Newsroom

EasyApache 4 November 9 Release

November 9, 2022

We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4!  Take a look at some highlights below, and then join us on the cPanel Community ForumsDiscord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

  • ea-nodejs16
    • EA-11040: Update ea-nodejs16 from v16.18.0 to v16.18.1
    • (CVE-2022-43548) DNS rebinding in –inspect via invalid octal IP address (Medium)
  • ea-openssl11
    • EA-11035: Update ea-openssl11 from v1.1.1q to v1.1.1s
  • ea-nginx
    • EA-10670: Add better guards against bad userdata to configuration script
    • EA-11004: Fix Passenger restart failures after reboot
  • ea-apache24-mod-passenger
    • EA-11018: Fix Passenger instance registry directory for fresh installs
    • EA-10997: Fix Passenger instance registry directory on Ubuntu
  • ea-php74
  • ea-php74-meta
    • EA-11038: Update ea-php74 from v7.4.32 to v7.4.33
    • GD:
      • Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)
    • Hash:
      • Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)

This release includes a security patch that has been issued a fix for a CVE (Common Vulnerabilities and Exposures), the details of which are included below.

SUMMARY
cPanel, L.L.C. has updated packages for EasyApache 4 with PHP version 7.4.33 and ea-nodejs16 version 16.18.1. This release addresses vulnerabilities related to CVE-2022-31630, CVE-2022-37454, and CVE-2022-43548. We strongly encourage all PHP 7.4 users to update to version 7.4.33 and all ea-nodejs16 users to update to version 16.18.1.

AFFECTED VERSIONS
All versions of PHP 7.4 through 7.4.32.
All versions of ea-nodejs16 through 16.18.0.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2022-31630 – HIGH
PHP 7.4.33
Fixed vulnerability related to CVE-2022-31630.

CVE-2022-37454 – CRITICAL
PHP 7.4.33
Fixed vulnerability related to CVE-2022-37454.

CVE-2022-43548 – MEDIUM
Ea-nodejs16 16.18.1
Fixed vulnerability related to CVE-2022-43548

SOLUTION
cPanel, L.L.C. has released updated packages for EasyApache 4 on November 9, 2022, with PHP version 7.4.33 and ea-nodejs16 version 16.18.1. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.

REFERENCES
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31630
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37454
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548
https://www.php.net/ChangeLog-7.php#7.4.33
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.18.1

https://news.cpanel.com/wp-content/uploads/2022/11/EA4-2022-11-9-CVE.signed.txt