EasyApache 25 January 2017 Maintenance Release

SUMMARY
cPanel, Inc. released updated RPMs for EasyApache 4 on January 25, 2017, with PHP versions 5.6.30, 7.0.15, and 7.1.1. This release addresses vulnerabilities related to CVE-2016-10161, CVE-2016-10162, CVE-2017-5340, CVE-2016-7479, CVE-2016-10158, CVE-2016-10159, and CVE-2016-10160. We strongly encourage all PHP 5.6 users to upgrade to version 5.6.30, all PHP 7.0 users to upgrade to version 7.0.15, and all PHP 7.1 users to upgrade to version 7.1.1.

AFFECTED VERSIONS
All versions of PHP 5.6 through 5.6.29
All versions of PHP 7.0 through 7.0.14
All versions of PHP 7.1 through 7.1.0

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2016-10161 – MEDIUM
PHP 5.6.30
Fixed bug in Standard library related to CVE-2016-10161

PHP 7.0.15
Fixed bug in Core related to CVE-2016-10161

PHP 7.1.1
Fixed bug in Core related to CVE-2016-10161

CVE-2016-10162 – MEDIUM
PHP 7.0.15
Fixed bug in Core related to CVE-2016-10162

PHP 7.1.1
Fixed bug in Core related to CVE-2016-10162

CVE-2017-5340 – MEDIUM
PHP 7.0.15
Fixed bug in Core related to CVE-2017-5340

PHP 7.1.1
Fixed bug in Core related to CVE-2017-5340

CVE-2016-7479 – HIGH
PHP 7.0.15
Fixed bug in Core related to CVE-2016-7479

CVE-2016-10158 – MEDIUM
PHP 5.6.30
Fixed bug in Exif extension related to CVE-2016-10158

PHP 7.0.15
Fixed bug in Exif extension related to CVE-2016-10158

PHP 7.1.1
Fixed bug in Exif extension related to CVE-2016-10158

CVE-2016-10160 – HIGH
PHP 5.6.30
Fixed bug in Phar extension related to CVE-2016-10160

PHP 7.0.15
Fixed bug in Phar extension related to CVE-2016-10160

PHP 7.1.1
Fixed bug in Phar extension related to CVE-2016-10160

CVE-2016-10159 – MEDIUM
PHP 5.6.30
Fixed bug in Phar extension related to CVE-2016-10159

PHP 7.0.15
Fixed bug in Phar extension related to CVE-2016-10159

PHP 7.1.1
Fixed bug in Phar extension related to CVE-2016-10159

SOLUTION
cPanel, Inc. released updated RPMs for EasyApache 4 on January 25, 2017, with updated versions of PHP 5.6, 7.0, and 7.1. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.

REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5340
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10161
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10162
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7479
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10158
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10159
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10160
http://www.php.net/ChangeLog-7.php
http://www.php.net/ChangeLog-5.php

For the PGP-signed message, please see EA4 2017-1-25-CVE