(Dec 16) Security Report Summary
Red Hat: 2013:1829-01: nss, nspr, and nss-util: Important Advisory
(Dec 12) Updated nss, nspr, and nss-util packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having …
Red Hat: 2013:1801-01: kernel: Important Advisory
(Dec 12) Updated kernel packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having …
cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.
cPanel has rated these updates as having security impact levels ranging from Minor to Important.
Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.
RELEASES
The following cPanel & WHM versions address all known vulnerabilities:
* 11.40.1.3 & Greater
* 11.40.0.29 & Greater
* 11.38.2.13 & Greater
* 11.36.2.10 & Greater
The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.
SECURITY ISSUE INFORMATION
The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 22 vulnerabilities in cPanel & WHM software versions 11.40, 11.38, and 11.36.
Additional information is scheduled for release on December 18, 2013.
For information on cPanel & WHM Versions and the Release Process, read our documentation at: http://go.cpanel.net/versionformat
For the PGP-signed message, see TSA-2013-0011.
SUMMARY
cPanel, Inc. has released EasyApache 3.22.25 with PHP versions 5.3.28, 5.4.23, and 5.5.7. This release addresses PHP vulnerabilities CVE-2013-4073 and CVE-2013-6420 by fixing bugs in the OpenSSL module. We encourage all PHP users to upgrade to PHP versions 5.3.28, 5.4.23, and 5.5.7.
AFFECTED VERSIONS
All versions of PHP 5.3 before 5.3.28.
All versions of PHP 5.4 before 5.4.23.
All versions of PHP 5.5 before 5.5.7.
SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
CVE-2013-4073 – MEDIUM
PHP 5.3.28
Fixed bug in the OpenSSL module related to CVE-2013-4073.
CVE-2013-6420 – MEDIUM
PHP 5.3.28
Fixed bug in the OpenSSL module related to CVE-2013-6420.
PHP 5.4.23
Fixed bug in the OpenSSL module related to CVE-2013-6420.
PHP 5.5.7
Fixed bug in the OpenSSL module related to CVE-2013-6420.
SOLUTION
cPanel, Inc. has released EasyApache 3.22.25 with updated versions of PHP 5.3, 5.4, and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of PHP.
REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4073
http://www.php.net/ChangeLog-5.php#5.3.28
For the PGP-signed message, see EA3-CVE-3-22-25-signed.