Pending Removal of Atmail open plugin

Jun05
by Ike on June 5, 2012 at 2:51 pm
Posted In: Apache, CMS, Community, cPanel, Events, Releases, security, System

With cPanel & WHM 11.28 the ability for server owners to provide custom webmail applications was introduced. To demonstrate this feature we introduced the Atmail Open plugin.

Recently Atmail Inc., the creators of Atmail Open, decided to no longer provide the open source version of their product. Due to this change, cPanel will no longer distribute, or provide, the Atmail Open plugin via our Plugin service. The last update, 1.0.5, of the plugin was released in early May 2012. If you have not already, please verify your version of the plugin has been updated. The Atmail Open 1.0.5 release addresses some security issues.

In August 2012 we will no longer provide the Atmail Open Plugin. In anticipation of this we have marked the plugin as End of Life and will be provided in its current, and final, state. We will not release security patches for this application. After August 2012 the Atmail Open plugin will no longer be available for installation.

What does this mean for you?

If the Atmail Open plugin is installed on your server, it will continue to function. Since no further updates or fixes are forth coming on this application we encourage you to begin planning an exit strategy with your customers. From now until we remove the Atmail plugin in August 2012, you will be able to uninstall the application using the Manage Plugins interface in WHM. When we no longer provide the plugin, it can only be uninstalled using the following commands:

cd /usr/local/cpanel/modules-install/atmailopen-*

./uninstall 

If you have not installed the Atmail Open plugin, then no changes or action are needed.

Will cPanel Replace Atmail with something else?

We are not evaluating a replacement for Atmail Open, at this time. We currently provide three webmail clients: Horde, Roundcube, and Squirrelmail. There are a variety of webmail applications available in our application catalog.

We hope you enjoyed the use of Atmail Open while it was available.

└ Tags:
 Comment 

Targeted Security Release 2012-05-31 Disclosure

Jun04
by Ike on June 4, 2012 at 8:06 pm
Posted In: Apache, CMS, Community, cPanel, Events, Releases, security, System

The following disclosure covers the Targeted Security Release 2012-05-31. Each vulnerability is assigned an internal case number which is reflected below.

Information regarding cPanel’s Security Level rankings can be found here:

http://go.cpanel.net/securitylevels

 

Case 59634 

Summary 

Arbitrary File Write vulnerability in Apache Piped Log Configuration

Security Rating  

cPanel has assigned a Security Level of “Important” to this vulnerability. An important rating applies to vulnerabilities that allow system authentication levels to be compromised. These include allowing local users to elevate their privilege levels, unauthenticated remote users to see resources that should require authentication to view, the execution of arbitrary code by remote users, or any local or remote attack that could result in an denial of service.

Description 

When using the Apache Piped Log Configuration, a sophisticated attacker could manually format log messages to take advantage of insufficient input validation in the splitlogs binary. When combined with a directory traversal attack, this vulnerability could allow the attacker to write to arbitrary files on the system.

This vulnerability was discovered by the cPanel Quality Assurance Team. The Apache Piped Log Configuration is a feature which is disabled by default.

Solution 

This issue is resolved in the following builds: 

  • 11.32.3.19 and greater
  • 11.32.2.28 and greater
  • 11.30.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Additionally, this vulnerability is only present when the Apache Piped Log Configuration is in use.

http://httpupdate.cpanel.net/

 

Case 59656

Summary 

Arbitrary Code Execution through cPDAVd

Security Rating

cPanel has assigned a Security Level of “Important” to this vulnerability. An important rating applies to vulnerabilities that allow system authentication levels to be compromised. These include allowing local users to elevate their privilege levels, unauthenticated remote users to see resources that should require authentication to view, the execution of arbitrary code by remote users, or any local or remote attack that could result in an denial of service.

Description

This is a vulnerability in the cPanel WebDAV implementation, cPDAVd. It would allow an authenticated user the ability to execute arbitrary code through improperly sanitized filenames.

This vulnerability was discovered by the cPanel Quality Assurance Team.

Solution

This issue is resolved in the following builds:

  • 11.32.3.19 and greater
  • 11.32.2.28 and greater
  • 11.30.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

 

└ Tags: ,
 Comment 

cPanel releases cPanel & WHM 11.32.3.19 to RELEASE tier

Jun04
by Ike on June 4, 2012 at 5:40 pm
Posted In: Apache, CMS, Community, cPanel, Events, Releases, security, System

cPanel is pleased to announce the release of cPanel & WHM 11.32.3.19 to the RELEASE tier. This monumental release comes from a new development style; focusing on delivering resolution to cases as soon as possible instead of waiting for the next major version. This release addresses over 200 cases that will provide numerous bug fixes and updates. 

Due to the volume of resolved cases, there is no overall theme to the update. Updates of note include:

  • Reduction in noise from yum in CentOS 6.
  • Suppression of false positive messages from cphulkd.
  • Resolved an issue when adding non-Class-C subnets masks.
  • Updates were made to MySQL 5.1 and 5.5
  • Fixed a race condition when update_sa_rules –background is run.

We highly recommend that all users on the RELEASE tier update to this version. We also recommend that all application developers test their code against this release to ensure third-party code runs correctly with the new release.

To update cPanel & WHM manually:  

  1. Log into WHM as the root user. 
  2. Click on the WHM 11.32.X (build X) link on the top right corner of the screen.
  3. Click the button labeled Click to Upgrade.

Visit the cPanel & WHM 11.32 Change Log to read more

└ Tags: , , ,
 Comment 

Plesk 10.4.4 for Ubuntu 12.04 has been released

Jun04
by Ike on June 4, 2012 at 9:29 am
Posted In: Plesk, Releases

Links to autoinstaller:
http://download1.parallels.com/Plesk/PP10/10.4.4/Ubuntu12/parallels_installer_v3.12.0_build120601.16_os_Ubuntu_12.04_i386
http://download1.parallels.com/Plesk/PP10/10.4.4/Ubuntu12/parallels_installer_v3.12.0_build120601.16_os_Ubuntu_12.04_x86_64

Templates for Parallels Virtuozzo Containers will be released later.

 Comment 

Parallels Plesk 10.4.4 Ubuntu 12.04 support

Jun03
by Ike on June 3, 2012 at 8:00 pm
Posted In: Plesk, Releases

Plesk Panel 10.4.4 for Ubuntu 12.04 support – new OS version support – is available since June 4, 2012 through the Autoinstaller.
Download page: http://www.parallels.com/download/plesk/10/
Links to Autoinstaller:
http://download1.parallels.com/Plesk/PP10/10.4.4/Ubuntu12/parallels_installer_v3.12.0_build120601.16_os_Ubuntu_12.04_i386
http://download1.parallels.com/Plesk/PP10/10.4.4/Ubuntu12/parallels_installer_v3.12.0_build120601.16_os_Ubuntu_12.04_x86_64

└ Tags: ,
 Comment 

50 queries. 8.75 mb Memory usage. 0.260 seconds.