SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 on September 6, 2017, with PHP versions 7.0.23 and 7.1.9 and RubyGems 2.6.13. This release addresses vulnerabilities related to CVE-2017-12932, CVE-2017-0902, CVE-2017-0899, CVE-2017-0900, and CVE-2017-0901. We strongly encourage all PHP 7.0 users to upgrade to version 7.0.23, all PHP 7.1 users to upgrade to version 7.1.9, and all RubyGems users to upgrade to version 2.6.13.
AFFECTED VERSIONS
All versions of PHP 7.0 through 7.0.22
All versions of PHP 7.1 through 7.1.8
All versions of RubyGems through 2.6.12
SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
CVE-2017-12932 – HIGH
PHP 7.0.23
Fixed bug in the standard library related to CVE-2017-12932
PHP 7.1.9
Fixed bug in the standard library related to CVE-2017-12932
CVE-2017-0902 – HIGH
RubyGems 2.6.13
Fix a DNS request hijacking vulnerability related to CVE-2017-0902
CVE-2017-0899 – HIGH
RubyGems 2.6.13
Fix an ANSI escape sequence vulnerability related to CVE-2017-0899
CVE-2017-0900 – HIGH
RubyGems 2.6.13
Fix a DoS vulnerability in the `query` command related to CVE-2017-0900
CVE-2017-0901 – HIGH
RubyGems 2.6.13
Fix a vulnerability in the gem installer related to CVE-2017-0901
SOLUTION
cPanel, Inc. has released updated RPMs for EasyApache 4 on September 6, 2017, with updated versions of PHP 7.0 and 7.1 and RubyGems version 2.6.13. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.
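The following POSIX shell script is an added example, not part of the cPanel advisory or of EasyApache itself. It turns the AFFECTED VERSIONS and SOLUTION sections into a check an administrator can run before and after the update: each installed component version is compared numerically (not lexically, so 7.0.9 correctly sorts below 7.0.23) against the fixed versions the advisory names. The component labels (php70, php71, rubygems), the inventory format, and the EA4 RPM names queried in installed_version (ea-php70, ea-php71) are assumptions for illustration; the sample inventory at the bottom is constructed.

```shell
#!/bin/sh
# Added example: audit installed versions against the fixed versions in the
# cPanel EA4 advisory of September 6, 2017. Fixed versions come from the
# advisory; package names and inventory format are assumptions.

# version_lt A B: exit 0 if dotted numeric version A is lower than B,
# exit 1 otherwise. Missing trailing components are treated as 0, so
# "7.1" compares equal to "7.1.0".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
        # drop the head component; empty the string when none remain
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# fixed_version COMPONENT: print the first non-vulnerable version from the
# advisory; exit 1 for a component the advisory does not cover.
fixed_version() {
    case "$1" in
        php70)    echo 7.0.23 ;;
        php71)    echo 7.1.9 ;;
        rubygems) echo 2.6.13 ;;
        *)        return 1 ;;
    esac
}

# check_component COMPONENT VERSION: print AFFECTED when VERSION is below
# the fixed version, OK when it is at or above it, UNKNOWN otherwise.
check_component() {
    fixed="$(fixed_version "$1")" || { echo UNKNOWN; return 0; }
    if version_lt "$2" "$fixed"; then echo AFFECTED; else echo OK; fi
}

# audit_inventory TEXT: TEXT holds one "component version" pair per line;
# print "component version STATUS" for each.
audit_inventory() {
    printf '%s\n' "$1" | while read -r comp ver; do
        [ -n "$comp" ] || continue
        printf '%s %s %s\n' "$comp" "$ver" "$(check_component "$comp" "$ver")"
    done
}

# installed_version RPMNAME: query the installed RPM version on an EA4
# host (assumed package names ea-php70 / ea-php71). Prints nothing when
# rpm is absent or the package is not installed; never run automatically.
installed_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null
}

# Constructed sample inventory: two hosts still on vulnerable builds and
# one already at the fixed PHP 7.1 version.
SAMPLE_INVENTORY="php70 7.0.22
php71 7.1.9
rubygems 2.6.12"

audit_inventory "$SAMPLE_INVENTORY"
```

On a real host, replace SAMPLE_INVENTORY with the output of installed_version for each package (for example, `printf 'php70 %s\n' "$(installed_version ea-php70)"`) and re-run after yum update or WHM's Run System Update to confirm every line reads OK.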
REFERENCES
https://nvd.nist.gov/vuln/detail/CVE-2017-12932
https://nvd.nist.gov/vuln/detail/CVE-2017-0899
https://nvd.nist.gov/vuln/detail/CVE-2017-0900
https://nvd.nist.gov/vuln/detail/CVE-2017-0901
https://nvd.nist.gov/vuln/detail/CVE-2017-0902
http://www.php.net/ChangeLog-7.php
https://github.com/rubygems/rubygems/blob/master/History.txt
For the PGP signed message, please see EA4 2017-9-5 CVE