cPanel advisories/updates


40 replies to this topic

#1 AplusWebMaster


Posted 15 December 2010 - 04:27 PM

FYI...

cPanel vuln - updates...
- http://secunia.com/advisories/42625
Release Date: 2010-12-15
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: cPanel 11.x
CVE Reference(s):
- http://web.nvd.nist....d=CVE-2010-4344
- http://web.nvd.nist....d=CVE-2010-4345
Solution: Apply patches available via cPanel's package management system.
Original Advisory:
- http://www.cpanel.ne...-2010-4344.html
- http://www.cpanel.ne...ity-update.html
"... rated as Critical by the cPanel Security team..."

:ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2 AplusWebMaster


Posted 01 June 2012 - 10:50 AM

FYI...

cPanel 2012-05-31 security update
- https://secunia.com/advisories/49363/
Last Update: 2012-06-05
Criticality level: Moderately critical
Impact: Unknown
Where: From remote ...
... vulnerabilities are reported in versions prior to 11.30.6.8, 11.32.2.28, and 11.32.3.19.
Solution: Update to version 11.30.6.8, 11.32.2.28, or 11.32.3.19.
Software: cPanel 11.x
Original Advisory: http://go.cpanel.net/changelog
Security Release 2012-05-31 Announcement
May 31, 2012 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system..."

:!: :ph34r:

Edited by AplusWebMaster, 04 July 2012 - 08:29 AM.



#3 AplusWebMaster


Posted 05 December 2012 - 08:53 AM

FYI...

cPanel - updates available
- https://secunia.com/advisories/51494/
Release Date: 2012-12-05
Criticality level: Moderately critical
Impact: Unknown
Where: From remote
Software: cPanel 11.x
... vulnerabilities are reported in versions prior to 11.30.7.4, 11.32.5.15, and 11.34.0.11.
Solution: Update to version 11.30.7.4, 11.32.5.15, or 11.34.0.11.
Original Advisory:
http://cpanel.net/im...anel-whm-11-30/
http://cpanel.net/im...ate-cpanel-whm/
http://cpanel.net/im...ase-cpanel-whm/

:!: :!: :ph34r:

Edited by AplusWebMaster, 05 December 2012 - 08:54 AM.



#4 AplusWebMaster


Posted 23 February 2013 - 10:59 AM

FYI...

SSHD rootkit in the wild
- https://isc.sans.edu...l?storyid=15229
Last Updated: 2013-02-22 18:32:22 UTC
"UPDATE: Over the night (depending on where you live), a lot of things happened... cPanel also posted a notice to their users that they have been compromised... keep in mind – if your servers are infected with the SSHD rootkit, the attackers will get your passwords/keys *anyway* ... So make sure that you check if your server has been compromised and that you clean it accordingly..."

- https://isc.sans.edu...d/15229#comment
Fri Feb 22 2013, 01:49 - "... just in from cpanel: Salutations... cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis. As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue..."

- http://atlas.arbor.n...dex#-1814325122
Elevated Severity
Feb 26, 2013
Source:  http://arstechnica.c...mediate-action/
Feb 23 2013

- http://blog.sucuri.n...ompromised.html
Feb 22, 2013

:ph34r: :grrr:


Edited by AplusWebMaster, 01 March 2013 - 06:47 AM.



#5 AplusWebMaster


Posted 26 February 2013 - 11:41 AM

FYI...

cPanel & WHM 11.36, 11.34, and 11.32 Security Releases
- https://cpanel.net/i...urity-releases/
Feb 26, 2013 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having important security impact. Information on security ratings is available at:
- http://go.cpanel.net/securitylevels

Determine Your System's Status
- http://docs.cpanel.n...tion/CompSystem
Feb 25, 2013

:ph34r: :ph34r:


Edited by AplusWebMaster, 28 February 2013 - 03:41 PM.



#6 AplusWebMaster


Posted 08 July 2013 - 10:48 AM

FYI...

cPanel cpanellogd vulns - update available
- https://secunia.com/advisories/53921/
Release Date: 2013-07-08
Criticality: Moderately Critical
Where: From remote
Impact: Privilege escalation
... vulnerabilities are reported in versions prior to 11.38.1.4, 11.38.0.19, 11.36.1.9, 11.34.1.17, and 11.32.6.8.
Solution: Update to version 11.38.1.4, 11.38.0.19, 11.36.1.9, 11.34.1.17, or 11.32.6.8.
Original Advisory: cPanel:
http://cpanel.net/cp...-tsr-2013-0007/
 

:ph34r:




#7 AplusWebMaster


Posted 14 August 2013 - 12:14 PM

FYI...

cPanel updated ...
- https://secunia.com/advisories/54455/
Release Date: 2013-08-14
Where: From remote
Impact: Hijacking, Manipulation of data
Solution Status: Vendor Patch
Software: cPanel 11.x
... vulnerabilities are reported in versions prior to 11.32.6.17, 11.34.1.25, 11.36.1.15, 11.38.1.13, and 11.39.0.5.
Solution: Update to version 11.32.6.17, 11.34.1.25, 11.36.1.15, 11.38.1.13, or 11.39.0.5.
Original Advisory: cPanel:
http://cpanel.net/ts...008-disclosure/

- http://httpupdate.cpanel.net/
 

:ph34r:


Edited by AplusWebMaster, 14 August 2013 - 12:15 PM.



#8 AplusWebMaster


Posted 03 September 2013 - 05:52 PM

FYI...

cPanel - updates available
- https://secunia.com/advisories/54601/
Release Date: 2013-09-03
Criticality: Moderately Critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, System access
Software: cPanel 11.x
... vulnerabilities... are reported in versions prior to 11.32.7.3, 11.34.2.4, 11.36.2.3, 11.38.2.6, and 11.39.0.15.
Solution: Update to version 11.32.7.3, 11.34.2.4, 11.36.2.3, 11.38.2.6, or 11.39.0.15.
Original Advisory: cPanel:
http://cpanel.net/se...ory-2013-08-27/
> http://cpanel.net/wp...dDisclosure.txt

> https://blog.rack911...rage-r911-0056/
https://blog.rack911...vice-r911-0054/ Impact: High
https://blog.rack911...tion-r911-0053/
https://blog.rack911...tion-r911-0052/ Impact: High
https://blog.rack911...ions-r911-0051/
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 04 September 2013 - 02:22 PM.



#9 AplusWebMaster


Posted 18 October 2013 - 07:21 AM

FYI...

cPanel CloudFlare Plugin - Privilege Escalation Vuln
- https://secunia.com/advisories/55273/
Release Date: 2013-10-18
Criticality: Moderately Critical
... vulnerability is reported in version 4.1. Prior versions may also be affected.
Solution: Update to version 4.2.
Original Advisory: Rack911:
https://blog.rack911...lity-r911-0080/
2013-10-15 - "... rated as CRITICAL due to the fact that root access can be obtained..."
 

:ph34r: :ph34r:




#10 AplusWebMaster


Posted 21 December 2013 - 07:50 AM

FYI...

cPanel updates ...
- https://secunia.com/advisories/56146/
Release Date: 2013-12-20
Criticality: Moderately Critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation
Software: cPanel 11.x
CVE Reference: https://web.nvd.nist...d=CVE-2013-6780
... security issue is reported in versions prior to 11.40.1.3, 11.40.0.29, and 11.38.2.13.
Solution: Update to version 11.40.1.3, 11.40.0.29, 11.38.2.13, or 11.36.2.10 or later.
Original Advisory: http://cpanel.net/ts...1-announcement/

- http://www.securityt....com/id/1029528
CVE Reference: https://web.nvd.nist...d=CVE-2013-6780
Dec 20 2013
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Solution: The vendor has issued a fix (11.36.2.10, 11.38.2.13, 11.40.1.3, 11.40.0.29).
- http://cpanel.net/ts...ull-disclosure/
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 23 December 2013 - 07:14 AM.



#11 AplusWebMaster


Posted 26 December 2013 - 09:12 AM

FYI...

cPanel 11.40.1.7 released
- https://secunia.com/advisories/56207/
Release Date: 2013-12-24
Where: From remote
Impact: Exposure of sensitive information
Software: cPanel 11.x
CVE Reference: No CVE references.
... vulnerability has been reported in cPanel, which can be exploited by malicious users to disclose potentially sensitive information.
... vulnerability is reported in versions prior to 11.40.1.7, 11.40.0.31, 11.38.2.15, and 11.36.2.12.
Solution: Update to version 11.40.1.7, 11.40.0.31, 11.38.2.15, or 11.36.2.12 or later.
Original Advisory: TSR 2013-0012:
http://cpanel.net/ts...ull-disclosure/
http://cpanel.net/ts...2-announcement/
"... changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels of Important..."

- http://www.securityt....com/id/1029531
Dec 24 2013
Impact: Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 11.36.2.12, 11.38.2.15, 11.40.0.31, 11.40.1.7
Solution: The vendor has issued a fix (11.36.2.12, 11.38.2.15, 11.40.0.31, 11.40.1.7).
The vendor's advisory is available at:
http://cpanel.net/ts...ull-disclosure/
 

:ph34r:




#12 AplusWebMaster


Posted 07 February 2014 - 12:02 PM

FYI...

cPanel Multiple Vulnerabilities
- https://secunia.com/advisories/56719/
Release Date: 2014-02-07
Criticality: Moderately Critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, System access
Solution Status: Vendor Patch
Software: cPanel 11.x
... weakness, multiple security issues, and multiple vulnerabilities have been reported in cPanel, which can be exploited by malicious, local users to gain escalated privileges and by malicious users to conduct script insertion attacks, bypass certain security restrictions, disclose certain sensitive information, manipulate certain data, and compromise a vulnerable system.
Solution: Update to version 11.38.2.16, 11.40.1.10, or 11.42.0.4.
Original Advisory:
cPanel (TSR-2014-0001):
http://cpanel.net/ts...announcement-2/
http://cpanel.net/ts...l-disclosure-1/
Rack911:
https://blog.rack911...lity-r911-0123/
https://blog.rack911...lity-r911-0124/
 

:ph34r: :ph34r:




#13 AplusWebMaster


Posted 01 April 2014 - 11:05 AM

FYI...

cPanel updates - TSR 2014-0003
- https://secunia.com/advisories/57576/
Release Date: 2014-04-01
Criticality: Moderately Critical
Where: From remote
Impact: Cross Site Scripting, Spoofing, Manipulation of data, Security Bypass, Exposure of sensitive information, System access ...
Two weaknesses, a security issue, and multiple vulnerabilities have been reported in cPanel...
cPanel TSR 2014-0003
Original Advisory:
- http://cpanel.net/cp...ull-disclosure/
"... issue is resolved in the following builds: 11.42.0.23, 11.40.1.13, 11.38.2.23 ..."
 

:ph34r:




#14 AplusWebMaster


Posted 26 May 2014 - 09:00 AM

FYI...

cPanel updates released ...
- https://secunia.com/advisories/58717/
Release Date: 2014-05-26
Criticality: Moderately Critical
Where: From remote
Impact: Unknown
Solution Status: Vendor Patch
Software: cPanel 11.x
... vulnerabilities are reported in versions prior to 11.43.0.12, 11.42.1.16, and 11.40.1.14.
Solution:
Update to version 11.43.0.12, 11.42.1.16, or 11.40.1.14.
Original Advisory: cPanel:
- http://cpanel.net/cp...4-announcement/
May 19, 2014
___

- http://www.securityt....com/id/1030287
CVE Reference: https://web.nvd.nist...d=CVE-2002-1575 - 5.0
May 27 2014
Impact: Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 11.40.1.14, 11.42.1.16, 11.43.0.12 ...
Solution: The vendor has issued a fix (11.40.1.14, 11.42.1.16, 11.43.0.12).
The vendor's advisory is available at:
- http://cpanel.net/cp...ull-disclosure/
May 26, 2014 - "... issue is resolved in the following builds: 11.43.0.12, 11.42.1.16, 11.40.1.14..."
 

:ph34r:


Edited by AplusWebMaster, 27 May 2014 - 05:23 AM.



#15 AplusWebMaster


Posted 25 July 2014 - 07:53 AM

FYI...

cPanel TSR-2014-0005 ...
- http://cpanel.net/cp...5-announcement/
July 21, 2014 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels ranging from Minor to Important... If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience... The following cPanel & WHM versions address all known vulnerabilities:
* 11.44.1.5 & Greater
* 11.44.0.29 & Greater
* 11.42.1.23 & Greater
* 11.40.1.18 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at - http://httpupdate.cpanel.net
... This Targeted Security Release addresses -22- vulnerabilities in cPanel & WHM software versions 11.44, 11.42, and 11.40..."
___

cPanel TSR-2014-0005 Full Disclosure
- http://cpanel.net/cp...ull-disclosure/
July 28, 2014
Summary: Limited SQL injection vulnerability in LeechProtect.
Security Rating: cPanel has assigned a Security Level of Minor to this vulnerability...
Solution: This issue is resolved in the following builds:
11.44.1.5
11.44.0.29
11.42.1.23
11.40.1.18 ...
 

:ph34r:


Edited by AplusWebMaster, 28 July 2014 - 02:33 PM.



#16 AplusWebMaster


Posted 07 August 2014 - 10:54 AM

FYI...

cPanel TSR-2014-0006
- http://cpanel.net/cp...-tsr-2014-0006/
Aug 4, 2014 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels of Moderate.
Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
* 11.44.1.11 & Greater
* 11.42.1.25 & Greater
* 11.40.1.20 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at
- http://httpupdate.cpanel.net
___

cPanel TSR-2014-0006 Full Disclosure
- http://cpanel.net/cp...ull-disclosure/
Aug 11, 2014 - "Summary: Bypass of account suspension via mod_userdir.
Security Rating: cPanel has assigned a Security Level of Moderate to this vulnerability.
Description: The fix for case 101677 in TSR-2014-0005 introduced a regression in account suspensions that allowed the web content of a suspended account to be viewed normally via Apache userdir style URLs. This has been corrected so that both NameVirtualHost and userdir access to the suspended account’s web content is blocked...
This issue is resolved in the following builds:
11.44.1.11
11.42.1.25
11.40.1.20 ..."
 

:ph34r:


Edited by AplusWebMaster, 11 August 2014 - 04:35 PM.



#17 AplusWebMaster


Posted 18 March 2015 - 08:47 AM

FYI...

cPanel 11.44.3.1, 11.46.3.1, 11.48.1.3 released
- http://cpanel.net/cp...2-announcement/
March 16, 2015
"... The following cPanel & WHM versions address all known vulnerabilities:
* 11.48.1.3 & Greater
* 11.46.3.1 & Greater
* 11.44.3.1 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
- http://httpupdate.cpanel.net
... The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 14 vulnerabilities in cPanel & WHM software versions 11.48, 11.46, and 11.44. Additional information is scheduled for release on March 17th, 2015."

Change Log
- https://documentatio...1.48 Change Log
Mar 17, 2015
- https://documentatio...1.46 Change Log

- https://documentatio...1.44 Change Log

- https://secunia.com/advisories/63468/
2015-03-17
... Some vulnerabilities with an unknown impact have been reported in cPanel.
The vulnerabilities are caused by an unspecified error. No further information is currently available.
The vulnerabilities are reported in versions prior to 11.44.3.1, 11.46.3.1, and 11.48.1.3.
Solution:
Update to version 11.44.3.1, 11.46.3.1, or 11.48.1.3.
Original Advisory:
TSR-2015-0002: http://cpanel.net/cp...2-announcement/
 

:ph34r:


Edited by AplusWebMaster, 18 March 2015 - 08:18 PM.



#18 AplusWebMaster


Posted 19 May 2015 - 06:56 AM

FYI...

cPanel TSR-2015-0003 Announcement
- http://news.cpanel.c...3-announcement/
May 18, 2015 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 4.0.
Information on cPanel’s security ratings is available at:
- http://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience...
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
11.48.4.4 & Greater
11.46.3.6 & Greater
11.44.3.5 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:

- http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time... Additional information is scheduled for release on May 19th, 2015."

- http://news.cpanel.c...nnouncement.txt
___

cPanel TSR-2015-0003 Full Disclosure
- http://news.cpanel.c...ull-disclosure/
May 19, 2015 - "... Summary: Access restrictions on mail routing information not properly enforced..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 19 May 2015 - 04:37 PM.



#19 AplusWebMaster


Posted 06 July 2015 - 01:16 PM

FYI...

cPanel 11.50 released
- http://news.cpanel.c...n-release-tier/
June 15, 2015

Change Log: https://documentatio...1.50 Change Log
... last modified on Jun 29, 2015

For cPanel & WHM version 11.50
> https://documentatio...tallation Guide

- https://documentatio...?pageId=1507796
last modified Jul 02, 2015

> http://httpupdate.cpanel.net/
 

:ph34r: :ph34r: ... Late


Edited by AplusWebMaster, 06 July 2015 - 01:31 PM.



#20 AplusWebMaster


Posted 27 July 2015 - 07:42 AM

FYI...

cPanel TSR-2015-0004
- http://news.cpanel.c...4-announcement/
July 20, 2015 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system... If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations..."

> http://news.cpanel.c...sclosure-delay/
July 21, 2015 - "Due to networking problems with cPanel’s mirrors, many cPanel & WHM systems did not auto-update for TSR-2015-0004. cPanel is delaying the release of vulnerability details for an additional 24 hours to allow these systems time to update..."

- http://news.cpanel.c...ull-disclosure/
July 22, 2015 - "Summary: Feature requirements not enforced correctly by adminbins...
Description: Several adminbin scripts did not properly verify the features enabled for the cPanel account running the adminbin script. This allowed cPanel users to perform some configuration functions that were disabled for the account...
Solution: This issue is resolved in the following builds:
11.50.0.27
11.48.4.6
11.46.3.8...

> http://news.cpanel.c...egory/security/
 

:ph34r: :ph34r:




#21 AplusWebMaster


Posted 26 September 2015 - 01:20 PM

FYI...

cPanel TSR-2015-0005
- http://news.cpanel.c...nnouncement.txt
Sep 21, 2015 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 6.0.
Information on cPanel's security ratings is available at:
- http://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES:
The following cPanel & WHM versions address all known vulnerabilities:
    11.50.1.3 & Greater
    11.50.0.31 & Greater
    11.48.4.7 & Greater
    11.46.3.9 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
- http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION:

The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses eight vulnerabilities in cPanel & WHM software versions 11.50, 11.48, and 11.46.
Additional information is scheduled for release on September 22, 2015..."
___

cPanel TSR-2015-0005 Full Disclosure
- http://news.cpanel.c...ull-disclosure/
Sep 22, 2015

Summary: Open redirect via /unprotected/redirect.html.

 

:ph34r: :ph34r:




#22 AplusWebMaster


Posted 06 October 2015 - 03:37 PM

FYI...

Notice: 11.46 to EOL in 1 Month

- http://news.cpanel.c...eol-in-1-month/
Oct 6, 2015 - "cPanel & WHM 11.46 is set to reach End of Life at the end of October 2015.
In accordance with our EOL policy http://go.cpanel.net/longtermsupport, 11.46 will continue functioning on servers. However, no further updates, such as security fixes and installations, will be provided for 11.46 after it reaches EOL. We recommend that all customers migrate any existing installations of cPanel & WHM 11.46 to a newer version (either 11.48 or 11.50)..."

> https://documentatio...sesofcPanel
11.46    October 2014    October 2015

Change Logs:
- https://documentatio...ALD/Change Logs
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 07 October 2015 - 12:42 PM.



#23 AplusWebMaster


Posted 09 December 2015 - 10:17 AM

FYI...

11.48 to EOL in 2 Months
- http://news.cpanel.c...ol-in-2-months/
Dec 7, 2015 - "cPanel & WHM 11.48 is set to reach End of Life at the end of January 2016. In accordance with our EOL policy*, 11.48 will continue functioning on servers. However, no further updates, such as security fixes and installations, will be provided for 11.48 after it reaches EOL. We recommend that all customers migrate any existing installations of cPanel & WHM 11.48 to a newer version (either 11.50 or 11.52)..."
* https://documentatio...?pageId=1507947
 

:ph34r: :ph34r:




#24 AplusWebMaster


Posted 05 January 2016 - 12:28 PM

FYI...

cPanel & WHM 54
- https://news.cpanel....n-current-tier/
Jan 4, 2016 - "cPanel, Inc. has released cPanel & WHM software version 54, which is now available in the CURRENT tier. In a departure from our usual version number, we’ve dropped the “11” from cPanel & WHM releases. This change provides increased clarity for our partners and users while more accurately reflecting the product’s progression..."

54 Release Notes
- https://documentatio...4 Release Notes
Jan 05, 2016

Change Logs
- https://documentatio...D/54 Change Log

> http://httpupdate.cpanel.net/
 

:ph34r:




#25 AplusWebMaster


Posted 19 January 2016 - 10:17 AM

FYI...

cPanel TSR-2016-0001 Announcement
- https://news.cpanel....1-announcement/
2016-01-18 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system... The following cPanel & WHM versions address all known vulnerabilities:
11.54.0.4 & Greater
11.52.2.4 & Greater
11.50.4.3 & Greater
11.48.5.2 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at
- http://httpupdate.cpanel.net "

> https://securedownloads.cpanel.net/
 

:ph34r: :ph34r:




#26 AplusWebMaster


Posted 26 January 2016 - 09:33 PM

FYI...

cPanel TSR-2016-0001 Full Disclosure
- https://news.cpanel....ull-disclosure/
Jan 26, 2016
(Full list at the URL above.)

> https://news.cpanel....-Disclosure.txt
___

>> https://news.cpanel....egory/security/

Important Information for Manage2 Users
- https://news.cpanel....-manage2-users/
Jan 23, 2016 - "... one of our user databases may have been breached. Although we successfully interrupted the breach, it is still possible that user contact information may have been susceptible. The customer contact information that may have been susceptible is limited to names, contact information, and encrypted (and salted) passwords. Please note that our credit card information is stored in a separate system designed for credit card storage and is not impacted by this possible breach. Although current passwords are stored salted and encrypted, we are accelerating our move to stronger password encryption at the same time in order to minimize disruption. In order to safeguard the system, we will force all users with older password encryption to change their passwords. It is important to highlight that this incident was not related to cPanel products or the Targeted Security Release published on January 18th. We apologize for any inconvenience this may cause.
Please go to the Manage2 login page and click the forgot password link*. Please don’t hesitate to contact cPanel Customer Service if you need help resetting your password...
PGP Signed version of this document here:
- https://news.cpanel....unication-1.txt "

Important Information for cPanel Store Users
- https://news.cpanel....el-store-users/
Jan 23, 2016 - "... Please go to the cPanel Store login page** and click the forgot password link..."

* https://manage2.cpanel.net/

** https://store.cpanel.net/login/
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 26 January 2016 - 10:07 PM.



#27 AplusWebMaster


Posted 17 February 2016 - 03:29 PM

FYI...

cPanel Security Team: glibc CVE-2015-7547
- https://news.cpanel....-cve-2015-7547/
Feb 17, 2016 - "CVE-2015-7547 is a critical vulnerability in glibc affecting any versions greater than 2.9. The DNS client side resolver function getaddrinfo() used in the glibc library is vulnerable to a stack-based buffer overflow attack. This can be exploited in a variety of scenarios, including man-in-the-middle attacks, maliciously crafted domain names, and malicious DNS servers.
What does this mean for cPanel servers?
The glibc library is provided by your operating system vendor, which is one of Red Hat, CentOS, or Cloud Linux. All supported distros have published patched versions of glibc to their mirrors to address CVE-2015-7547.
To update any affected servers, do the following:
1. Log into your server via SSH with root privileges
2. Run “yum clean all” to clear YUM’s local caches
3. Run “yum update” to install the patched version of glibc
4. After glibc is updated you should reboot the system to ensure all daemons load the newer version of the library.
You can ensure you are updated by running the command “rpm -q glibc”. The package information displayed should match the version numbers provided by Red Hat at:
- https://access.redha...rticles/2161461
Red Hat Enterprise Linux 7 – glibc-2.17-106.el7_2.4
Red Hat Enterprise Linux 6 – glibc-2.12-1.166.el6_7.7
Notifications about security updates for Red Hat, CentOS, and CloudLinux can be found at the following URLs:
Red Hat: http://www.redhat.co...o/rhsa-announce
CentOS: http://lists.centos....centos-announce
CloudLinux: http://cloudlinux.com/blog/
What steps do I need to take as an Admin/root of our servers running cPanel & WHM?
Once the RPM of glibc has been updated and the system rebooted, you are fully protected.
cPanel also recommends that you configure the system to automatically update both the base operating system and the cPanel & WHM software automatically. These settings are located in WHM’s “Update Preferences” interface.
For the PGP-Signed version of this announcement please see:
- http://news.cpanel.c...libc_notice.txt
___

- https://www.us-cert....c-Vulnerability
Feb 17, 2016
___

> https://web.nvd.nist...d=CVE-2015-7547
8.1 High
Last revised: 02/19/2016

- https://isc.sans.edu...l?storyid=20737
2016-02-16 - "... The exploit will likely trigger a DNS lookup from a vulnerable system..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 22 February 2016 - 08:07 AM.

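As an added example (not from the cPanel post or Red Hat), a POSIX shell check that compares the package names printed by "rpm -q glibc" against the two fixed builds quoted above. The sample rpm output is constructed, and the version ordering relies on GNU sort -V, which is assumed to agree with rpm's ordering for these release strings.

```shell
#!/bin/sh
# Added example: is the installed glibc at or above the CVE-2015-7547 fixed
# build for its Enterprise Linux release?  Reference builds are the two
# quoted from the Red Hat article in the post above.
GLIBC_FIXED_EL7="glibc-2.17-106.el7_2.4"
GLIBC_FIXED_EL6="glibc-2.12-1.166.el6_7.7"

# fixed_for NVR -> prints the reference build for the package's release tag
# (".el7" or ".el6"); fails for anything else (Fedora, other distros).
fixed_for() {
    case "$1" in
        *.el7*) echo "$GLIBC_FIXED_EL7" ;;
        *.el6*) echo "$GLIBC_FIXED_EL6" ;;
        *) return 1 ;;
    esac
}

# glibc_is_patched NVR -> 0 if NVR >= fixed build for its release,
#                         1 if it is older, 2 if the release is unknown.
# The architecture suffix rpm appends (.x86_64, .i686, ...) is stripped so
# the comparison is purely on version-release.  Ordering uses sort -V
# (GNU coreutils); for these dotted numeric strings it matches rpm's order.
glibc_is_patched() {
    installed=$(printf '%s' "$1" | sed -E 's/\.(x86_64|i686|i386|noarch)$//')
    fixed=$(fixed_for "$installed") || return 2
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    # If the fixed build sorts lowest (or equal), the installed one is newer or equal.
    [ "$lowest" = "$fixed" ]
}

# check_all "<rpm -q glibc output>" -> 0 only if every listed package is
# patched.  Multilib hosts print one line per architecture, and an old
# i686 glibc is still loaded by 32-bit programs, so every line must pass.
check_all() {
    status=0
    for nvr in $1; do
        rc=0
        glibc_is_patched "$nvr" || rc=$?
        case $rc in
            0) echo "OK      $nvr" ;;
            1) echo "UPDATE  $nvr"; status=1 ;;
            *) echo "UNKNOWN $nvr (not an el6/el7 build)"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample of "rpm -q glibc" on a multilib CentOS 7 host: the
# 64-bit package is patched but the 32-bit one lags behind.
SAMPLE_RPM_Q="glibc-2.17-106.el7_2.4.x86_64
glibc-2.17-106.el7_2.1.i686"

# On a real host feed in the live output instead: check_all "$(rpm -q glibc)"
check_all "$SAMPLE_RPM_Q" || echo "=> at least one glibc package needs updating (then reboot)"
```

The reboot step from the post still applies after "yum update": a patched package on disk does nothing for daemons that already mapped the old library.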


#28 AplusWebMaster


Posted 02 March 2016 - 10:20 PM

FYI...

cPanel Security Team: exim CVE-2016-1531
- https://news.cpanel....-cve-2016-1531/
March 2, 2016
"Background Information: On Wednesday, March 2, 2016, Exim announced a vulnerability in all versions of the Exim software.
Impact: According to Exim development: “All installations having Exim set-uid root and using ‘perl_startup’ are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (this is normally *any* user) can gain root privileges.”
Releases: The following versions of cPanel & WHM were patched to have the correct version of Exim. All previous versions of cPanel & WHM, including 11.48.x and below, are vulnerable to a set-uid attack on Exim.
11.50 11.50.5.0
11.52 11.52.4.0
11.54 11.54.0.18
EDGE 11.55.9999.106
CURRENT 11.54.0.18
RELEASE 11.54.0.18
STABLE 11.54.0.18
How to determine if your server is up to date: The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:
rpm -q --changelog exim | grep CVE-2016-1531
The output should resemble below:
- - Fixes CVE-2016-1531
What to do if you are not up to date: If your server is not running one of the above versions, update immediately. You can upgrade your server by navigating to WHM Home > cPanel > Upgrade to Latest Version and clicking “Click to Upgrade”: https://documentatio...ate Preferences "
(More detail at the cpanel URL at the top of this post.)
 

:ph34r: :ph34r:




#29 AplusWebMaster


Posted 22 March 2016 - 05:01 PM

FYI...

cPanel TSR-2016-0002 Announcement
- https://news.cpanel....2-announcement/
March 21, 2016 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 8.5...
RELEASES:
The following cPanel & WHM versions address all known vulnerabilities:
11.54.0.20 & Greater
11.52.4.1 & Greater
11.50.5.2 & Greater ...
The latest public releases of cPanel & WHM for all update tiers are available at
- http://httpupdate.cpanel.net "
___

cPanel TSR-2016-0002 Full Disclosure
- https://news.cpanel....ull-disclosure/
March 22, 2016
Description: Daemonized code is not fully detached from its parent process. This allows an attacker to control a TTY they do not own...
Solution: This issue is resolved in the following builds:
11.54.0.20
11.52.4.1
11.50.5.2 ..."

Change Logs
> https://documentatio...ALD/Change Logs
___

- http://www.securityt....com/id/1035427
Mar 29 2016
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 11.50.5.2, 11.52.4.1, 11.54.0.20 ...
Solution: The vendor has issued a fix (11.50.5.2, 11.52.4.1, 11.54.0.20)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 31 March 2016 - 08:33 AM.



#30 AplusWebMaster


Posted 27 April 2016 - 10:04 AM

FYI...

cPanel & WHM 56
- https://news.cpanel....n-release-tier/
April 26, 2016 - "cPanel, Inc. has released cPanel & WHM software version 56, which is now available in the RELEASE tier*..."

* https://documentatio...-Term%20Support
___

- https://myonlinesecu...4-x-to-11-56-x/
April 26, 2016

>> https://forums.cpanel.net/
 

:ph34r:


Edited by AplusWebMaster, 29 April 2016 - 09:55 AM.



#31 AplusWebMaster


Posted 06 May 2016 - 07:51 AM

FYI...

cPanel Security Team – CVE-2016-3714 ImageMagick
- https://news.cpanel....14-imagemagick/
May 4, 2016 - "... ImageMagick announced a vulnerability in all versions of the ImageMagick software. ImageMagick is a software package commonly used by web services to process images.
Impact: One of the reported vulnerabilities can potentially be exploited for remote code execution (RCE)..."
(Mitigation and more info at the URL above.)

> https://web.nvd.nist...d=CVE-2016-3714
Last revised: 05/06/2016
10.0 HIGH

- https://documentatio...714 ImageMagick

- https://www.us-cert....k-Vulnerability
Last revised: May 05, 2016
___

> https://blog.qualys....sday-may-2015-2
May 10, 2016 - "... a workaround has been published that neutralizes current attacks. We recommend the same thing the attackers are doing: scan your infrastructure for occurrences of ImageMagick and then apply the workaround in the policy.xml file..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 10 May 2016 - 12:48 PM.



#32 AplusWebMaster


Posted 16 May 2016 - 03:12 PM

FYI...

cPanel TSR-2016-0003
- https://news.cpanel....3-announcement/
May 16, 2016 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 7.6... If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience...
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
11.56.0.15 & Greater
11.54.0.24 & Greater
11.52.6.1 & Greater
11.50.6.2 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
http://httpupdate.cpanel.net
... Additional information is scheduled for release on May 17, 2016..."
___

cPanel TSR-2016-0003 Full Disclosure
- https://news.cpanel....ull-disclosure/
May 17, 2016
Summary: SQLite journal allowed for arbitrary file overwrite during Horde Restore.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 6.6 (AV:N/AC:H/Au:S/C:C/I:C/A:N)
Description: During a Horde restore using the old-style CSV data files, the SQLite database is opened as the user. However, actual writes were done as root, and SQLite does not open the journal file until these writes are made. This allowed the journal file to be opened as the root user permitting arbitrary files to be overwritten...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 17 May 2016 - 01:47 PM.



#33 AplusWebMaster


Posted 18 July 2016 - 04:45 PM

FYI...

cPanel TSR-2016-0004
- https://news.cpanel....4-announcement/
July 18, 2016 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 1.0 to 6.8...
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
11.58.0.4 & Greater
11.56.0.27 & Greater
11.54.0.26 & Greater
11.52.6.2 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION: The cPanel security team identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses -7- vulnerabilities in cPanel & WHM software versions 11.58, 11.56, 11.54, and 11.52. Additional information is scheduled for release on July 19, 2016..."
___

cPanel TSR-2016-0004 Full Disclosure
- https://news.cpanel....ull-disclosure/
July 19, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 19 July 2016 - 03:02 PM.



#34 AplusWebMaster


Posted 23 August 2016 - 02:37 PM

FYI...

cPanel & WHM 58
- https://news.cpanel....in-stable-tier/
Aug 23, 2016 - "cPanel, Inc. has released cPanel & WHM software version 58, which is now available in the STABLE tier*..."
* https://documentatio...ng-Term Support
 

:ph34r:




#35 AplusWebMaster


Posted 19 September 2016 - 03:22 PM

FYI...

cPanel TSR-2016-0005 Announcement
- https://news.cpanel....5-announcement/
Sep 19, 2016 - cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 4.3 to 6.3.
Information on cPanel’s security ratings is available at
- https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
11.58.0.29 & Greater
11.56.0.34 & Greater
11.54.0.29 & Greater
11.52.6.6 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net
Additional information is scheduled for release on September 20, 2016.
For information on cPanel & WHM Versions and the Release Process, read our documentation at:

- https://go.cpanel.net/versionformat
___

cPanel TSR-2016-0005 Full Disclosure
- https://news.cpanel....ull-disclosure/
Sep 20, 2016 - "SEC-141 - Summary:
Code execution as other accounts via mailman list archives.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Description: The sticky-group bit applied to mailman’s list archive directories allowed list owners to modify the contents of these directories. This could be used to execute arbitrary code as other accounts on the system...
Solution: This issue is resolved in the following builds:
11.58.0.29
11.56.0.34
11.54.0.29
11.52.6.6
SEC-152 - Summary:
Arbitrary code execution due to faulty shebang in Mail::SPF scripts.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
Description: The scripts provided with the Mail::SPF Perl module in cPanel & WHM used /usr/bin/perl rather than /usr/local/cpanel/3rdparty/bin/perl as their interpreter. If executed in an unsafe directory, this could cause untrusted code to load and execute...
Solution: This issue is resolved in the following builds:
11.58.0.29
11.56.0.34
11.54.0.29
11.52.6.6
SEC-154 - Summary:
Arbitrary file read due to multipart form processing error.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N)
Description: The Cpanel::Form::parseform() function was found to mishandle some invalid combinations of multipart form data in ways that allowed the reading of arbitrary files in several WHM interfaces...
Solution: This issue is resolved in the following builds:
11.58.0.29
11.56.0.34
11.54.0.29
11.52.6.6
SEC-156 - Summary:
Stored XSS Vulnerability in WHM tail_upcp2.cgi interface.
Security Rating: cPanel has assigned this vulnerability a CVSSv2 score of 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description: The tail_upcp2.cgi script displays the log output of the cPanel & WHM update process. The output includes portions of log files that contain untrusted data. In some cases, this untrusted output was not properly escaped...
Solution: This issue is resolved in the following builds:
11.58.0.29
11.56.0.34
11.54.0.29
11.52.6.6 ..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 20 September 2016 - 02:56 PM.



#36 AplusWebMaster


Posted 31 October 2016 - 12:50 PM

FYI...

cPanel & WHM Version 11.52 Now End of Life...
Version 54 at the End of Jan. 2017
- https://news.cpanel....nd-of-jan-2017/
Oct 31, 2016 - "cPanel version 11.52 reached End of Life September 30th, 2016. In accordance with our EOL policy
( https://go.cpanel.com/longtermsupport) 11.52 will continue functioning on servers where it is already installed. The last release of cPanel & WHM 11.52, 11.52.6.6, will remain on our mirrors indefinitely. However, no further updates, such as security fixes and installations, will be provided for 11.52. Older releases of cPanel & WHM 11.52 will be removed from our mirrors.
cPanel & WHM version 54 will reach End of Life at the end of January, 2017. In accordance with our EOL policy ( https://go.cpanel.com/longtermsupport), 54 will continue functioning on servers where it is already installed. However, no further updates, such as security fixes and installations, will be provided for 54 after it reaches EOL.
We recommend that all customers migrate any existing installations of cPanel & WHM 54 to version 60, which you can read more about at the cPanel release site https://releases.cpanel.com
If your server setup complicates the process of migrating to a newer version of cPanel & WHM (an upgrade blocker list is available at https://go.cpanel.com/blockers), then cPanel is here to help. Simply open a support ticket at https://tickets.cpanel.net/submit so that our knowledgeable support team can provide recommendations, migration assistance, and more."
 

:ph34r:




#37 AplusWebMaster


Posted 22 November 2016 - 08:18 AM

FYI...

cPanel TSR-2016-0006 Announcement
- https://news.cpanel....6-announcement/
Nov 21, 2016 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having CVSSv2 scores ranging from 1.7 to 7.1.
Information on cPanel’s security ratings is available at:
- https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience...
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
11.60.0.25 & Greater
11.58.0.37 & Greater
11.56.0.39 & Greater
11.54.0.33 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
- http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION:
The cPanel security team identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 26 vulnerabilities in cPanel & WHM software versions 11.60, 11.58, 11.56, and 11.54. Additional information is scheduled for release on November 22, 2016..."
___

cPanel TSR-2016-0006 Full Disclosure
- https://news.cpanel....ull-disclosure/
Nov 22, 2016
- https://news.cpanel.....disclosure.txt
 

:ph34r:


Edited by AplusWebMaster, 22 November 2016 - 04:05 PM.



#38 AplusWebMaster


Posted 16 January 2017 - 10:41 PM

FYI...

cPanel TSR-2017-0001
- https://news.cpanel....1-announcement/
Jan 16, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from 2.1 to 6.8.
Information on cPanel’s security ratings is available at https://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
62.0.4 & Greater
60.0.35 & Greater
58.0.43 & Greater
56.0.43 & Greater
54.0.36 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 17 vulnerabilities in cPanel & WHM software versions 11.62, 11.60, 11.58, 11.56, and 11.54.
Additional information is scheduled for release on January 17, 2017..."
___

TSR-2017-0001 Full Disclosure
- https://news.cpanel....ull-disclosure/
Jan 17, 2017 - "SEC-196 - SEC-216
Solution: ... resolved in the following builds:
60.0.35
58.0.43
56.0.43
54.0.36 ..."
 

:ph34r:


Edited by AplusWebMaster, 17 January 2017 - 03:19 PM.



#39 AplusWebMaster


Posted 20 March 2017 - 04:05 PM

FYI...

cPanel TSR-2017-0002 Announcement
- https://news.cpanel....2-announcement/
March 20, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv3 scores ranging from 2.4 to 8.8. Information on cPanel’s security ratings is available at:
- https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES:
The following cPanel & WHM versions address all known vulnerabilities:
11.62.0.17 & Greater
11.60.0.39 & Greater
11.58.0.45 & Greater
11.56.0.46 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at:
- http://httpupdate.cpanel.net
SECURITY ISSUE INFORMATION
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 15 vulnerabilities in cPanel & WHM software versions 11.62, 11.60, 11.58, and 11.56.
Additional information is scheduled for release on March 21, 2017.
For information on cPanel & WHM Versions and the Release Process, read our documentation at:
- https://go.cpanel.net/versionformat "
___

cPanel TSR-2017-0002 Full Disclosure
- https://news.cpanel....ull-disclosure/
March 21, 2017
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 21 March 2017 - 05:01 PM.



#40 AplusWebMaster


Posted 15 May 2017 - 04:47 PM

FYI...

cPanel TSR-2017-0003 Announcement
- https://news.cpanel....3-announcement/
May 15, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv3 scores ranging from 2.2 to 8.8. Information on cPanel’s security ratings is available at:
- https://go.cpanel.net/securitylevels
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
64.0.21 & Greater
62.0.24 & Greater
60.0.43 & Greater
58.0.49 & Greater
56.0.49 & Greater ...
cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 24 vulnerabilities in cPanel & WHM software versions 64, 62, 60, 58, and 56. Additional information is scheduled for release on May 16, 2017..."
___

cPanel TSR-2017-0003 Disclosure Delay
- https://news.cpanel....sclosure-delay/
May 16, 2017 - "We are delaying the cPanel TSR-2017-0003 Disclosure for an additional 24 hours. The Disclosure will now be published May 17, 2017."
___

cPanel TSR-2017-0003 Full Disclosure
- https://news.cpanel....ull-disclosure/
May 17, 2017
 

:ninja: :ninja:


Edited by AplusWebMaster, 18 May 2017 - 05:40 AM.



#41 AplusWebMaster


Posted 17 July 2017 - 02:51 PM

FYI...

cPanel TSR-2017-0004
- https://news.cpanel....4-announcement/
July 17, 2017 - "cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv3 scores ranging from 2.2 to 5.0...
RELEASES: The following cPanel & WHM versions address all known vulnerabilities:
66.0.2 & Greater
64.0.33 & Greater
62.0.27 & Greater
60.0.45 & Greater
58.0.52 & Greater
56.0.51 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.
SECURITY ISSUE INFORMATION: The cPanel Security Team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses -18- vulnerabilities in cPanel & WHM software versions 66, 64, 62, 60, 58, and 56.
Additional information is scheduled for release on July 18, 2017."
___

- https://news.cpanel....ull-disclosure/
July 18, 2017
 

:ninja: :ninja:


Edited by AplusWebMaster, 18 July 2017 - 08:11 PM.





