Newsroom

EasyApache June 15 Release

We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

  • ea-apache24
    • EA-10756: Update ea-apache2 from v2.4.53 to v2.4.54
    • CVE-2022-26377: mod_proxy_ajp: Possible request smuggling
    • CVE-2022-28330: Read beyond bounds in mod_isapi
    • CVE-2022-28614: Read beyond bounds via ap_rwrite()
    • CVE-2022-28615: Read beyond bounds in ap_strcmp_match()
    • CVE-2022-29404: Denial of service in mod_lua r:parsebody
    • CVE-2022-30522: mod_sed: Denial of service
    • CVE-2022-30556: Information Disclosure in mod_lua with websockets
    • CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
  • ea-nodejs16
    • EA-10748: Update ea-nodejs16 from v16.15.0 to v16.15.1
  • ea-tomcat85
    • EA-10761: Update ea-tomcat85 from v8.5.79 to v8.5.81
  • ea-php74
  • ea-php74-meta
    • EA-10757: Update ea-php74 from v7.4.29 to v7.4.30
      • mysqlnd:
        • Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
      • pgsql:
        • Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625) 
  • ea-php80
  • ea-php80-meta
    • EA-10760: Update ea-php80 from v8.0.19 to v8.0.20
      • mysqlnd:
        • Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
      • pgsql:
        • Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625)
  • ea-php81
  • ea-php81-meta
    • EA-10758: Update ea-php81 from v8.1.6 to v8.1.7
      • mysqlnd:
        • Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
      • pgsql:
        • Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625) 
  • ea-podman
    • ZC-9993: Add script for dev/QA/smold4r to be able to test against internal docker hub
  • ea-podman-repo
    • ZC-10010: enable powertools on Rocky 8
  • ea-nginx
    • ZC-9940: Change worker_processes default back to 1
    • ZC-9940: Have worker_shutdown_timeout default to 10 seconds

SUMMARY
cPanel, L.L.C. has updated packages for EasyApache 4 with PHP versions 7.4.30, 8.0.20, and 8.1.7 and Apache version 2.4.54. This release addresses vulnerabilities related to CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813, CVE-2022-31626, and CVE-2022-31625. We strongly encourage all PHP 7.4 users to update to version 7.4.30, all PHP 8.0 users to update to version 8.0.20, all PHP 8.1 users to update to version 8.1.7, and all Apache users to update to version 2.4.54.

AFFECTED VERSIONS
All versions of PHP 7.4 through 7.4.29.
All versions of PHP 8.0 through 8.0.19.
All versions of PHP 8.1 through 8.1.6.
All versions of Apache through 2.4.53.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2022-26377 – MEDIUM
Apache 2.4.54
Fixed vulnerability in the mod_proxy_ajp module related to CVE-2022-26377.

CVE-2022-28330 – MEDIUM
Apache 2.4.54
Fixed vulnerability in the mod_isapi module related to CVE-2022-28330.

CVE-2022-28614 – MEDIUM
Apache 2.4.54
Fixed vulnerability related to CVE-2022-28614.

CVE-2022-28615 – MEDIUM
Apache 2.4.54
Fixed vulnerability related to CVE-2022-28615.

CVE-2022-29404 – MEDIUM
Apache 2.4.54
Fixed vulnerability in the mod_lua module related to CVE-2022-29404.

CVE-2022-30522 – MEDIUM
Apache 2.4.54
Fixed vulnerability in the mod_sed module related to CVE-2022-30522.

CVE-2022-30556 – MEDIUM
Apache 2.4.54
Fixed vulnerability in the mod_lua module related to CVE-2022-30556.

CVE-2022-31813 – MEDIUM
Apache 2.4.54
Fixed vulnerability in the mod_proxy module related to CVE-2022-31813.

CVE-2022-31626 – MEDIUM
PHP 7.4.30

More Information

Information about all releases this year can be found in the 2022 EasyApache 4 Changelog and the EasyApache 4 Release Notes. You can also sign up for our EasyApache Development and EasyApache Production mailing lists to see when updates are pushed for our RPMs, letting you know ahead of time what will be updated in each EasyApache release.