cPanel TSR-2017-0004 Full Disclosure
Stored XSS during WHM cPAddons install.
cPanel TSR-2017-0004 Announcement
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv3 scores ranging from 2.2 to 5.0.
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
cPanel, Inc. has released updated RPMs for EasyApache 4 on July 12, 2017, with PHP versions 5.6.31, 7.0.21, and 7.1.7. This release addresses vulnerabilities related to CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229, and CVE-2017-7890. We strongly encourage all PHP 5.6 users to upgrade to version 5.6.31, all PHP 7.0 users to upgrade to version 7.0.21, and all PHP 7.1 users to upgrade to version 7.1.7.
Affected PHP versions:
All versions of PHP 5.6 through 5.6.30
All versions of PHP 7.0 through 7.0.20
All versions of PHP 7.1 through 7.1.6
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
CVE-2017-9224 – HIGH
Fixed a bug in the mbstring extension related to CVE-2017-9224.
cPanel & WHM version 58 will reach End of Life in 1 month, at the end of July, 2017. cPanel & WHM versions 56 and 60 will also reach End of Life at the end of October, 2017.
In accordance with our EOL policy (https://go.cpanel.com/longtermsupport), when a version of cPanel & WHM reaches End of Life it will no longer be supported by cPanel, except when upgrading to a supported version. The software will continue functioning on servers where it is already installed. However, no further updates, including security and feature updates, will be provided once it reaches End of Life.
We recommend that all customers migrate any existing installations of cPanel & WHM versions 56, 58, and 60 to the most recent version of cPanel & WHM 64, which you can read about at https://releases.cpanel.com.
If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at https://go.cpanel.com/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.
Houston, Texas – June, 2017 – cPanel, Inc., the Hosting Platform of Choice, is excited to announce evening events for its 2017 cPanel Conference in Fort Lauderdale, Florida on September 26th and 27th. All three evening events are included in the cost of an attendee ticket.
Monday night we kick off at Blue Martini. This event will be a chance to meet and catch up with cPanel staff and all your friends in the web hosting industry, as well as enjoy refreshments and an assortment of appetizers.
Tuesday evening’s event, hosted at Stache, will celebrate 20 Years of cPanel. While you will have plenty of time and space for chatting and networking, we will also be hosting a full evening of entertainment from the singer-songwriter and internet phenomenon Jonathan Coulton. Hits like “Code Monkey,” “Still Alive,” and “I Feel Fantastic” will delight all attendees.
Wednesday night you need only go as far as the conference hotel’s rooftop terrace to join us. There you can show off your board game skills at our Board Game Social. Life-size versions of your favorite games such as Jenga and Battleship will be available for all attendees, as well as a large assortment of other board and card games.
“While the learning that is done during the day is important, the networking events at cPanel Conferences have always been where the lasting relationships are formed,” said Ken Power, Vice President of Product Development. “With a large portion of the cPanel staff in attendance, it’s important to us that our internal and external communities have time to get to know and understand each other.”