(May 15) Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having [More…]
(May 15) Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical [More…]
TSR-2014-0004
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having security impact levels ranging from Minor to Important.
Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
* 11.43.0.12 & Greater
* 11.42.1.16 & Greater
* 11.40.1.14 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.
SECURITY ISSUE INFORMATION
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 52 vulnerabilities in cPanel & WHM software versions 11.44, 11.42, and 11.40.
Additional information is scheduled for release on May 26th, 2014.
For information on cPanel & WHM Versions and the Release Process, read our documentation at: http://go.cpanel.net/versionformat
For the PGP-signed message, see http://cpanel.net/wp-content/uploads/2014/05/TSR-2014-0004-Accouncement.txt
If you would like to sign up for Security notices, please go to https://cpanel.net/mailing-lists.
The popular is.gd URL shortening service has been offline for more than two days, taking with it more than a billion shortened URLs. Shortly before the site disappeared on Sunday, the homepage reported that its links have been accessed nearly 50 billion times.
The shortened links generated are usually not more than 18 characters long, including the protocol http://. These links are commonly used in tweets, emails, and text messages where long URLs are impractical. Although the shortened links no longer work, many previously-created is.gd shortened URLs are still appearing on Twitter.
is.gd is owned and supported by UK hosting provider Memset, which planned to support it as a free service indefinitely. Notably, its sister site, v.gd, is still up and running. Other free services provided by Memset include TweetDownload, TweetDelete and the statistics calculator Tweetails.
For security reasons, both is.gd and v.gd disallow the shortening of URLs which use the data: and javascript: protocols. Nevertheless, the service is still abused by fraudsters who use the shortened URLs to direct victims to phishing sites. Some fraudsters have appended a query string to the shortened URL in an attempt to make it look similar to those used by the phishing target. For example, the following is.gd URL was used to redirect victims to a Taobao phishing site:
http://is.gd/Tb###U?2.taobao.com/item.htm?spm=2007.1000337
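As an added illustration (not code from the article or from is.gd), the Python below shows the two defender-side checks the passage implies: a submission-time scheme filter of the kind is.gd and v.gd apply, and a heuristic that flags a shortener link whose query string carries a domain name, run against a constructed URL modelled on the redacted one above. The shortener list and the hostname regex are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Shortener hosts named in the article; an assumed allow-list for this example.
SHORTENERS = {"is.gd", "v.gd", "tinyurl.com", "bit.ly", "goo.gl", "x.co"}

# Something that reads as a hostname (e.g. "2.taobao.com") and is not part of a
# path segment or a longer token. Assumed heuristic, not a shortener's own rule.
HOSTLIKE = re.compile(r"(?<![\w.\-/])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.I)


def target_allowed(target: str) -> bool:
    """Submission-time policy: accept only http(s) targets, so data: and
    javascript: links (the schemes is.gd and v.gd reject) are never shortened."""
    scheme = urlsplit(target.strip()).scheme.lower()
    return scheme in {"http", "https"}


def classify_short_url(url: str) -> dict:
    """Flag a shortened link whose query string carries a domain name.

    The shortener resolves only the path ("/abc123"); anything after '?' is
    ignored by it, so a hostname placed there exists only to be read by the
    person looking at the link, which is the trick described in the article.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {"shortener": host in SHORTENERS, "decoy_hosts": [], "suspicious": False}
    if not result["shortener"]:
        return result  # not a shortener link; this heuristic does not apply
    decoys = {m.group(0).lower() for m in HOSTLIKE.finditer(parts.query)}
    result["decoy_hosts"] = sorted(decoys)
    result["suspicious"] = bool(decoys)
    return result


if __name__ == "__main__":
    # Constructed sample modelled on the redacted is.gd link quoted above.
    sample = "http://is.gd/abc123?2.taobao.com/item.htm?spm=2007.1000337"
    print(classify_short_url(sample))
    # -> {'shortener': True, 'decoy_hosts': ['2.taobao.com'], 'suspicious': True}
    print(target_allowed("javascript:void(0)"))  # -> False
```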
Throughout April, is.gd was the fifth phishiest URL shortening service. By far the phishiest was tinyurl.com, which pointed to 17 times as many phishing sites, making it account for 60% of all phishing activity amongst the top five URL shortening services. Privately-held bit.ly, Google’s goo.gl and GoDaddy’s x.co also pointed to more phishing sites than is.gd.
Three years ago, the is.gd service suffered a shorter outage of a few hours. This was caused by the failure of some of the virtual machines in its frontend cloud, which were responsible for accepting HTTP requests from a load balancer.
(May 19) Security Report Summary