(Jun 26) It was discovered that puppet, a centralized configuration management system, did not correctly handle YAML payloads. A remote attacker could use a specially-crafted payload to execute arbitrary code on the puppet master. [More…]
(Jun 26) Multiple security issues have been found in Iceweasel, Debian’s version of the Mozilla Firefox web browser: Multiple memory safety errors, use-after-free vulnerabilities, missing permission checks, incorrect memory handling and other implementaton errors may lead to the execution [More…]
(Jun 26) Several security issues were fixed in Thunderbird.
(Jun 25) Updated curl packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More…]
Important: cPanel Security Disclosure TSR-2013-0007
The following disclosure covers the Targeted Security Release 2013-06-26.
Each vulnerability is assigned an internal case number which is reflected below.
Information regarding the cPanel Security Level rankings can be found here:http://go.cpanel.net/securitylevels
Case 71193
Summary
Local cPanel users are able to take over ownership of any file or directory on the system.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. During the preparatory steps for archiving, Cpanel::Logs::prep_logs_path performs a variety of checks to ensure a proper operating environment exists. A number of these checks are performed by a root-privileged process on files and directories in a user’s home directory. A malicious user could take advantage of this behavior to take ownership of important files on the same file system as his home directory.
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
Case 71109
Summary
Local cPanel users are able to take over ownership of any file or directory on the system.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.
Description
The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. When cpanellogd creates these archives, some operations are performed by a root-privileged process in the user’s home directory. Through the use of a carefully crafted hard link a malicious user could take advantage of this behavior to take ownership of any file on the same file system as his home directory.
This issue was discovered by the cPanel Security Team.
Solution
This issue is resolved in the following builds:
* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.
For the PGP Signed Message, Please go here.
50 queries. 8.75 mb Memory usage. 0.309 seconds.