EasyApache4 2024-07-10 Maintenance and Security Release

cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

  • ea-nodejs18
    • EA-12274: Update ea-nodejs18 from v18.20.3 to v18.20.4
      – CVE-2024-36138 – Bypass incomplete fix of CVE-2024-27980 (High)
      – CVE-2024-22020 – Bypass network import restriction via data URL (Medium)
  • ea-nodejs20
    • EA-12264: Update ea-nodejs20 from v20.15.0 to v20.15.1
      – CVE-2024-36138 – Bypass incomplete fix of CVE-2024-27980 (High)
      – CVE-2024-22020 – Bypass network import restriction via data URL (Medium)
      – CVE-2024-22018 – fs.lstat bypasses permission model (Low)
      – CVE-2024-36137 – fs.fchown/fchmod bypasses permission model (Low)
      – CVE-2024-37372 – Permission model improperly processes UNC paths (Low)
  • ea-nodejs22
    • EA-12265: Update ea-nodejs22 from v22.3.0 to v22.4.1
      – CVE-2024-36138 – Bypass incomplete fix of CVE-2024-27980 (High)
      – CVE-2024-22020 – Bypass network import restriction via data URL (Medium)
      – CVE-2024-22018 – fs.lstat bypasses permission model (Low)
      – CVE-2024-36137 – fs.fchown/fchmod bypasses permission model (Low)
      – CVE-2024-37372 – Permission model improperly processes UNC paths (Low)
  • ea-apache24
    • EA-12261: Update ea-apache2 from v2.4.59 to v2.4.61
      – important: Apache HTTP Server: source code disclosure with handlers configured via AddType (CVE-2024-39884)
      – low: Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2 (CVE-2024-36387)
      – important: Apache HTTP Server on Windows UNC SSRF (CVE-2024-38472)
      – moderate: Apache HTTP Server proxy encoding problem (CVE-2024-38473)
      – important: Apache HTTP Server weakness with encoded question marks in backreferences (CVE-2024-38474)
      – important: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. (CVE-2024-38475)
      – important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476)
      – important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477)
      – moderate: Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573)
  • ea-openssl11
    • EA-12205: Patch ea-openssl11 for CVE-2024-4741

SOLUTION
cPanel, L.L.C. has released updated packages for EasyApache 4 on July 10, 2024. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.

Information about all releases this year can be found in the 2024 EasyApache 4 Changelog and the EasyApache 4 Release Notes.