{"id":49445,"date":"2023-10-12T22:25:53","date_gmt":"2023-10-12T19:25:53","guid":{"rendered":"https:\/\/news.cpanel.com\/?p=62293"},"modified":"2023-10-12T22:25:53","modified_gmt":"2023-10-12T19:25:53","slug":"easyapache4-2023-10-12-maintenance-and-security-release","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/easyapache4-2023-10-12-maintenance-and-security-release\/","title":{"rendered":"EasyApache4 2023-10-12 Maintenance and Security Release"},"content":{"rendered":"<p>cPanel, L.L.C. has released a security update for&nbsp;<a href=\"https:\/\/docs.cpanel.net\/ea4\/basics\/introduction-to-easyapache-4\/\" target=\"_blank\" rel=\"noopener\">EasyApache 4!<\/a>&nbsp; Take a look at some highlights below, and then join us on&nbsp;the&nbsp;<a href=\"https:\/\/forums.cpanel.net\/forums\/cpanel-announcements.133\/\" target=\"_blank\" rel=\"noopener\">cPanel Community Forums<\/a>,&nbsp;<a href=\"https:\/\/go.cpanel.net\/discord\" target=\"_blank\" rel=\"noopener\">Discord<\/a>,&nbsp;or&nbsp;<a href=\"https:\/\/reddit.com\/r\/cpanel\/\" target=\"_blank\" rel=\"noopener\">Reddit<\/a>&nbsp;to talk about this update and much more. 
If you have additional questions, feel free to reach out on one of our social channels.<\/p>\n<ul>\n<li><strong>ea-apache2<\/strong>\n<ul>\n<li>EA-11729: Rebuild mod_http2 against updated ea-nghttp2 for CVE-2023-44487<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-libcurl<\/strong>\n<ul>\n<li>EA-11731: Update libcurl from v8.3.0 to v8.4.0<\/li>\n<li>CVE-2023-38545 \u2013 SOCKS5 heap buffer overflow<\/li>\n<li>CVE-2023-38546 \u2013 cookie injection with none file<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-tomcat85<\/strong><\/li>\n<li><strong>ea-tomcat100<\/strong><\/li>\n<li><strong>ea-tomcat101&nbsp;<\/strong>\n<ul>\n<li>EA-11593: Update dead faster start up link<\/li>\n<li>EA-11728: Update ea-tomcat85 from v8.5.93 to v8.5.94\n<ul>\n<li>Request smuggling CVE-2023-45648<\/li>\n<li>Denial of Service CVE-2023-44487<\/li>\n<li>Information Disclosure CVE-2023-42795<\/li>\n<li>Denial of Service CVE-2023-42794<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-nghttp2<\/strong>\n<ul>\n<li>EA-11729: Update ea-nghttp2 from v1.56.0 to v1.57.0\n<ul>\n<li>CVE-2023-44487 \u2013 The HTTP\/2 protocol allows a denial of service (server resource consumption)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>SUMMARY<\/strong><\/p>\n<p>cPanel, L.L.C. has updated packages for EasyApache 4 with libcurl version 8.4.0, ea-tomcat version 8.5.94, and ea-nghttp2 version 1.57.0. This release addresses vulnerabilities related to CVE-2023-38545, CVE-2023-38546, CVE-2023-45648, CVE-2023-44487, CVE-2023-42795, CVE-2023-42794, and CVE-2023-44487. 
