cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv3 scores ranging from 2.2 to 5.8.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

As a leader in the hostingmanagement industry, cPanel continuously serves Web Hosting Providers and System Administrators with multiple integrated options to protect their servers. 

Houston, TX – February 3, 2020 – cPanel, L.L.C., an industry-leading hosting server management solution for the past 20 years, announced it is adding ImunifyAV+ to the suite of server security applications that integrates directly into its flagship product. The product extensions allow systems administrators to protect their installations and defend against cybersecurity threats directly from their cPanel & WHM dashboard.

ImunifyAV+ is now available for cPanel & WHM users, complementing the existing ImunifyAV application, adding extra functionality to allow infected files to be cleaned with a single click. This one-click removal makes blocking and preventing malicious code from spreading across a server environment simple.

Knowing how vital server security is, cPanel began offering CloudLinux’s ImunifyAV at no extra cost and provided their partners and customers the choice to add Imunify360, a robust security suite, to all accounts for a small monthly fee. ImunifyAV is a scanner that identifies malware and viruses, and Imunify360 is a complete security suite offering scanning, cleanup, firewalls, and proactive defenses.

“We’re proud to offer even more security options so our customers can protect their IT infrastructure,” said Kenneth Power, Vice President of Product Development at cPanel. “We now offer multiple solutions to both identify and solve security problems faced by the industry every day, providing peace of mind that servers are safeguarded from destructive virtual attacks.”

We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on Discord or Reddit to talk about this update and much more.

2020-02-26

ea-openssl
     • EA-8870: Update ea-openssl from v1.0.2t to v1.0.2u

ea-profiles-cpanel
     • EA-8864: Add php73 to the mpm_itk and worker profiles

ea-tomcat85
     • EA-8875: Update ea-tomcat85 from v8.5.50 to v8.5.51

libcurl
     • EA-8843: Update libcurl from v7.67.0 to v7.68.0

We are happy to announce that cPanel, L.L.C. has released cPanel & WHM Version 86 to the RELEASE tier! cPanel & WHM Version 86 introduces a slew of new tools and improvements to the product. With upgrades to EasyApache 4’s OpenSSL version, the introduction of TLS v1.3, a number of new and improved interfaces, a standalone mail server and more, cPanel & WHM is better than ever.

Take a look at highlights for this version on our release site, or check out the full release notes. Then, join us on Slack, Discord, or Reddit!

Streamlined Directory Privacy interface

In cPanel & WHM Version 86, we are adding the Actions column to cPanel’s Directory Privacy interface allowing system administrators to set the directory privacy permissions for all of the subdirectories within a directory. | Read More

File Manager access when account is at full disk space

cPanel users who have reached their account disk space limit are now able to use cPanel’s File Manager to delete files. | Read More

AutoSSL improvements for DNS Certificate Authority Authorization records

We are improving the AutoSSL feature’s automatic creation of CAA records to now recognize subdomains and wildcard domains, as well as creating all of the CAA records needed to ensure that AutoSSL will issue certificates. | Read More

We are happy to announce that cPanel, L.L.C. has released cPanel & WHM Version 86 to the CURRENT tier! cPanel & WHM Version 86 introduces a slew of new tools and improvements to the product. With upgrades to EasyApache 4’s OpenSSL version, the introduction of TLS v1.3, a number of new and improved interfaces, a standalone mail server and more, cPanel & WHM is better than ever.

Take a look at highlights for this version on our release site, or check out the full release notes. Then, join us on Slack, Discord, or Reddit!

Upgrade EasyApache 4’s OpenSSL version to OpenSSL 1.1.1

In cPanel & WHM Version 86, we are upgrading EasyApache 4’s version of OpenSSL to version 1.1.1, enabling the use of Transport Layer Security (TLS) protocol version 1.3. You can select TLSv1.3 in the SSL/TLS Protocols option in WHM’s Global Configuration interface. | Read More

New DNS Zone Manager interface

System Administrators are now able to manage server’s DNS zones with WHM’s DNS Zone Manager interface, making the process of creating and managing DNS zone records simpler. | Read More

LTS Tier Updates

We are improving cPanel & WHM’s LTS tier to automatically update when new LTS versions are available. The Update Preferences interface is being updated to improve setting a release tier and other update settings. | Read More

We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on Slack, Discord, or Reddit to talk about this update and much more.

