Case 69513 Summary World writable Logaholic directories allowed arbitrary code execution in varied contexts. Security Rating cPanel has assigned a Security Level of Important to this vulnerability. Description Multiple directories within /usr/local/cpanel/base/3rdparty/Logaholic were set world writable by default with permissions of 777. These directories contained, among other items, the global …
Archive for News
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels ranging from …
10/10/2013 Houston, TX – As previously announced in our cPanel & WHM 11.40 Webinar and at cPanel Conference 2013, cPanel, Inc. is thrilled to release cPanel & WHM software version 11.40, which is now available in the CURRENT tier. cPanel & WHM version 11.40 offers support for IPv6 and 1:1 …
IMPORTANT: cPanel Security Notice 2013-09-25: WordPress 3.6.1
SUMMARY Three CVEs were reported for WordPress 3.6 and WordPress has released an upgraded version to address these vulnerabilities. cPanel has updated the WordPress version delivered via the cPAddons functionality in WHM to the new version of 3.6.1. AFFECTED VERSIONS All versions of WordPress 3.6.0 and below. SECURITY RATING US-CERT/NIST …
TSR-2013-0009 Detailed Disclosure The following disclosure covers Targeted Security Release TSR-2013-0009, which was published on August 27th, 2013. Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels Case 73377 Summary An account’s cpmove archives were …
TSR-2013-0009 Announcement cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels …
SUMMARY The PHP development team announces the immediate availability of PHP 5.4.19 and PHP 5.5.3. These releases fix a bug in the patch for CVE-2013-4248 in the OpenSSL module and a compile failure with ZTS enabled in PHP 5.4. All PHP users are encouraged to upgrade to either PHP 5.5.3 …
SUMMARY The PHP development team has announced the immediate availability of PHP 5.5.2. This release contains approximately 20 bug fixes, including a security issue in the OpenSSL module (CVE-2013-4248) and a session fixation problem (CVE-2011-4718). All users of PHP are encouraged to upgrade to this release. cPanel has released EasyApache …
SUMMARY The PHP development team announces the immediate availability of PHP 5.4.18. About 30 bugs were fixed, including security issues CVE-2013-4113 and CVE-2013-4248. All users of PHP are encouraged to upgrade to this release. cPanel has released EasyApache 3.22.5 with this updated version of PHP 5.4.18 to address this issue. …
cPanel & WHM 11.32 reaches End of Life in August, 2013. That means there is less than one month left in the life cycle. In accordance with our [End of Life Policy](http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport), cPanel & WHM 11.32 will continue functioning on servers after reaching End of Life. No further updates, including …
SUMMARY The Apache HTTPD Server Project has released httpd-2.2.25 and httpd-2.4.6 to correct multiple vulnerabilities that were issued CVEs. Apache HTTP Server 2.2.25 CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to …
SUMMARY Mod_Security was found to have a Remote Null Pointer Dereference vulnerability that could cause it to crash. SECURITY RATING The cPanel Security Team has rated this update as having moderate security impact. Information on security ratings is available at: http://go.cpanel.net/securitylevels. DETAIL CVE-2013-2765 states: “When forceRequestBodyVariable action is triggered and …
The following disclosure covers TSR-2013-008, the Targeted Security Release published on July 15th, 2013. Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels Case 71121 Summary The Squirrelmail Webmail session file contained plain text …
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels ranging from …
EasyApache 3.20 Now Available, Including Tomcat 7
July 9, 2013 Houston, TX – cPanel, Inc. announces the release of EasyApache 3.20. The 3.20 release of EasyApache brings a number of improvements to the cPanel & WHM hosting platform. Notable among these is Tomcat 7, the modern means of providing Java web applications. Tomcat 7 provides a Tomcat Administrator …
cPanel Security Disclosure: TSR-2013-0007
Important: cPanel Security Disclosure TSR-2013-0007 The following disclosure covers the Targeted Security Release 2013-06-26. Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels Case 71193 Summary Local cPanel users are able to take over ownership of …
6/24/2013 Houston, TX – Anticipated this week, June 24th, 2013, 11.39 will be pushed to the EDGE tier. This new build includes the following changes and updates to cPanel & WHM software: - Added support for using cPanel & WHM in a 1:1 NAT environment - Dovecot is upgraded to version 2.2 and …
6/18/2013 Houston, TX- cPanel, Inc. announces the impending release of cPanel & WHM software version 11.38. cPanel & WHM software release 11.38, is anticipated to move to the STABLE tier the week of June 24, 2013. This release offers significant improvements to SSL Management and Backups. It also provides enhancements …
6/10/2013 Houston, TX- cPanel, Inc. announces the release of cPanel & WHM software version 11.38. cPanel & WHM software release 11.38, which goes to the RELEASE tier today, offers significant improvements to SSL Management and Backups. It also provides enhancements to jail shell, email auto configuration, and more. Improved SSL …
Update for cPanel & WHM Versions 11.38, 11.36, 11.34, & 11.32
cPanel, Inc. has published a security update for cPanel & WHM versions 11.38, 11.36, 11.34, and 11.32. This update resolves an issue with unchecked reseller privileges. We recommend all customers update to the latest build of each version as soon as possible. The cPanel Security Team has assigned a rating …
5/7/2013 Houston, TX- cPanel, Inc. announces the release of cPanel & WHM software version 11.38. cPanel & WHM software release 11.38, which releases to the CURRENT tier today, offers significant improvements to SSL Management and Backups. It also provides enhancements to jail shell, email auto configuration, and more. Improved SSL …
cPanel & WHM 11.34 reaches End Of Life October 15, 2013. That means there are only 6 months left in the life cycle. In accordance with our End of Life Policy [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport], cPanel & WHM software release 11.34 will continue functioning on servers after reaching end of life. No further …
April 8, 2013 Houston, TX – cPanel, Inc. announces the release of cPanel & WHM software version 11.36 to the STABLE tier. Included in this brand new software release are further improvements to the update system, building on work started with cPanel & WHM 11.30. A new staging step during installation …
Over the last few months, the Platform team of maintainers and developers have been talking about future directions. One of our goals for this year is to introduce namespacing. This has been a very large undertaking and as work has progressed, it became obvious that backward compatibility was going to be a constant battle. One of the negative side-effects of this would be that the Joomla CMS wouldn’t be able to use the planned 13.1 release of the Platform for some time if we introduced namespacing in that version.
