Newsroom

EasyApache 16 February Release

February 16, 2023

cPanel, L.L.C. has released a security update for EasyApache 4!  Take a look at some highlights below, and then join us on the cPanel Community ForumsDiscord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

  • ea-nghttp2
    • EA-11239: Update ea-nghttp2 from v1.51.0 to v1.52.0
  • ea-nginx
    • ZC-10615: Remove cleaning pipelog artifacts from init.d and chksrvd files
    • EA-11189: Exclude invalid certificate files from the Nginx config
  • ea-nginx-njs
    • EA-11224: Update ea-nginx-njs from v0.7.9 to v0.7.10
  • ea-php80
  • ea-php80-meta
    • EA-11227: Update ea-php80 from v8.0.27 to v8.0.28
      • – Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567)
      • – Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
      • – Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
  • ea-php81
  • ea-php81-meta
    • EA-11244: Update ea-php81 from v8.1.15 to v8.1.16
      • – Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567)
      • – Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
      • – Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
  • ea-php82
  • ea-php82-meta
    • EA-11226: Update ea-php82 from v8.2.2 to v8.2.3
      • – Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567)
      • – Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
      • – Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
  • ea-podman
    • ZC-10667: Change perms for nuewuidmap for Rocky 9
  • libcurl
    • EA-11241: Update libcurl from v7.87.0 to v7.88.0
      • – CVE-2023-23916: HTTP multi-header compression denial of service
      • – CVE-2023-23915: HSTS amnesia with –parallel
      • – CVE-2023-23914: HSTS ignored on multiple requests
  • mod_security2
    • EA-11134: Update mod_security2 from v2.9.6 to v2.9.7
      • Security impacting issues:
      • Fix: FILES_TMP_CONTENT may sometimes lack complete content

SUMMARY

cPanel, L.L.C. has updated packages for EasyApache 4 with PHP versions 8.0.28, 8.1.16, and 8.2.3, libcurl version 7.88.0, and ModSecurity 2.9.7. This release addresses vulnerabilities related to CVE-2023-0567, CVE-2023-0568, CVE-2023-0662, CVE-2023-23916, CVE-2023-23915, CVE-2023-23914, and CVE-2023-24021. We strongly encourage all PHP 8.0 users to upgrade to version 8.0.28, all PHP 8.1 users to upgrade to version 8.1.6, all PHP 8.2 users to upgrade to version 8.2.3,, all libcurl users to upgrade to version 7.88.0, and all ModSecurity users to upgrade to version 2.9.7.

AFFECTED VERSIONS
All versions of PHP 8.0 through 8.0.27.
All versions of PHP 8.1 through 8.1.15.
All versions of PHP 8.2 through 8.2.2.
All versions of libcurl through 7.87.0.
All versions of ModSecurity through 2.9.6.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2023-0567 – MEDIUM
PHP 8.0.28
Fixed vulnerability related to CVE-2023-0567.

PHP 8.1.16
Fixed vulnerability related to CVE-2023-0567.

PHP 8.2.3
Fixed vulnerability related to CVE-2023-0567.

CVE-2023-0568 – MEDIUM
PHP 8.0.28
Fixed vulnerability related to CVE-2023-0568.

PHP 8.1.16
Fixed vulnerability related to CVE-2023-0568.

PHP 8.2.3
Fixed vulnerability related to CVE-2023-0568.

CVE-2023-0662 – MEDIUM
PHP 8.0.28
Fixed vulnerability related to CVE-2023-0662.

PHP 8.1.16
Fixed vulnerability related to CVE-2023-0662.

PHP 8.2.3
Fixed vulnerability related to CVE-2023-0662.

CVE-2023-23916 – MEDIUM
libcurl 7.88.0
Fixed vulnerability related to CVE-2023-23916.

CVE-2023-23915 – MEDIUM
libcurl 7.88.0
Fixed vulnerability related to CVE-2023-23915.

CVE-2023-23914 – MEDIUM
libcurl 7.88.0
Fixed vulnerability related to CVE-2023-23914.

CVE-2023-24021 – CRITICAL
ModSecurity 2.9.7
Fixed vulnerability related to CVE-2023-24021.

SOLUTION
cPanel, L.L.C. has released updated packages for EasyApache 4 on February 16, 2023, with PHP versions 8.0.28, 8.1.16, and 8.2.3, libcurl version 7.88.0, and ModSecurity 2.9.7. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.

REFERENCES
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
https://www.cve.org/CVERecord?id=CVE-2023-23916
https://www.cve.org/CVERecord?id=CVE-2023-23915
https://www.cve.org/CVERecord?id=CVE-2023-23914
https://www.cve.org/CVERecord?id=CVE-2023-24021
https://www.php.net/ChangeLog-8.php#8.2.3
https://www.php.net/ChangeLog-8.php#8.1.16
https://www.php.net/ChangeLog-8.php#8.0.28
https://curl.se/changes.html
https://github.com/SpiderLabs/ModSecurity/releases

https://news.cpanel.com/wp-content/uploads/2023/02/EA4-2023-2-16-CVE.signed.txt

Information about all releases this year can be found in the 2023 EasyApache 4 Changelog and the EasyApache 4 Release Notes. You can also sign up for our EasyApache Development and EasyApache Production mailing lists to see when updates are pushed for our RPMs, letting you know ahead of time what will be updated in each EasyApache release.