-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SEC-650

Summary

cPanel Visitors UI does not always display direct apache access

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

If nginx is installed, then the cPanel Visitors UI does not display direct hits to the apache webserver.  
This could prevent a cPanel user from seeing malicious requests to their website.

Credits

This issue was discovered by John Lightsey

Solution

This issue is resolved in the following builds:
11.107.9999.94
11.106.0.9
11.102.0.24




SEC-651

Summary

Nginx stops logging all requests after log rotation via cpanellogd


Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 CVSS:3.1AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N  

Description

If nginx is installed, and piped logging (splitlogs) are disabled, then nginx will stop logging all requests after the logs are
rotated via cpanellogd.

Credits

This issue was discovered by John Lightsey.

Solution

This issue is resolved in the following package:

ea-nginx-1.23.1-9
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAmNEShwUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd+8Dg//TT7sJzdnJZ9W4JSwELZSzYPWmMSj
Q+o5v2a78/lk+WLswfT01WeGi1o3xQcYE4110gb9iR3eJ4TRO2TRU5ng112Mdjpd
QYkSeMW6qaHiHIsucEmhKx0WRs1xfl9cnSRi7ctFKcUwOn/+VJ/pCn2/lJpumBTZ
5EozrHr8rtyGBoxvBjX+7aSkxWi9RV8Oz0QPzTXnA2Xzix9ZtEBfn88yUu3YkQmf
YYa/dCq+5UsfneW17YL2QTwHAddIq3hug9xNQ/DFVjFtqrpQfIHbg8YTn7lb9xFp
eXjJu3yvyauy6FvJGXaOagy+fKwMDlbvoQhvlxvpsiOw2lIIT3u4vUgBu9Nnjn/0
2xiBRnfmyrLTDtDqUYWys9PzvVhhqUcFnJZ+xVjZxkmc96KG0sRsA8zVt90qZwZ0
5n3TEHsKzT3yWk43Mik6PDFwjg86lAOf7vYFXwfgb/Bnou9LTBIIf+R7lPZhvth+
icjBAmkotB4kgJbIixQvbI1xoGP+zYHwzR3/yXjGr58Je4jjPc7NsiT+nv2Ikpn1
dQ81lBLRh1M8as9NsE+6Ags8cbzMEJeCi0zobPKLKbGNaJOfnaBe9C7gYodW+B7p
aDsnszGteVaKCbdQSitaqaf3td+bt2hNkc99zSC7mb8VrGURdOPMPVS6OR7/POBW
mBPTZ1g0RoG86Sc=
=GxH6
-----END PGP SIGNATURE-----