SEC-515
Summary
Self-XSS vulnerability via temporary character set specification.
Security Rating
cPanel has assigned this vulnerability a CVSSv3 score of 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
© Cpanel
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv3 scores ranging from 4.7 to 9.1.
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
© Cpanel
cPanel is updating our Privacy Policy in our continued commitment to helping customers and users of our software understand how we use their data and to provide transparency. The Privacy Policy has been updated to facilitate compliance with the CCPA (California Consumer Protection Act), taking effect on January 1st, 2020. Additionally, cPanel has created several links that allow users to determine what information that cPanel has and to request that we take actions related to that data. These actions include adding sections to reflect updates to our use of information and some technical corrections.
This post is a simple summary of the updates to the Privacy Policy, and we highly recommend reviewing the policy in its entirety, located here.
Sale of Personal Information
The CCPA requires cPanel to disclose whether cPanel “sells” personal information. cPanel does not commercialize user information in the traditional sense. However, because some personal data is transmitted to third parties to facilitate the use of products and services, we have provided more details about this use. Our Privacy Policy contains a method for you to decide to instruct us not to use your information in this way, regardless of whether it is a “sale” in the traditional sense. We will provide other ways to make this choice in the future. It is essential that you review our privacy policy for the impact that this choice may have before making it.
Authentication
© Cpanel
FOR IMMEDIATE RELEASE
System Administrators, Web Hosting Providers can access cPanel & WHM for cloud servers and virtual machines with GCP Marketplace.
Houston, Texas – December 20, 2019 – cPanel L.L.C., a hosting server management solution, announced its availability on Google Cloud Platform Marketplace (GCP Marketplace), allowing customers to easily launch a Google Cloud instance with a cPanel & WHM® image. Under this new collaboration, hosting providers and direct consumers can install a license immediately after they spin up their Google Compute Engine™ instance and quickly set up and administer accounts.
cPanel & WHM is a robust web hosting automation software suite. Containing all of the essential tools needed for hosting providers and resellers to manage customer accounts, create and maintain websites, and to secure and optimize their servers, cPanel & WHM is an integral part of supporting operations at some of the world’s most well-known hosting providers, including virtual machines and cloud servers. GCP Marketplace allows customers to easily start up familiar software packages such as cPanel & WHM with Google Compute Engine, with no manual configuration required.
“cPanel is excited to be a part of GCP Marketplace. This platform is popular with our partners and we’re looking forward to supporting them as they turn to hyperscale solutions,” says Todd Mitchell, Chief Operating Officer of WebPros™, cPanel’s parent company.
© Cpanel
We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on Slack, Discord, or Reddit to talk about this update and much more.
• scl-php72
• scl-phh72-meta
• EA-8797: Update scl-php72 from v7.2.25 to v7.2.26
• Bcmath:
• Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046)
• Core:
• Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
• Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
• EXIF:
• Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050)
• Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047)
• scl-php73
• scl-php73-meta
• EA-8798: Update scl-php73 from v7.3.12 to v7.3.13
• Bcmath:
• Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046)
• Core:
• Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
• Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
• Fixed bug #78943 (mail() may release string with refcount==1 twice). (CVE-2019-11049)
• EXIF:
• Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050)
• Fixed bug #78910 (Heap-buffer-overflow READ in exif) (CVE-2019-11047)
This release includes a security patch that has been issued a fix for a CVE (Common Vulnerabilities and Exposures), the details of which are included below.
SUMMARY
cPanel, L.L.C. has updated RPMs for EasyApache 4 with PHP versions 7.2.26 and 7.3.13. This release addresses vulnerabilities related to CVE-2019-11046, CVE-2019-11044, CVE-2019-11045, CVE-2019-11049, CVE-2019-11050, and CVE-2019-11047. We strongly encourage all PHP 7.2 users to upgrade to version 7.2.26 and all PHP 7.3 users to upgrade to version 7.3.13.
© Cpanel
© Cpanel
December 18, 2019
With last week’s move to STABLE for Version 84, cPanel & WHM Version 82 has reached End of Life. This version will now only be supported by cPanel when upgrading to a supported version.
In accordance with our EOL policy, Version 82 will continue to function on servers where it is already installed. The last release of cPanel & WHM Version 84, 84.0.17, will remain on our mirrors indefinitely. However, no further updates, including fixes for known security flaws, will be provided for Version 82. Older releases of cPanel & WHM will be removed from our mirrors.
