Update 5:14pm Central US Time: Some customers encountered errors with our mod_security2 update to 2.9.3 and we have removed it from our mirrors to prevent further problems. There was a two-hour window where server owners may have upgraded. If you find a server experiencing problems with mod_security in that condition, one potential solution may be to downgrade the mod_security RPM to resolve the issue using the command below.
yum downgrade ea-apache24-mod_security2
We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! This release includes updates to multiple modules including apr, libcurl, nodejs10, sourceguardian, and ruby24. Take a look at some highlights below, and then join us on Slack, Discord, or Reddit to talk about this update and much more.
• EA-8471 – Update apr from v1.6.5 to v1.7.0
• EA-8436 – Mailman aliases exist in httpd.conf after it’s disabled via Tweak Settings
• EA-8462 – Update freetds from 1.00.27 to 1.1.6
• EA-8473 – Update ea-nghttp2 from v1.32.0 to v1.38.0
• EA-8469 – Update ea-nodejs10 from v10.15.0 to v10.15.3
• EA-8475 – Update libcurl from v7.64.1 to v7.65.0
  • CVE-2019-5435: Integer overflows in curl_url_set
  • CVE-2019-5436: tftp: use the current blksize for recvfrom()
• EA-8081 – Update Mod_security2 to 2.9.3
• EA-8465 – Update Sourceguardian to 11.3
• EA-8466 – Update ea-ruby24 to 2.4.6
  • CVE-2019-8320: Delete directory using symlink when decompressing tar
  • CVE-2019-8321: Escape sequence injection vulnerability in verbose
  • CVE-2019-8322: Escape sequence injection vulnerability in gem owner
  • CVE-2019-8323: Escape sequence injection vulnerability in API response handling
  • CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
  • CVE-2019-8325: Escape sequence injection vulnerability in errors
This release includes security patches that fix several CVEs (Common Vulnerabilities and Exposures), the details of which are included below.
cPanel, L.L.C. has updated RPMs for EasyApache 4 with libcurl version 7.65.0 and Ruby version 2.4.6. This release addresses vulnerabilities related to CVE-2019-5435, CVE-2019-5436, CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, and CVE-2019-8325. We strongly encourage all libcurl users to upgrade to version 7.65.0 and all Ruby users to upgrade to version 2.4.6.
The affected versions are:
• All versions of libcurl through 7.64.1
• All versions of Ruby through 2.4.5
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
• CVE-2019-5435 – MEDIUM: fixed bug related to CVE-2019-5435
• CVE-2019-5436 – MEDIUM: fixed bug related to CVE-2019-5436
• CVE-2019-8320 – MEDIUM: fixed bug related to CVE-2019-8320
• CVE-2019-8321 – MEDIUM: fixed bug related to CVE-2019-8321
• CVE-2019-8322 – MEDIUM: fixed bug related to CVE-2019-8322
• CVE-2019-8323 – MEDIUM: fixed bug related to CVE-2019-8323
• CVE-2019-8324 – MEDIUM: fixed bug related to CVE-2019-8324
• CVE-2019-8325 – MEDIUM: fixed bug related to CVE-2019-8325
cPanel, L.L.C. released updated RPMs for EasyApache 4 on May 29, 2019, with libcurl version 7.65.0 and Ruby version 2.4.6. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.
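As an added example (not cPanel's own tooling), the following POSIX shell audit compares installed EasyApache 4 RPM versions against the fixed versions named in this advisory and also flags the mod_security2 2.9.3 build that was pulled from the mirrors. The RPM package names ea-libcurl and ea-ruby24-ruby are assumptions; adjust them to match your server.

```shell
#!/bin/sh
# Audit EA4 RPMs against this advisory. Package names are assumptions.

# version_at_least A B: succeed when RPM version string A >= B.
# Uses GNU sort -V so that 7.65.0 sorts above 7.9.1 correctly.
version_at_least() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
  [ "$lowest" = "$2" ]
}

# check_pkg NAME INSTALLED FIXED: print a verdict, succeed only when patched.
check_pkg() {
  pkg=$1; installed=$2; fixed=$3
  if version_at_least "$installed" "$fixed"; then
    echo "$pkg $installed: patched (fix shipped in $fixed)"
    return 0
  fi
  echo "$pkg $installed: VULNERABLE (update to $fixed with yum update)"
  return 1
}

# modsec_needs_rollback VERSION: succeed when the pulled 2.9.3 build is installed.
modsec_needs_rollback() {
  [ "$1" = "2.9.3" ]
}

# installed_version NAME: query rpm; "missing" when the package is absent.
installed_version() {
  rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null || echo "missing"
}

# audit_ea4: run the advisory checks against the live RPM database.
audit_ea4() {
  rc=0
  check_pkg ea-libcurl "$(installed_version ea-libcurl)" 7.65.0 || rc=1
  check_pkg ea-ruby24-ruby "$(installed_version ea-ruby24-ruby)" 2.4.6 || rc=1
  ms=$(installed_version ea-apache24-mod_security2)
  if modsec_needs_rollback "$ms"; then
    echo "ea-apache24-mod_security2 $ms: pulled build, consider:"
    echo "  yum downgrade ea-apache24-mod_security2"
    rc=1
  fi
  return $rc
}

if [ "${1:-}" = "--run" ]; then audit_ea4; fi
```

Run it with --run on an EA4 server; a non-zero exit means at least one package still needs attention.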
For the PGP-signed message, please see EA4-2019-5-29-CVE.signed.
Information about all releases this year can be found in the 2019 EasyApache 4 Changelog and the EasyApache 4 Release Notes. To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the Product and Security updates mailing list on our website. You can also sign up for our EasyApache Development and EasyApache Production lists to see when updates are pushed for our RPMs, letting you know ahead of time what will be updated in each EasyApache release.