We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.
ea-apache24-mod-passengerEA-10945: ea-passenger-src was updated from v6.0.14 to v6.0.15ea-apache2-configEA-10935: Account for IPv6 addresses when setting up mod_remoteipEA-10912: Setup mod_remoteip to work with all the server IPs ea-nginxEA-10751: Leave X-Forwarded-Host blank for service subdomainsEA-10671: Calculate ‘server_names_hash_bucket_size’ and ‘server_names_hash_max_size’ at config timeEA-10913: “no resolver defined” error under a specific circumstance ea-nodejs16EA-10948: Update ea-nodejs16 from v16.17.0 to v16.17.1CVE-2022-32212: DNS rebinding in –inspect on macOS (High)CVE-2022-32213: bypass via obs-fold mechanic (Medium)CVE-2022-35255: Weak randomness in WebCrypto keygenCVE-2022-35256: HTTP Request Smuggling – Incorrect Parsing of Header Fields (Medium)ea-passenger-srcEA-10945: Update ea-passenger-src from v6.0.14 to v6.0.15ea-php80ZC-10260: Link deb against libcurl 4 explicitlyea-php81ZC-10260: Link deb against libcurl 4 explicitly ea-ruby27-passengerEA-10946: Update ea-ruby27-passenger from v6.0.14 to v6.0.15
This release includes a security patch that has been issued a fix for a CVE (Common Vulnerabilities and Exposures), the details of which are included below.
SUMMARY
cPanel, L.L.C. has updated packages for EasyApache 4 with NodeJS version 16.17.1. This release addresses vulnerabilities related to CVE-2022-32212, CVE-2022-32213, CVE-2022-35255, and CVE-2022-35256. We strongly encourage all NodeJS users to update to version 16.17.1.
AFFECTED VERSIONS
All versions of NodeJS through 16.17.0.
SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