EA4

ea-apache2
     • COBRA-10700: Optimize finding a module

ea-apache2-config
     • EA-8629: Prevent caching of defaultwebpage.cgi redirect

ea-cpanel-tools
     • EA-8784: Add PHP 7.1 to EOL recommendations

SEC-515

Summary

Self-XSS vulnerability via temporary character set specification.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv3 scores ranging from 4.7 to 9.1.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES

cPanel is updating our Privacy Policy in our continued commitment to helping customers and users of our software understand how we use their data and to provide transparency. The Privacy Policy has been updated to facilitate compliance with the CCPA (California Consumer Protection Act), taking effect on January 1st, 2020. Additionally, cPanel has created several links that allow users to determine what information that cPanel has and to request that we take actions related to that data. These actions include adding sections to reflect updates to our use of information and some technical corrections.

This post is a simple summary of the updates to the Privacy Policy, and we highly recommend reviewing the policy in its entirety, located here. 

Sale of Personal Information

The CCPA requires cPanel to disclose whether cPanel “sells” personal information. cPanel does not commercialize user information in the traditional sense. However, because some personal data is transmitted to third parties to facilitate the use of products and services, we have provided more details about this use. Our Privacy Policy contains a method for you to decide to instruct us not to use your information in this way, regardless of whether it is a “sale” in the traditional sense. We will provide other ways to make this choice in the future. It is essential that you review our privacy policy for the impact that this choice may have before making it.

Authentication

FOR IMMEDIATE RELEASE

System Administrators, Web Hosting Providers can access cPanel & WHM for cloud servers and virtual machines with GCP Marketplace.  

Houston, Texas – December 20, 2019 – cPanel L.L.C., a hosting server management solution, announced its availability on Google Cloud Platform Marketplace (GCP Marketplace), allowing customers to easily launch a Google Cloud instance with a cPanel & WHM® image. Under this new collaboration, hosting providers and direct consumers can install a license immediately after they spin up their Google Compute Engine™ instance and quickly set up and administer accounts. 

cPanel & WHM is a robust web hosting automation software suite. Containing all of the essential tools needed for hosting providers and resellers to manage customer accounts, create and maintain websites, and to secure and optimize their servers, cPanel & WHM is an integral part of supporting operations at some of the world’s most well-known hosting providers, including virtual machines and cloud servers. GCP Marketplace allows customers to easily start up familiar software packages such as cPanel & WHM with Google Compute Engine, with no manual configuration required.

“cPanel is excited to be a part of GCP Marketplace. This platform is popular with our partners and we’re looking forward to supporting them as they turn to hyperscale solutions,” says Todd Mitchell, Chief Operating Officer of WebPros™, cPanel’s parent company.

We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on Slack, Discord, or Reddit to talk about this update and much more.

• scl-php72
• scl-phh72-meta
     • EA-8797: Update scl-php72 from v7.2.25 to v7.2.26
     • Bcmath:
          • Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046)
     • Core:
          • Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
          • Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
     • EXIF:
          • Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050)
          • Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047)

• scl-php73
• scl-php73-meta
     • EA-8798: Update scl-php73 from v7.3.12 to v7.3.13     
     • Bcmath:
          • Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046)     
     • Core:
          • Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
          • Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
          • Fixed bug #78943 (mail() may release string with refcount==1 twice). (CVE-2019-11049)
     • EXIF:
          • Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050)
          • Fixed bug #78910 (Heap-buffer-overflow READ in exif) (CVE-2019-11047)

This release includes a security patch that has been issued a fix for a CVE (Common Vulnerabilities and Exposures), the details of which are included below.

SUMMARY
cPanel, L.L.C. has updated RPMs for EasyApache 4 with PHP versions 7.2.26 and 7.3.13. This release addresses vulnerabilities related to CVE-2019-11046, CVE-2019-11044, CVE-2019-11045, CVE-2019-11049, CVE-2019-11050, and CVE-2019-11047. We strongly encourage all PHP 7.2 users to upgrade to version 7.2.26 and all PHP 7.3 users to upgrade to version 7.3.13.

cPanel & WHM Version 82 Now EOL

December 18, 2019

With last week’s move to STABLE for Version 84, cPanel & WHM Version 82 has reached End of Life. This version will now only be supported by cPanel when upgrading to a supported version.

In accordance with our EOL policy, Version 82 will continue to function on servers where it is already installed. The last release of cPanel & WHM Version 84, 84.0.17, will remain on our mirrors indefinitely. However, no further updates, including fixes for known security flaws, will be provided for Version 82. Older releases of cPanel & WHM will be removed from our mirrors.

We recommend that all customers upgrade any existing installations of cPanel & WHM Version 82 to the most recent version of cPanel & WHM Version 84, which you can read about on https://releases.cpanel.net.

If your server setup complicates the process of upgrading to a supported version of cPanel & WHM (an upgrade blocker list is available at https://go.cpanel.net/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgable support team can provide recommendations, upgrade assistance, and more.

SEC-499

Summary

Authentication bypass due to variations in webmail username handling.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv3 scores ranging from 2.5 to 8.8.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

RELEASES