After a lot of discussion both internally and with other developers in the community, in order to address the problem, as well as to take advantage of some new opportunities, we’ve decided to make some changes to the Platform.
cPanel & WHM Security Releases for 11.32, 11.34, and 11.36
cPanel has published security updates for all supported versions of cPanel & WHM. These updates contain fixes for a problem with the Roundcube webmail application. We recommend all customers update to the latest build of each version as soon as possible. The cPanel Security Team has assigned a rating of …
As part of the normal budgeting process, the Production Leadership Team has come up with six goals for 2013. Those goals concern releases of the Joomla Platform and the Joomla CMS, continuing maintenance updates, and outreach and promotion to a technical audience.
Goal #1: Complete Three Iterations of the Joomla Platform Project.
Our goal is to release at least three new versions of the Joomla Platform in 2013. The timing of releases is not exact and only used for the benefit of planning. As such, we anticipate the following releases this year.
- Platform Release 13.1 on or about 31 March, 2013
- Platform Release 13.2 on or about 30 June, 2013
- Platform Release 13.3 on or about 31 October, 2013
The following sub-goals are also envisioned for the Joomla Platform.
1.1 Define and Ratify the Version and Deprecation Strategy for the Platform.
The release strategy for the Joomla Platform differs a little from the CMS because we generally consider work within a “year” as opposed to work within a particular “version”. However, the system is a little ad hoc and we’d like to bring some clarity to releasing the Joomla Platform. In addition, we aim to ratify the deprecation policy.
1.2 Implement Tools to Assist with Collaboration
We aim to look at tools that can be used to assist people working collaboratively on features within the Joomla Platform, and also help people work out what they can do, be that in the area of development, documentation or even general administrative maintenance. Possible outcomes could include a better policy by which we use Joomla Platform’s issue tracker on Github, or looking at other tools like Jira.
1.3 Introduce Namespacing
We aim, this year, to introduce namespacing to the Joomla Platform and to bring the core source tree in compliance with PSR-1. Doing so will allow the Joomla Platform to be integrated with other PHP projects and give developers using the Joomla Platform more options.
1.4 Lift Code Coverage for Each Package to a Minimum of 50%
We want to challenge the Joomla development community to raise our code quality and, this year, to ensure that all packages in the core platform have no less than 50% code coverage (lines of code).
1.5 Add Complete Documentation for 5 New Packages in the Platform Manual
We want to encourage the Joomla development community to add complete documentation for at least five packages that currently do not have documentation.
Goal #2: Complete two full iterations of the Joomla CMS project.
We will release new versions of the Joomla CMS according to this schedule:
- CMS Release 3.1 in March, 2013
- CMS Release 3.2 in September, 2013
We will use PLT summits to discuss issues regarding the releases, supplemented by virtual meetings. We will examine and discuss ideas from the Joomla Ideas Pool, the Joomla Feature Patch Tracker and other sources. We will use these to announce visions or themes for CMS releases.
To accomplish this, we need volunteer developers, documenters, and translators. We will facilitate Pizza, Bugs and Fun (PBF) events, code and documentation sprints, working group meetings, Student programmes, Roadmap Sessions and other such events.
The following sub-goals are also envisioned for the Joomla CMS.
2.1 Lift Code Coverage for the CMS Libraries to 30%
We want to challenge the Joomla development community to raise our code quality and, this year, to ensure that the CMS libraries (the code found under /libraries/cms) have no less than 30% code coverage (lines of code).
2.1.1 Expand Test Coverage to Additional Code
In addition to unit testing the CMS libraries, unit test coverage should be expanded to other areas of the code, with a future goal of all PHP classes being testable. Prime candidates for unit testing would be the classes in the various /includes folders (application classes) and the FinderIndexer classes (administrator/components/com_finder/helpers/indexer).
