administrators even more aware of potential abuse on their server with this brand new notification.

New SSL notifications and AutoSSL user controls!

In version 68 we’ve added more communication around SSL and now cPanel users can see domain statuses and even trigger AutoSSL from their SSL/TLS Status interface. Read all about it in this post on the cPanel blog.

cPanel & WHM version 66 has reached End of Life and will no longer be supported by cPanel except when upgrading to a supported version.

In accordance with our EOL policy (https://go.cpanel.com/longtermsupport), 66 will continue functioning on servers where it is already installed. The last release of cPanel & WHM version 66, 66.0.34, will remain on our mirrors indefinitely. However, no further updates, such as security fixes and installations, will be provided for 66. Older releases of cPanel & WHM 66 will be removed from our mirrors.

We recommend that all customers migrate any existing installations of cPanel & WHM version 66 to the most recent version of cPanel & WHM 68, which you can read about on https://releases.cpanel.com.

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at https://go.cpanel.com/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

For the PGP-signed message, see 66 EOL Now – signed.

cPanel TSR-2017-0006 Full Disclosure

SEC-236

Summary

Add ‘ssl’ to the list of reserved usernames.

Security Rating

cPanel TSR-2017-0006 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv3 scores ranging from 2.0 to 8.8.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 on November 7, 2017, with OpenSSL 1.0.2m. This release addresses vulnerabilities related to CVE-2017-3736 and CVE-2017-3735. We strongly encourage all OpenSSL users to upgrade to version 1.0.2m.

AFFECTED VERSIONS
All versions of OpenSSL through 1.0.2l

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2017-3735 – LOW
OpenSSL 1.0.2m
Fix parse error in the IPAdressFamily extension related to CVE-2017-3735

CVE-2017-3736 – MEDIUM
OpenSSL 1.0.2m
Fix carry propagating bug in x86_64 Montgomery squaring procedure related to CVE-2017-3736

We are happy to announce that cPanel, Inc. has released cPanel & WHM Version 68 to the RELEASE tier! Below are just a few of the updates included in this version.

New SSL notifications and AutoSSL user controls!

In version 68 we’ve added more communication around SSL and now cPanel users can see domain statuses and even trigger AutoSSL from their SSL/TLS Status interface. Read all about it in this blog post from last week.

Virtuozzo 7 Support

Virtuozzo 7 is a fantastic tool for many of our webhosting providers, and we’re happy to be able to add full support for Virtuozzo 7 to cPanel & WHM’s list of supported platforms.

It’s easier than ever for your clients to find you!

In version 68 cPanel & WHM resellers can now add public contact information, making it easier for their clients to get in contact with them!

More Information

Check out the cPanel Release site to see an overview of the latest features and updates cPanel & WHM has to offer! All of the details about all cPanel & WHM Version 68 features can be found in the Release Notes.

SUMMARY
cPanel, Inc. has updated RPMs for EasyApache 4 with PHP versions 5.6.32, 7.0.25 and 7.1.11, and released EasyApache 3.34.19 with PHP version 5.6.32 on October 31, 2017. This release addresses vulnerabilities related to CVE-2016-1283. We strongly encourage all PHP 5.6 users to upgrade to versions 5.6.32, all PHP 7.0 users to upgrade to version 7.0.25, and all PHP 7.1 users to upgrade to version 7.1.11.

AFFECTED VERSIONS
All versions of PHP 5.6 through 5.6.31
All versions of PHP 7.0 through 7.0.24
All versions of PHP 7.1 through 7.1.10

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2016-1283 – HIGH
PHP 5.6.32
Fixed bug in PCRE related to CVE-2016-1283

PHP 7.0.25
Fixed bug in PCRE related to CVE-2016-1283

cPanel & WHM versions 56 & 60 have reached End of Life and will no longer be supported by cPanel except when upgrading to a supported version.

In accordance with our EOL policy (https://go.cpanel.com/longtermsupport), 56 & 60 will continue functioning on servers where they are already installed. The last releases of cPanel & WHM version 56 & 60, 56.0.52 & 60.0.48, will remain on our mirrors indefinitely. However, no further updates, such as security fixes and installations, will be provided for versions 56 & 60. Older releases of cPanel & WHM Versions 56 & 60 will be removed from our mirrors.

We recommend that all customers migrate any existing installations of cPanel & WHM versions 56 & 60 to the most recent version of cPanel & WHM, version 68, which you can read about on https://releases.cpanel.com.

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at https://go.cpanel.com/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

For the PGP-signed message, see 56 & 60 EOL Now-Signed.

Security group Check Point Research claims to have discovered a rapidly growing and evolving botnet which they believe could eventually take down the internet. This botnet consists of millions of internet connected devices, better known as the Internet of Things. They have compared its strength to the now infamous Mirai botnet, but believe it will dwarf Mirai in its speed and growth.

This latest threat has been called the Reaper botnet and makes other attacks look childish. Mirai worked by infecting unsecured devices with default passwords to add them to the botnet. The Reaper works by actively hacking and infiltrating millions of devices around the globe. Wired described it as "the difference between checking for open doors and actively picking locks."