Newsroom

EasyApache 4 Sept 17 Release

September 17, 2019

We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some of the highlights below, and then join us on SlackDiscord, or Reddit to talk about this update and much more.

2019-9-4

  • yum-plugin-universal-hooks
         ZC-5357: skip duplicate members to avoid running a hook more than once for no reason
  • scl-php54
  • scl-php55
  • scl-php56
  • scl-php70
  • scl-php71
  • scl-php72
  • scl-php73
         EA-8549: Build php-fpm with pcntl
  • libcurl
         EA-8649: Update libcurl from v7.65.3 to v7.66.0
  • ea-tomcat85
         EA-8645: Update spec file to use %{version} in source file
  • ea-openssl
         EA-8648: Update ea-openssl from v1.0.2s to v1.0.2t
  • ea-apache2-config
         EA-8591: Stop letting over-quota errors prevent creation of the session directory

This release includes a security patch that has been issued a fix for a CVE (Common Vulnerabilities and Exposures), the details of which are included below.

SUMMARY
cPanel, L.L.C. has updated RPMs for EasyApache 4 with libcurl version 7.66.0 and OpenSSL version 1.0.2t. This release addresses vulnerabilities related to CVE-2019-5481, CVE-2019-5482, CVE-2019-1547, CVE-2019-1563, and CVE-2019-1552. We strongly encourage all libcurl users to upgrade to version 7.66.0 and all OpenSSL users to upgrade to version 1.0.2t.


AFFECTED VERSIONS
All versions of libcurl through 7.65.3
All versions of OpenSSL through 1.0.2s


SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2019-5481 – CRITICAL
libcurl 7.66.0
Fixed bug related to CVE-2019-5481

CVE-2019-5482 – CRITICAL
libcurl 7.66.0
Fixed bug related to CVE-2019-5482

CVE-2019-1547 – MEDIUM
OpenSSL 1.0.2t
Fixed bug related to CVE-2019-1547

CVE-2019-1563 – LOW
OpenSSL 1.0.2t
Fixed bug related to CVE-2019-1563

CVE-2019-1552 – LOW
OpenSSL 1.0.2t
Fixed bug related to CVE-2019-1552

SOLUTION
cPanel, L.L.C. has released updated RPMs for EasyApache 4 on September 17, 2019, with updated versions of libcurl 7.66.0 and OpenSSL 1.0.2t. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.


REFERENCES
https://nvd.nist.gov/vuln/detail/CVE-2019-5481
https://nvd.nist.gov/vuln/detail/CVE-2019-5482
https://nvd.nist.gov/vuln/detail/CVE-2019-1547
https://nvd.nist.gov/vuln/detail/CVE-2019-1563
https://nvd.nist.gov/vuln/detail/CVE-2019-1552
https://www.openssl.org/news/cl102.txt
https://curl.haxx.se/changes.html

For the PGP-signed message, please see EA4-2019-9-17-CVE.signed

More Information

Information about all releases this year can be found in the 2019 EasyApache 4 Changelog and the EasyApache 4 Release Notes. To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the Product and Security updates mailing list on our website. You can also sign up for our EasyApache Development and EasyApache Production lists to see when updates are pushed for our RPMs, letting you know ahead of time what will be updated in each EasyApache release.