Newsroom

EasyApache 18 July 2017 Maintenance Release

SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 on July 18, 2017, with Apache version 2.4.27. This release addresses vulnerabilities related to CVE-2017-7679, CVE-2017-7668, CVE-2017-7659, CVE-2017-3169, and CVE-2017-3167. We strongly encourage all Apache 2.4 users to upgrade to version 2.4.27.

AFFECTED VERSIONS
All versions of Apache 2.4 through version 2.4.25

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2017-7679 – HIGH
Apache 2.4.27
Fixed bug in mod_mime related to CVE-2017-7679

CVE-2017-7668 – HIGH
Apache 2.4.27
Fixed bug in HTTP strict parsing related to CVE-2017-7668

CVE-2017-7659 – MEDIUM
Apache 2.4.27
Fixed bug in mod_http2 related to CVE-2017-7659

CVE-2017-3169 – HIGH
Apache 2.4.27
Fixed bug in mod_ssl related to CVE-2017-3169

CVE-2017-3167 – HIGH
Apache 2.4.27
Fixed bug in ap_get_basic_auth_pw() related to CVE-2017-3167

SOLUTION
cPanel, Inc. has released updated RPMs for EasyApache 4 on July 18, 2017, with an updated version of Apache 2.4.27. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.

REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7679
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7668
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7659
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3169
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3167
http://www.apache.org/dist/httpd/CHANGES_2.4

SUMMARY
cPanel, Inc. has released EasyApache 3.34.15 with Apache versions 2.2.34 and 2.4.27. This release addresses vulnerabilities related to CVE-2017-7679, CVE-2017-7668, CVE-2017-7659, CVE-2017-3169, and CVE-2017-3167. We strongly encourage all Apache 2.2 users to upgrade to version 2.2.34 and all apache 2.4 users to upgrade to version 2.4.27.

AFFECTED VERSIONS
All versions of Apache 2.2 through 2.2.32
All versions of Apache 2.4 through 2.4.25

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2017-7679 – HIGH
Apache 2.2.34
Fixed bug in mod_mime related to CVE-2017-7679

Apache 2.4.27
Fixed bug in mod_mime related to CVE-2017-7679

CVE-2017-7668 – HIGH
Apache 2.2.34
Fixed bug in HTTP strict parsing related to CVE-2017-7668

Apache 2.4.27
Fixed bug in HTTP strict parsing related to CVE-2017-7668

CVE-2017-7659 – MEDIUM
Apache 2.4.27
Fixed bug in mod_http2 related to CVE-2017-7659

CVE-2017-3169 – HIGH
Apache 2.2.34
Fixed bug in mod_ssl related to CVE-2017-3169

Apache 2.4.27
Fixed bug in mod_ssl related to CVE-2017-3169

CVE-2017-3167 – HIGH
Apache 2.2.34
Fixed bug in ap_get_basic_auth_pw() related to CVE-2017-3167

Apache 2.4.27
Fixed bug in ap_get_basic_auth_pw() related to CVE-2017-3167

SOLUTION
cPanel, Inc. has released EasyApache 3.34.15 with an updated versions of Apache 2.2.34 and Apache 2.4.27. Unless you have disabled EasyApache updates, the EasyApache application updates to the latest version when launched. Run EasyApache to rebuild your profile with the latest version of Apache.

REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7679
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7668
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7659
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3169
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3167
http://www.apache.org/dist/httpd/CHANGES_2.2
http://www.apache.org/dist/httpd/CHANGES_2.4

For the PGP-Signed message, please see EA 2017-7-18 Signed CVE