SUMMARY
cPanel, Inc. has updated RPMs for EasyApache 4 with PHP versions 5.6.36, 7.0.30, 7.1.17, and 7.2.5 and released EasyApache 3.36.4 with PHP 5.6.36 on May 1, 2018. This release addresses vulnerabilities related to CVE-2018-10549, CVE-2018-10548, CVE-2018-10547, and CVE-2018-10546. We strongly encourage all PHP 5.6 users to update to version 5.6.36, PHP 7.0 users to update to version 7.0.30, PHP 7.1 users to update to version 7.1.17, and PHP 7.2 users to update to version 7.2.5.

AFFECTED VERSIONS
All versions of PHP 5.6 through 5.6.35
All versions of PHP 7.0 through 7.0.29
All versions of PHP 7.1 through 7.1.16
All versions of PHP 7.2 through 7.2.4

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2018-10549 – MEDIUM
PHP 5.6.36
Fixed bug in EXIF extensions related to CVE-2018-10549

PHP 7.0.30
Fixed bug in EXIF extensions related to CVE-2018-10549

cPanel & WHM version 62 will reach End of Life at the end of June, 2018, and will no longer be supported by cPanel except when upgrading to a supported version.

In accordance with our EOL policy (https://go.cpanel.net/longtermsupport), 62 will continue functioning on servers where it is already installed. However, no further updates, such as security fixes and installations, will be provided for 62 once it reaches End of Life.

We recommend that all customers migrate any existing installations of cPanel & WHM version 62 to the most recent version of cPanel & WHM 70, which you can read about on https://releases.cpanel.com.

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at https://go.cpanel.net/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

For the PGP-signed message, see 62EOL2Months-signed.

cPanel, Inc. has updated RPMs for EasyApache 4 with Apache version 2.4.33 and PHP versions 5.6.35, 7.0.29, 7.1.16, and 7.2.4 and released EasyApache 3.36.3 with Apache version 2.4.33 and PHP 5.6.35 on April 3, 2018. This release addresses vulnerabilities related to CVE-2017-15710, CVE-2018-1283, CVE-2018-1303, CVE-2018-1301, CVE-2017-15715, CVE-2018-1312, and CVE-2018-1302. We strongly encourage all Apache 2.4 users to upgrade to version 2.4.33 and all PHP 5.6 users to update to version 5.6.35, PHP 7.0 users to update to version 7.0.29, PHP 7.1 users to update to version 7.1.16, and PHP 7.2 users to update to version 7.2.4.

AFFECTED VERSIONS
All versions of Apache 2.4 through 2.4.29
All versions of PHP 5.6 through 5.6.34
All versions of PHP 7.0 through 7.0.28
All versions of PHP 7.1 through 7.1.15
All versions of PHP 7.2 through 7.2.3

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2018-1301 – MEDIUM
Apache 2.4.33
Fixed bug in core related to CVE-2018-1301

CVE-2018-1302 – MEDIUM
Apache 2.4.33
Fixed bug in mod_http2 related to CVE-2018-1302

cPanel TSR-2018-0002 Full Disclosure

SEC-338

Summary

Arbitrary file chmod during legacy incremental backups.

Security Rating

cPanel TSR-2018-0002 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv3 scores ranging from 3.8 to 8.2.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 on Mar 06, 2018, with PHP versions 5.6.34, 7.0.28, 7.1.15, and 7.2.3. This release addresses vulnerabilities related to CVE-2018-7584. We strongly encourage all PHP 5.6 users to upgrade to version 5.6.34, all PHP 7.0 users to upgrade to 7.0.28, PHP 7.1 users to upgrade to version 7.1.15, and all PHP 7.2 users to upgrade to version 7.2.3.