We strongly encourage all libcurl users to upgrade to version 8.4.0, all ea-tomcat85 users to upgrade to version 8.5.94, and all ea-nghttp2 users to update to version 1.57.0.<\/p>\n<p><strong>AFFECTED VERSIONS<br \/><\/strong>All versions of libcurl from 7.9.1 (CVE-2023-38546) and 7.69.0 (CVE-2023-38545) through 8.3.0.<br \/>All versions of ea-tomcat from 8.5.0 through 8.5.93.<br \/>All versions of ea-nghttp2 through 1.56.0.<\/p>\n<p><strong>SECURITY RATING<br \/><\/strong>The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:<\/p>\n<p>NIST has not yet rated these vulnerabilities. The vendor ratings are listed below:<\/p>\n<p><strong>libcurl:<br \/><\/strong>CVE-2023-38546 \u2013 Low<br \/>CVE-2023-38545 \u2013 High<\/p>\n<p><strong>ea-tomcat:<br \/><\/strong>CVE-2023-45648 \u2013 Important<br \/>CVE-2023-44487 \u2013 Important<br \/>CVE-2023-42795 \u2013 Important<br \/>CVE-2023-42794 \u2013 Low<\/p>\n<p><strong>ea-nghttp2:<br \/><\/strong>CVE-2023-44487 \u2013 N\/A<\/p>\n<p><strong>SOLUTION<br \/><\/strong>cPanel, L.L.C. has released updated packages for EasyApache 4 on October 12, 2023, with libcurl version 8.4.0, ea-tomcat85 version 8.5.94, and ea-nghttp2 version 1.57.0. 
Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM\u2019s Run System Update interface.<\/p>\n<p><strong>REFERENCES<\/strong><br \/><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-38546 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2023-38546<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-38545 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2023-38545<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-45648 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2023-45648<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-44487 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2023-44487<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-42795 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2023-42795<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-42794 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2023-42794<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-44487 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2023-44487<br \/><\/a><a href=\"https:\/\/curl.se\/docs\/vuln-8.3.0.html \" target=\"_blank\" rel=\"noopener\">https:\/\/curl.se\/docs\/vuln-8.3.0.html<br \/><\/a><a href=\"https:\/\/github.com\/nghttp2\/nghttp2\/security\/advisories\/GHSA-vx74-f528-fxqg \" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/nghttp2\/nghttp2\/security\/advisories\/GHSA-vx74-f528-fxqg<br \/><\/a><a href=\"https:\/\/tomcat.apache.org\/security-8.html#Fixed_in_Apache_Tomcat_8.5.94\" target=\"_blank\" rel=\"noopener\">https:\/\/tomcat.apache.org\/security-8.html#Fixed_in_Apache_Tomcat_8.5.94<\/a><\/p>\n<p><a 
href=\"https:\/\/news.cpanel.com\/wp-content\/uploads\/2023\/10\/EA4-2023-10-12-CVE.signed.txt\" target=\"_blank\" rel=\"noopener\">https:\/\/news.cpanel.com\/wp-content\/uploads\/2023\/10\/EA4-2023-10-12-CVE.signed.txt<\/a><\/p>\n<p>Information about all releases this year can be found in the&nbsp;<a href=\"https:\/\/docs.cpanel.net\/changelogs\/easyapache-4-change-log-2023\/\" target=\"_blank\" rel=\"noopener\">2023 EasyApache 4 Changelog<\/a>&nbsp;and&nbsp;the&nbsp;<a href=\"https:\/\/docs.cpanel.net\/ea4\/information\/easyapache-4-release-notes\/\" target=\"_blank\" rel=\"noopener\">EasyApache 4 Release Notes<\/a>. You can also sign up for our&nbsp;<a href=\"http:\/\/mail.cpanel.net\/mailman\/listinfo\/ea4development-announce_cpanel.net\" target=\"_blank\" rel=\"noopener\">EasyApache Development<\/a>&nbsp;and&nbsp;<a href=\"http:\/\/mail.cpanel.net\/mailman\/listinfo\/ea4production-announce_cpanel.net\" target=\"_blank\" rel=\"noopener\">EasyApache Production<\/a>&nbsp;mailing&nbsp;lists to see when updates are pushed for our RPMs, letting you know ahead of time what will be updated in each EasyApache release.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>cPanel, L.L.C. has released a security update for&nbsp;EasyApache 4!&nbsp; Take a look at some highlights below, and then join us on&nbsp;the&nbsp;cPanel Community Forums,&nbsp;Discord,&nbsp;or&nbsp;Reddit&nbsp;to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels. 
ea-apache2 EA-11729: Rebuild mod_http2 against updated ea-nghttp2 for CVE-2023-44487 &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-49445","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/49445","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=49445"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/49445\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=49445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=49445"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=49445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}