Newsroom

EasyApache4 2024-02-21 Maintenance and Security Release

February 21, 2024

cPanel, L.L.C. has released an update for EasyApache 4!  Take a look at some highlights below, and then join us on the cPanel Community ForumsDiscord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

  • ea-cpanel-tools
    • ZC-11501: Allow compatibility between profiles from RHEL to DEB and vice versa
    • ZC-11627: Update manifest under canonical write so its ordered correctly
  • ea-nginx
    • EA-11973: Update ea-nginx from v1.25.3 to v1.25.4
  • ea-nginx-njs
  • ea-nginx-echo
  • ea-nginx-headers-more
  • ea-nginx-passenger
  • ea-modsec30-connector-nginx
    • EA-11973: Build against ea-nginx version v1.25.4
  • ea-php82
  • ea-php82-meta
    • EA-11977: Update ea-php82 from v8.2.15 to v8.2.16
  • ea-php83
  • ea-php83-meta
    • EA-11978: Update ea-php83 from v8.3.2 to v8.3.3
  • ea-nodejs20
    • EA-11975: Update ea-nodejs20 from v20.11.0 to v20.11.1
      • CVE-2024-21892 – Code injection and privilege escalation through Linux capabilities- (High)
      • CVE-2024-22019 – http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
      • CVE-2024-21896 – Path traversal by monkey-patching Buffer internals- (High)
      • CVE-2024-22017 – setuid() does not drop all privileges due to io_uring – (High)
      • CVE-2023-46809 – Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) – (Medium)
      • CVE-2024-21891 – Multiple permission model bypasses due to improper path traversal sequence sanitization – (Medium)
      • CVE-2024-21890 – Improper handling of wildcards in –allow-fs-read and –allow-fs-write (Medium)
      • CVE-2024-22025 – Denial of Service by resource exhaustion in fetch() brotli decoding – (Medium)
  • ea-nodejs18
    • EA-11974: Update ea-nodejs18 from v18.19.0 to v18.19.1
      • CVE-2024-21892 – Code injection and privilege escalation through Linux capabilities- (High)
      • CVE-2024-22019 – http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
      • CVE-2023-46809 – Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) – (Medium)
      • CVE-2024-22025 – Denial of Service by resource exhaustion in fetch() brotli decoding – (Medium)
  • ea-tomcat85
    • EA-11979: Update ea-tomcat85 from v8.5.98 to v8.5.99

SUMMARY

cPanel, L.L.C. has updated packages for EasyApache 4 with NodeJS versions 20.11.1 and 1819.1. This release addresses vulnerabilities related to CVE-2024-21892, CVE-2024-22019, CVE-2024-21896, CVE-2024-22017, CVE-2023-46809, CVE-2024-21891, CVE-2024-21890, and CVE-2024-22025. We strongly encourage all NodeJS 20 users to upgrade to version 20.11.1 and all NodeJS 18 users to upgrade to version 18.19.1.

AFFECTED VERSIONS
All versions of NodeJS 20 through 20.11.0.
All versions of NodeJS 18 through 18.19.0.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2024-21892 – MEDIUM
NodeJS 18.19.1
Fixed vulnerability related to CVE-2024-21892.

NodeJS 20.11.1
Fixed vulnerability related to CVE-2024-21892.

CVE-2024-22019 – MEDIUM
NodeJS 18.19.1
Fixed vulnerability related to CVE-2024-22019.

NodeJS 20.11.1
Fixed vulnerability related to CVE-2024-22019.

CVE-2024-21896 – MEDIUM
NodeJS 20.11.1
Fixed vulnerability related to CVE-2024-21896.

CVE-2024-22017 – MEDIUM
NodeJS 20.11.1
Fixed vulnerability related to CVE-2024-22017.

CVE-2023-46809 – MEDIUM
NodeJS 18.19.1
Fixed vulnerability related to CVE-2023-46809.

NodeJS 20.11.1
Fixed vulnerability related to CVE-2023-46809.

CVE-2024-21891 – MEDIUM
NodeJS 20.11.1
Fixed vulnerability related to CVE-2024-21891.

CVE-2024-21890 – MEDIUM
NodeJS 20.11.1
Fixed vulnerability related to CVE-2024-21890.

CVE-2024-22025 – MEDIUM
NodeJS 18.19.1
Fixed vulnerability related to CVE-2024-22025.

NodeJS 20.11.1
Fixed vulnerability related to CVE-2024-22025.

SOLUTION
cPanel, L.L.C. has released updated packages for EasyApache 4 on February 21, 2024, with NodeJS versions 18.19.1 and 20.11.1. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.

REFERENCES
https://www.cve.org/CVERecord?id=CVE-2024-22019
https://www.cve.org/CVERecord?id=CVE-2024-21896
https://www.cve.org/CVERecord?id=CVE-2024-22017
https://www.cve.org/CVERecord?id=CVE-2023-46809
https://www.cve.org/CVERecord?id=CVE-2024-21891
https://www.cve.org/CVERecord?id=CVE-2024-21892
https://www.cve.org/CVERecord?id=CVE-2024-21890
https://www.cve.org/CVERecord?id=CVE-2024-22025
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md

Information about all releases this year can be found in the 2024 EasyApache 4 Changelog and the EasyApache 4 Release Notes.

https://news.cpanel.com/wp-content/uploads/2024/02/EA4-2024-2-21-CVE.signed.txt