We recommend that all customers upgrade any existing installations of cPanel & WHM Version 82 to the most recent version of cPanel & WHM Version 84, which you can read about on https://releases.cpanel.net.
If your server setup complicates the process of upgrading to a supported version of cPanel & WHM (an upgrade blocker list is available at https://go.cpanel.net/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgable support team can provide recommendations, upgrade assistance, and more.
© Cpanel
© Cpanel
© Cpanel
© Cpanel
SEC-499
Summary
Authentication bypass due to variations in webmail username handling.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
© Cpanel
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv3 scores ranging from 2.5 to 8.8.
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
© Cpanel
We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on Slack, Discord, or Reddit to talk about this update and much more.
ea-cpanel-tools
ZC-5740: Add yum var to ea4_repo_uri_os.
ea-nodejs10
EA-8715: Update ea-nodejs10 to 10.17.0, drop 10.16.3.
php-cli
EA-7961: Remove deprecated -ea_php flag
scl-php71
scl-php71-meta
EA-8722: Update scl-php71 to 7.1.33, drop 7.1.32.
© Cpanel
© Cpanel
cPanel Announces Its Newest Partnership With Linode
October 29, 2019
cPanel, L.L.C., the Hosting Platform of Choice, announces its newest partnership with Linode, allowing simplified server management by providing access to cPanel & WHM® on Linode.
Houston, Texas, October 29, 2019 – cPanel is excited to announce a new partnership with independent open cloud provider Linode. cPanel & WHM is now available directly from the Linode Cloud Manager.
Interfacing seamlessly with CentOS7, the partnership brings together the simplicity and intuitiveness of cPanel & WHM with the reliability of Linux®. As a result, creating new websites and hosting environments is faster and easier than ever. cPanel & WHM on Linode allows users to access the full suite of robust cPanel features and world-class customer service. Users can not only manage their web hosting, they can also easily manage webmail, forwarding, email authentication, and handle spam all in one place.
© Cpanel
© Cpanel
© Cpanel
© Cpanel
We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! This release includes updates a number of PHP versions, libcurl, ea-tomcat85, openssl, apache2-config and more! Join us on Slack, Discord, or Reddit to talk about this update and much more.
• yum-plugin-universal-hooks
ZC-5357: skip duplicate members to avoid running a hook more than once for no reason
• scl-php54
• scl-php55
• scl-php56
• scl-php70
• scl-php71
• scl-php72
• scl-php73
EA-8549: Build php-fpm with pcntl
• libcurl
EA-8649: Update libcurl from v7.65.3 to v7.66.0
• ea-tomcat85
EA-8645: Update spec file to use %{version} in source file
© Cpanel
cPanel®, the Hosting Platform of ChoiceTM, announces a new technology partnership with Alibaba Cloud. cPanel & WHM® is immediately available in the Alibaba Cloud International Marketplace.
Houston, Texas, September 2019 – cPanel is excited to announce a new technology partnership with Alibaba Cloud. cPanel & WHM is immediately available in the Alibaba Cloud International Marketplace.
Established in 2009, Alibaba Cloud, the data intelligence backbone of Alibaba Group, is among the world’s top three IaaS providers, according to Gartner. It is also the largest provider of public cloud services in China, according to IDC. Alibaba Cloud provides a comprehensive suite of cloud computing services to businesses worldwide, including merchants doing business on Alibaba Group marketplaces, start-ups, corporations, and public services. The Alibaba Cloud International Marketplace offers a variety of pre-installed and secure software images on their Elastic Compute Service (ECS).
Integrating cPanel & WHM’s robust toolset and world-class support with Alibaba Cloud is a strategic next step for cPanel as it continues to expand its global presence. By partnering with Alibaba Cloud and making cPanel & WHM readily available, our customers can quickly deploy resources and grow their businesses on highly scalable and global infrastructure.
“We’re excited to partner with Alibaba Cloud–a leading Cloud provider to extend the global reach of cPanel and WHM. Alibaba’s strong presence across Asia provides our customers the opportunity to grow alongside cPanel in the global community,” said Todd Mitchell, Chief Operating Officer, cPanel, a WebPros company.
© Cpanel
