{"id":12843,"date":"2019-07-02T07:36:00","date_gmt":"2019-07-02T07:36:00","guid":{"rendered":"http:\/\/news.cpanel.com\/?p=57075"},"modified":"2019-07-02T07:36:00","modified_gmt":"2019-07-02T07:36:00","slug":"easyapache-4-may-29-release","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/easyapache-4-may-29-release\/","title":{"rendered":"EasyApache 4 May 29 Release"},"content":{"rendered":"
\"\"<\/div>\n

Update 5:14pm Central US Time: Some customers encountered errors with our mod_security2 update to 2.9.3 and we have removed it from our mirrors to prevent further problems. There was a two-hour window where server owners may have upgraded. If you find a server experiencing problems with mod_security in that condition, one potential solution may be to downgrade the mod_security RPM to resolve the issue using the command below. <\/em><\/p>\n

yum downgrade ea-apache24-mod_security2<\/em><\/p>\n

\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>\n

We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4!  This release includes updates to multiple modules including apr, libcurl, nodejs10, sourceguardian, and ruby24. Take a look at some highlights below, and then join us on Slack<\/a>, Discord<\/a>, or Reddit<\/a> to talk about this update and much more.<\/p>\n

\u2022 apr<\/strong>
     \u2022 EA-8471 \u2013 Update apr from v1.6.5 to v1.7.0<\/p>\n

\u2022 ea-apache2-config<\/strong>
     \u2022 EA-8436 \u2013 Mailman aliases exist in httpd.conf after it\u2019s disabled via Tweak Settings<\/p>\n

\u2022 ea-freetds<\/strong>
     \u2022 EA-8462 \u2013 Update freetds from 1.00.27 to 1.1.6<\/p>\n

\u2022 ea-nghttp2<\/strong>
     \u2022 EA-8473 \u2013 Update ea-nghttp2 from v1.32.0 to v1.38.0<\/p>\n

\u2022 ea-nodejs10<\/strong>
     \u2022 EA-8469 \u2013 Update ea-nodejs10 from v10.15.0 to v10.15.3<\/p>\n

\u2022 libcurl<\/strong>
     \u2022 EA-8475 \u2013 Update libcurl from v7.64.1 to v7.65.0
     \u2022 CVE-2019-5435: Integer overflows in curl_url_set
     \u2022 CVE-2019-5436: tftp: use the current blksize for recvfrom()<\/p>\n

\u2022 mod_security2<\/strong>
     \u2022 EA-8081 \u2013 Update Mod_security2 to 2.9.3<\/p>\n

\u2022 scl-sourceguardian<\/strong>
     \u2022 EA-8465 \u2013 Update Sourceguardian to 11.3<\/p>\n

\u2022 ea-ruby24<\/strong>
\u2022 ea-ruby24-meta<\/strong>
     \u2022 EA-8466 \u2013 Update ea-ruby24 to 2.4.6
     \u2022 CVE-2019-8320: Delete directory using symlink when decompressing tar
     \u2022 CVE-2019-8321: Escape sequence injection vulnerability in verbose
     \u2022 CVE-2019-8322: Escape sequence injection vulnerability in gem owner
     \u2022 CVE-2019-8323: Escape sequence injection vulnerability in API response handling
     \u2022 CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
     \u2022 CVE-2019-8325: Escape sequence injection vulnerability in errors<\/p>\n

This release includes a security patch that has been issued a fix for a CVE (Common Vulnerabilities and Exposures), the details of which are included below.<\/p>\n

SUMMARY<\/strong>
cPanel, L.L.C. has updated RPMs for EasyApache 4 with libcurl version 7.65.0 and Ruby version 2.4.6. This release addresses vulnerabilities related to CVE-2019-5435, CVE-2019-5436, CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, and CVE-2019-8325. We strongly encourage all libcurl users to upgrade to version 7.65.0 and all Ruby users to upgrade to version 2.4.6.<\/p>\n

AFFECTED VERSIONS<\/strong>
All versions of libcurl through 7.64.1
All versions of Ruby through 2.4.5<\/p>\n

SECURITY RATING<\/strong>
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:<\/p>\n

CVE-2019-5435 \u2013 MEDIUM
libcurl 7.65.0
Fixed bug related to CVE-2019-5435<\/p>\n

CVE-2019-5436 \u2013 MEDIUM
libcurl 7.65.0
Fixed bug related to CVE-2019-5436<\/p>\n

CVE-2019-8320 \u2013 MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8320<\/p>\n

CVE-2019-8321 \u2013 MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8321<\/p>\n

CVE-2019-8322 \u2013 MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8322<\/p>\n

CVE-2019-8323 \u2013 MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8323<\/p>\n

CVE-2019-8324 \u2013 MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8324<\/p>\n

CVE-2019-8325 \u2013 MEDIUM
Ruby 2.4.6
Fixed bug related to CVE-2019-8325<\/p>\n

SOLUTION<\/strong>
cPanel, L.L.C. has released updated RPMs for EasyApache 4 on MAY 29, 2019, with updated versions of libcurl version 7.65.0 and Ruby version 2.4.6. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM\u2019s Run System Update interface.<\/p>\n

REFERENCES<\/strong>
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-5435<\/a>
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-5436<\/a>
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-8320<\/a>
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-8321<\/a>
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-8322<\/a>
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-8323<\/a>
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-8324<\/a>
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-8325<\/a>
https:\/\/curl.haxx.se\/changes.html<\/a>
https:\/\/www.ruby-lang.org\/en\/news\/2019\/03\/05\/multiple-vulnerabilities-in-rubygems\/<\/a><\/p>\n

For the PGP-signed message, please see EA4-2019-5-29-CVE.signed<\/a>.<\/p>\n

More Information<\/strong><\/p>\n

Information about all releases this year can be found in the 2019 EasyApache 4 Changelog<\/a> and the EasyApache 4 Release Notes<\/a>. To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the Product and Security updates mailing list on our website.<\/a> You can also sign up for our EasyApache Development<\/a> and EasyApache Production<\/a> lists to see when updates are pushed for our RPMs, letting you know ahead of time what will be updated in each EasyApache release.<\/p>\n

\u0645\u062f\u06cc\u0631\u06cc\u062a \u0633\u0631\u0648\u0631 \u067e\u0634\u062a\u06cc\u0628\u0627\u0646\u06cc \u0648 \u0645\u0634\u0627\u0648\u0631\u0647 – \u062b\u0628\u062a \u062f\u0627\u0645\u0646\u0647<\/p>\n","protected":false},"excerpt":{"rendered":"

Update 5:14pm Central US Time: Some customers encountered errors with our mod_security2 update to 2.9.3 and we have removed it from our mirrors to prevent further problems. There was a two-hour window where server owners may have upgraded. If you find a server experiencing problems with mod_security in that condition, one potential solution may be …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-12843","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/12843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=12843"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/12843\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=12843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=12843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=12843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}