AFFECTED VERSIONS
All versions of PHP 5.6 through version 5.6.33
All versions of PHP 7.0 through version 7.0.27
All versions of PHP 7.1 through version 7.1.14
All versions of PHP 7.2 through version 7.2.2

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2018-7584 – MEDIUM
PHP 5.6.34
Fixed bug in http_fopen_wrapper.c related to CVE-2018-7584
PHP 7.0.28
Fixed bug in http_fopen_wrapper.c related to CVE-2018-7584
PHP 7.1.15
Fixed bug in http_fopen_wrapper.c related to CVE-2018-7584
PHP 7.2.3
Fixed bug in http_fopen_wrapper.c related to CVE-2018-7584

SOLUTION
cPanel, Inc. has released updated RPMs for EasyApache 4 on Mar 06, 2018, with updated versions of PHP 5.6.34, 7.0.28, 7.1.15, and 7.2.3. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.

Version 70’s promotion to the RELEASE tier has been delayed and is now tentatively planned for mid-April, 2018. This delay gives us time to address some performance concerns we have uncovered in our testing that may cause problems on high-capacity systems.

Version 72 will be promoted to the EDGE tier after version 70 is promoted to the RELEASE tier. We aren’t currently anticipating a delay in releasing version 72.

More Information

Check out the cPanel Release site to see an overview of the latest features and updates cPanel & WHM has to offer! All of the details about all cPanel & WHM Version 70 features can be found in the Release Notes http://go.cpanel.net/releasenotes.

Support for the current LTS (Long Term Support) version, cPanel & WHM Version 62, has been extended to June 30th, 2018. This extension is a one-time extension and has been granted to help ease the scheduling pressure caused by security flaws in the kernel of many servers that use cPanel & WHM.

Support is not extended for any other Version, and Version 70 will still be the only new cPanel & WHM version to enter the LTS tier in 2018.

As of June 30th, 2018 Version 62 will no longer be supported by cPanel except when upgrading to a supported version.

In accordance with our EOL policy (https://go.cpanel.com/longtermsupport), 62 will continue functioning on servers where it is already installed. However, no further updates, including security fixes and installations, will be provided for 62 once it reaches End of Life.

The next LTS version of cPanel & WHM, version 70, is the CURRENT tier. We anticipate version 70 entering the STABLE tier in early- to mid-March.

SUMMARY
cPanel, Inc. has updated RPMs for EasyApache 4 with cURL version 7.58.0 on January 25, 2018. This release addresses vulnerabilities related to CVE-2018-1000007. We strongly encourage cURL users to upgrade to version 7.58.0.

AFFECTED VERSIONS
All versions of cURL through 7.57.0

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2018-1000007 – MEDIUM
cURL 7.58.0
Fixed bug in authorization: headers related to CVE-2018-1000007

SOLUTION
cPanel, Inc. has released updated RPMs for EasyApache 4 on January 25, 2018, with a updated versions of cURL 7.58.0. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.

cPanel TSR-2018-0001 Full Disclosure

SEC-308

Summary

SRS secret revealed in exim.conf.

Security Rating

cPanel TSR-2018-0001 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv3 scores ranging from 2.2 to 6.5.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

SUMMARY
cPanel, Inc. has updated RPMs for EasyApache 4 with PHP versions 5.6.33, 7.0.27, 7.1.13, and 7.2.1 and released EasyApache 3.34.20 with PHP version 5.6.33 on January 9, 2018. This release addresses vulnerabilities related to CVE-2015-8866. We strongly encourage all PHP 5.6 users to upgrade to versions 5.6.33, all PHP 7.0 users to upgrade to version 7.0.27, all PHP 7.1 users to upgrade to version 7.1.13, and all PHP 7.2 users to upgrade to version 7.2.1.

AFFECTED VERSIONS
All versions of PHP 5.6 through 5.6.32
All versions of PHP 7.0 through 7.0.26
All versions of PHP 7.1 through 7.1.12
All versions of PHP 7.2 through 7.2.0

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2015-8866 – HIGH
PHP 7.0.27
Fixed bug in LibXML related to CVE-2015-8866

PHP 7.1.13
Fixed bug in LibXML related to CVE-2015-8866

cPanel TSR-2018-0001, originally scheduled for Monday January 15 2018, has been delayed one week and is now scheduled for release on Monday January 22 2018. The full disclosure for this TSR is now scheduled for Tuesday January 23 2018.

SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 on December 5, 2017, with cURL 7.57.0 and a patch for APR 1.5.2. This release addresses vulnerabilities related to CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, and CVE-2017-12613. We strongly encourage all cURL users to upgrade to version 7.57.0 and all APR users to apply the patch.

AFFECTED VERSIONS
All versions of cURL through 7.56.1
All versions of APR through 1.5.2

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2017-8816 – MEDIUM
cURL 7.56.1
Fix buffer overrun flaw related to CVE-2017-8816

CVE-2017-8817 – MEDIUM
cURL 7.56.1
Fix read out of bounds flaw related to CVE-2017-8817

cPanel & WHM Version 68 has now reached the STABLE tier! There are a ton of new features that you may or may not have heard of. Let’s run through some of them!

Restore any single file from your cPanel account backups!

You can now easily restore files from any locally hosted cPanel account backup. We walk you through it in this blog post from last month!

Updated and Expanded API Token and Reseller Permissions

Permissions available for API tokens and resellers have been updated and expanded, to allow you to more granularly control what your users and token can do. The full list of updated and added permissions can be found in the cPanel & WHM version 68 release notes.

Potential Spammer Notification!

Spam is one of the hardest things to combat on any web hosting environment. We’re helping make server administrators even more aware of potential abuse on their server with this brand new notification.

New SSL notifications and AutoSSL user controls!

In version 68 we’ve added more communication around SSL and now cPanel users can see domain statuses and even trigger AutoSSL from their SSL/TLS Status interface. Read all about it in this post on the cPanel blog.

cPanel & WHM version 66 has reached End of Life and will no longer be supported by cPanel except when upgrading to a supported version.

In accordance with our EOL policy (https://go.cpanel.com/longtermsupport), 66 will continue functioning on servers where it is already installed. The last release of cPanel & WHM version 66, 66.0.34, will remain on our mirrors indefinitely. However, no further updates, such as security fixes and installations, will be provided for 66. Older releases of cPanel & WHM 66 will be removed from our mirrors.

We recommend that all customers migrate any existing installations of cPanel & WHM version 66 to the most recent version of cPanel & WHM 68, which you can read about on https://releases.cpanel.com.

If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at https://go.cpanel.com/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more.

For the PGP-signed message, see 66 EOL Now – signed.

cPanel TSR-2017-0006 Full Disclosure

SEC-236

Summary

Add ‘ssl’ to the list of reserved usernames.

Security Rating

cPanel TSR-2017-0006 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated these updates as having CVSSv3 scores ranging from 2.0 to 8.8.

Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 on November 7, 2017, with OpenSSL 1.0.2m. This release addresses vulnerabilities related to CVE-2017-3736 and CVE-2017-3735. We strongly encourage all OpenSSL users to upgrade to version 1.0.2m.

AFFECTED VERSIONS
All versions of OpenSSL through 1.0.2l

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2017-3735 – LOW
OpenSSL 1.0.2m
Fix parse error in the IPAdressFamily extension related to CVE-2017-3735

CVE-2017-3736 – MEDIUM
OpenSSL 1.0.2m
Fix carry propagating bug in x86_64 Montgomery squaring procedure related to CVE-2017-3736

We are happy to announce that cPanel, Inc. has released cPanel & WHM Version 68 to the RELEASE tier! Below are just a few of the updates included in this version.

New SSL notifications and AutoSSL user controls!

In version 68 we’ve added more communication around SSL and now cPanel users can see domain statuses and even trigger AutoSSL from their SSL/TLS Status interface. Read all about it in this blog post from last week.

Virtuozzo 7 Support

Virtuozzo 7 is a fantastic tool for many of our webhosting providers, and we’re happy to be able to add full support for Virtuozzo 7 to cPanel & WHM’s list of supported platforms.

It’s easier than ever for your clients to find you!

In version 68 cPanel & WHM resellers can now add public contact information, making it easier for their clients to get in contact with them!

More Information

Check out the cPanel Release site to see an overview of the latest features and updates cPanel & WHM has to offer! All of the details about all cPanel & WHM Version 68 features can be found in the Release Notes.