
EasyApache 4 May 29 Release

Update 5:14pm Central US Time: Some customers encountered errors with our mod_security2 update to 2.9.3 and we have removed it from our mirrors to prevent further problems. There was a two-hour window where server owners may have upgraded. If you find a server that upgraded during that window and is experiencing problems with mod_security, one potential solution is to downgrade the mod_security RPM using the command below.

yum downgrade ea-apache24-mod_security2

————————

We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! This release includes updates to multiple modules including apr, libcurl, nodejs10, sourceguardian, and ruby24. Take a look at some highlights below, and then join us on Slack, Discord, or Reddit to talk about this update and much more.

• apr
     • EA-8471 – Update apr from v1.6.5 to v1.7.0

• ea-apache2-config
     • EA-8436 – Mailman aliases exist in httpd.conf after it’s disabled via Tweak Settings

• ea-freetds
     • EA-8462 – Update freetds from 1.00.27 to 1.1.6

• ea-nghttp2
     • EA-8473 – Update ea-nghttp2 from v1.32.0 to v1.38.0

• ea-nodejs10
     • EA-8469 – Update ea-nodejs10 from v10.15.0 to v10.15.3

• libcurl
     • EA-8475 – Update libcurl from v7.64.1 to v7.65.0
     • CVE-2019-5435: Integer overflows in curl_url_set
     • CVE-2019-5436: tftp: use the current blksize for recvfrom()

• mod_security2
     • EA-8081 – Update Mod_security2 to 2.9.3

• scl-sourceguardian
     • EA-8465 – Update Sourceguardian to 11.3

• ea-ruby24
• ea-ruby24-meta
     • EA-8466 – Update ea-ruby24 to 2.4.6
     • CVE-2019-8320: Delete directory using symlink when decompressing tar
     • CVE-2019-8321: Escape sequence injection vulnerability in verbose
     • CVE-2019-8322: Escape sequence injection vulnerability in gem owner
     • CVE-2019-8323: Escape sequence injection vulnerability in API response handling
     • CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
     • CVE-2019-8325: Escape sequence injection vulnerability in errors

This release includes security fixes for issues that have been assigned CVE (Common Vulnerabilities and Exposures) identifiers; the details are included below.

SUMMARY
cPanel, L.L.C. has updated RPMs for EasyApache 4 with libcurl version 7.65.0 and Ruby version 2.4.6. This release addresses vulnerabilities related to CVE-2019-5435, CVE-2019-5436, CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, and CVE-2019-8325. We strongly encourage all libcurl users to upgrade to version 7.65.0 and all Ruby users to upgrade to version 2.4.6.


AFFECTED VERSIONS
All versions of libcurl through 7.64.1
All versions of Ruby through 2.4.5


SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2019-5435 – MEDIUM
libcurl 7.65.0
Fixed bug related to CVE-2019-5435

CVE-2019-5436 – MEDIUM
libcurl 7.65.0
Fixed bug related to CVE-2019-5436

CVE-2019-8320 – MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8320

CVE-2019-8321 – MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8321

CVE-2019-8322 – MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8322

CVE-2019-8323 – MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8323

CVE-2019-8324 – MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8324

CVE-2019-8325 – MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8325

SOLUTION
cPanel, L.L.C. released updated RPMs for EasyApache 4 on May 29, 2019, containing libcurl version 7.65.0 and Ruby version 2.4.6. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.


REFERENCES
https://nvd.nist.gov/vuln/detail/CVE-2019-5435
https://nvd.nist.gov/vuln/detail/CVE-2019-5436
https://nvd.nist.gov/vuln/detail/CVE-2019-8320
https://nvd.nist.gov/vuln/detail/CVE-2019-8321
https://nvd.nist.gov/vuln/detail/CVE-2019-8322
https://nvd.nist.gov/vuln/detail/CVE-2019-8323
https://nvd.nist.gov/vuln/detail/CVE-2019-8324
https://nvd.nist.gov/vuln/detail/CVE-2019-8325
https://curl.haxx.se/changes.html
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/

For the PGP-signed message, please see EA4-2019-5-29-CVE.signed.

More Information

Information about all releases this year can be found in the 2019 EasyApache 4 Changelog and the EasyApache 4 Release Notes. To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the Product and Security updates mailing list on our website. You can also sign up for our EasyApache Development and EasyApache Production lists to see when updates are pushed for our RPMs, letting you know ahead of time what will be updated in each EasyApache release.