2.2 Enforce Joomla Coding Standards in All CMS Files
Presently, the CMS is only enforcing a small subset of the Joomla Coding Standard, and excludes numerous files from being scanned for the various rules. Developers are encouraged to assist in bringing all files in compliance with the Joomla Coding Standards. This recognizes that the Joomla Coding Standard has different rules for alternate syntax in layout files.
2.3 Enforce Test Compliance Pre-Commit
The Joomla! CMS has numerous automated testing tools to assist in maintaining a high quality of code; however, patches to the CMS are not tested for compliance with these tests prior to being merged into the code base. The goal is to determine a method to enforce automated test compliance (unit and system testing, code standard compliance) without making the user contribution process more difficult.
Goal #3: Release maintenance updates to the current LTS and STS releases as required.
While the fun part is new features and releases, a major part of our responsibility is to the existing releases. Normal maintenance releases of an existing long term support release will be made until 3 months after the general availability of the next long term support release. Ongoing support of the short term releases continues until a month after a superseding release. The number, timing, and nature of the maintenance releases depends on the circumstances.
The Joomla Bug Squad and the Joomla Security Strike Team are the main volunteers spearheading this effort.
Goal #4: Outreach and promotion of Joomla to a technical audience.
The PLT aims to expand its outreach and promotion of Joomla to technical audiences, both those within and outside the Joomla project. We will do this by attending technical conferences and events, and speaking about current and future development within the project.
Members of the Joomla community will be invited to speak about and promote Joomla at events worldwide.
4.1 Participate in Google Summer of Code program
The Google Summer of Code program 2012 edition was very successful with several contributions to the Joomla Project (see http://conference.joomla.org/speakers/sessions/session/session/83-joomla-and-google-summer-of-code-2012.html). This year the Joomla Project plans to maintain support of this initiative and encourages the community to actively participate in the program.
4.2 Review and improve developer.joomla.org
We will be asking the development community to help us review the developer.joomla.org site to ensure that information is up-to-date, relevant and accurate. Our aim is that when people have questions about Joomla development, there is an easily found link on developer.joomla.org that they can be directed to that answers their question, or at least directs them to a place where they can find answers.
To do this, we will need a team of volunteers to help identify areas of the site that are missing content and need content modified.
Goal #5: Improve processes in Translating the Joomla Software and support the enhancement of the Joomla CMS multilingual system.
5.1 Support the creation of at least 3 new features on internationalization in Joomla CMS
Support the production teams in implementing improvements in the language areas of the project (“multilingual” and “language packages”). See these examples from 2012:
- News in Languages in Joomla 3.0.3: http://community.joomla.org/blogs/community/1714-languages-in-303-what-is-new.html
- News in Languages in Joomla 3.0.2: http://community.joomla.org/blogs/community/1695-multilanguage-in-302-whats-new.html
5.2 Halve the dedicated time needed by a Translation Team member to provide a language package for Joomla.
In agreement with the Translation Team, dedicate resources on improving processes and tools to automate the creation of translation packages and uploading them to the Joomla Languages Server.
5.3 Meet 3rd party developers' needs by translating their Joomla extensions and find ways to improve and cooperate together.
Projects like Facebook (http://www.insidefacebook.com/…), RememberTheMilk (http://www.rememberthemilk.com/…/) and other projects using https://www.transifex.com are taking advantage of their communities in order to localize their software. Joomla is being translated by its community into 64 languages, but there is plenty of space for more languages and more community participation. At the same time, many Joomla 3rd party developers are searching for a solution for how their communities can contribute to the translation of their extensions. It is a goal for 2013 to study and identify common needs between the Joomla project and 3rd party developers interested in joining efforts to plan a solution for increasing international community involvement in the translation of software. Some tools already exist that can be improved: http://extensions.joomla.org/extensions/languages/language-edition/17755
Goal #6: Refine and improve the user contribution process.
Since transitioning from SVN to Git in late 2011, the PLT has recognized that there have been struggles with the contribution process, particularly towards the CMS. Much of this headache exists in the issue/feature tracking processes, which are not connected to GitHub at present. The PLT aims to improve this process in 2013 by investigating ways to improve the existing Joomlacode infrastructure or evaluating the potential of implementing a new tracking system which suits the project requirements and improves the native integration with GitHub.
Community feedback requested
Feedback, comments, and discussion on the 2013 production goals are welcome. In order to facilitate communication, we encourage users to respond with their feedback on this thread on the Joomla General Development mailing list – https://groups.google.com/d/topic/joomla-dev-general/6K-mnKwzC2E/discussion.
cPanel & WHM 11.32 reaches end of life August 20, 2013. That means there are only 5 months left in the life cycle. In accordance with our End of Life Policy cPanel & WHM 11.32 will continue functioning on servers after reaching end of life. No further updates, including security …
March 11, 2013 Houston, TX – cPanel, Inc. announces the release of cPanel & WHM 11.36 to the RELEASE tier. Included in this brand new release are further improvements to the update system, building on work started with cPanel & WHM 11.30. A new staging step during installation allows a variety …
Important: cPanel & WHM 11.36, 11.34, and 11.32 Security Releases
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having important security impact. Information on …