(May 15) An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More…]
Comment
(May 15) Updated acroread packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More…]
The following bugs have been fixed:
[-]Impossibility to execute API-RPC requests in Power User Mode when “Custom View Settings” is enabled.
[-]Impossibility to set autoresponder in case of Qmail MTA when there a lot of mail aliases for a mail name.
cPanel, Inc. has published a security update for cPanel & WHM versions 11.38, 11.36, 11.34, and 11.32. This update resolves an issue with unchecked reseller privileges. We recommend all customers update to the latest build of each version as soon as possible.
The cPanel Security Team has assigned a rating of Moderate to the vulnerability. Information on security ratings is available at http://docs.cpanel.net/twiki/bin/view/AllDocumentation/SecurityLevels.
Using a handcrafted URL, a malicious reseller could cause WHM to overwrite files in root’s .ssh directory with a randomly generated private key. This could result in a denial of service attack if the key is being used.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then you are highly encouraged to update your cPanel & WHM installs at your earliest convenience.
Releases
The following versions of cPanel & WHM address all known vulnerabilities:
* 11.38.0.5
* 11.36.1.6
* 11.34.1.14
* 11.32.6.5
The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.
Acknowledgements
cPanel, Inc. would like to thank Patrick at Synhosting for reporting the vulnerability.
For the PGP Signed Message, please go here.
The following bug has been fixed:
[-] Fixed moderate security issue with leak of sensitive information. The issue can be exploited by authenticated users only. Authenticated users are users that have logins to Parallels Plesk Panel (such as your customers, resellers, or your employees). This MU is strongly recommended for all Parallels Plesk Panel users.
Parallels Plesk Panel 10.4.4 for Linux and Parallels Plesk Panel 11.0.9 for Linux are vulnerable only. Plesk 11.0.9: fixed in MU#50 (shows up as an Update – MU – in Panel) – see http://kb.parallels.com/116075 for more details