{"id":54661,"date":"2024-02-22T01:57:56","date_gmt":"2024-02-21T22:57:56","guid":{"rendered":"https:\/\/news.cpanel.com\/?p=62793"},"modified":"2024-02-22T01:57:56","modified_gmt":"2024-02-21T22:57:56","slug":"easyapache4-2024-02-21-maintenance-and-security-release","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/easyapache4-2024-02-21-maintenance-and-security-release\/","title":{"rendered":"EasyApache4 2024-02-21 Maintenance and Security Release"},"content":{"rendered":"<p>cPanel, L.L.C. has released an update for&nbsp;<a href=\"https:\/\/docs.cpanel.net\/ea4\/basics\/introduction-to-easyapache-4\/\" target=\"_blank\" rel=\"noopener\">EasyApache 4!<\/a>&nbsp; Take a look at some highlights below, and then join us on&nbsp;the&nbsp;<a href=\"https:\/\/forums.cpanel.net\/forums\/cpanel-announcements.133\/\" target=\"_blank\" rel=\"noopener\">cPanel Community Forums<\/a>,&nbsp;<a href=\"https:\/\/go.cpanel.net\/discord\" target=\"_blank\" rel=\"noopener\">Discord<\/a>,&nbsp;or&nbsp;<a href=\"https:\/\/reddit.com\/r\/cpanel\/\" target=\"_blank\" rel=\"noopener\">Reddit<\/a>&nbsp;to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.<\/p>\n<ul>\n<li><strong>ea-cpanel-tools<\/strong>\n<ul>\n<li>ZC-11501: Allow compatibility between profiles from RHEL to DEB and vice versa<\/li>\n<li>ZC-11627: Update manifest under canonical write so its ordered correctly<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-nginx<\/strong>\n<ul>\n<li>EA-11973: Update ea-nginx from v1.25.3 to v1.25.4<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-nginx-njs<\/strong><\/li>\n<li><strong>ea-nginx-echo<\/strong><\/li>\n<li><strong>ea-nginx-headers-more<\/strong><\/li>\n<li><strong>ea-nginx-passenger<\/strong><\/li>\n<li><strong>ea-modsec30-connector-nginx<\/strong>\n<ul>\n<li>EA-11973: Build against ea-nginx version v1.25.4<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-php82<\/strong><\/li>\n<li><strong>ea-php82-meta<\/strong>\n<ul>\n<li>EA-11977: Update ea-php82 from v8.2.15 to v8.2.16<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-php83<\/strong><\/li>\n<li><strong>ea-php83-meta<\/strong>\n<ul>\n<li>EA-11978: Update ea-php83 from v8.3.2 to v8.3.3<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-nodejs20<\/strong>\n<ul>\n<li>EA-11975: Update ea-nodejs20 from v20.11.0 to v20.11.1\n<ul>\n<li>CVE-2024-21892 \u2013 Code injection and privilege escalation through Linux capabilities- (High)<\/li>\n<li>CVE-2024-22019 \u2013 http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)<\/li>\n<li>CVE-2024-21896 \u2013 Path traversal by monkey-patching Buffer internals- (High)<\/li>\n<li>CVE-2024-22017 \u2013 setuid() does not drop all privileges due to io_uring \u2013 (High)<\/li>\n<li>CVE-2023-46809 \u2013 Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) \u2013 (Medium)<\/li>\n<li>CVE-2024-21891 \u2013 Multiple permission model bypasses due to improper path traversal sequence sanitization \u2013 (Medium)<\/li>\n<li>CVE-2024-21890 \u2013 Improper handling of wildcards in \u2013allow-fs-read and \u2013allow-fs-write (Medium)<\/li>\n<li>CVE-2024-22025 \u2013 Denial of Service by resource exhaustion in fetch() brotli decoding \u2013 (Medium)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-nodejs18<\/strong>\n<ul>\n<li>EA-11974: Update ea-nodejs18 from v18.19.0 to v18.19.1\n<ul>\n<li>CVE-2024-21892 \u2013 Code injection and privilege escalation through Linux capabilities- (High)<\/li>\n<li>CVE-2024-22019 \u2013 http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)<\/li>\n<li>CVE-2023-46809 \u2013 Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) \u2013 (Medium)<\/li>\n<li>CVE-2024-22025 \u2013 Denial of Service by resource exhaustion in fetch() brotli decoding \u2013 (Medium)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>ea-tomcat85<\/strong>\n<ul>\n<li>EA-11979: Update ea-tomcat85 from v8.5.98 to v8.5.99<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>SUMMARY<\/strong><\/p>\n<p>cPanel, L.L.C. has updated packages for EasyApache 4 with NodeJS versions 20.11.1 and 1819.1. This release addresses vulnerabilities related to CVE-2024-21892, CVE-2024-22019, CVE-2024-21896, CVE-2024-22017, CVE-2023-46809, CVE-2024-21891, CVE-2024-21890, and CVE-2024-22025. We strongly encourage all NodeJS 20 users to upgrade to version 20.11.1 and all NodeJS 18 users to upgrade to version 18.19.1.<\/p>\n<p><strong>AFFECTED VERSIONS<br \/><\/strong>All versions of NodeJS 20 through 20.11.0.<br \/>All versions of NodeJS 18 through 18.19.0.<\/p>\n<p><strong>SECURITY RATING<br \/><\/strong>The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:<\/p>\n<p>CVE-2024-21892 \u2013 MEDIUM<br \/>NodeJS 18.19.1<br \/>Fixed vulnerability related to CVE-2024-21892.<\/p>\n<p>NodeJS 20.11.1<br \/>Fixed vulnerability related to CVE-2024-21892.<\/p>\n<p>CVE-2024-22019 \u2013 MEDIUM<br \/>NodeJS 18.19.1<br \/>Fixed vulnerability related to CVE-2024-22019.<\/p>\n<p>NodeJS 20.11.1<br \/>Fixed vulnerability related to CVE-2024-22019.<\/p>\n<p>CVE-2024-21896 \u2013 MEDIUM<br \/>NodeJS 20.11.1<br \/>Fixed vulnerability related to CVE-2024-21896.<\/p>\n<p>CVE-2024-22017 \u2013 MEDIUM<br \/>NodeJS 20.11.1<br \/>Fixed vulnerability related to CVE-2024-22017.<\/p>\n<p>CVE-2023-46809 \u2013 MEDIUM<br \/>NodeJS 18.19.1<br \/>Fixed vulnerability related to CVE-2023-46809.<\/p>\n<p>NodeJS 20.11.1<br \/>Fixed vulnerability related to CVE-2023-46809.<\/p>\n<p>CVE-2024-21891 \u2013 MEDIUM<br \/>NodeJS 20.11.1<br \/>Fixed vulnerability related to CVE-2024-21891.<\/p>\n<p>CVE-2024-21890 \u2013 MEDIUM<br \/>NodeJS 20.11.1<br \/>Fixed vulnerability related to CVE-2024-21890.<\/p>\n<p>CVE-2024-22025 \u2013 MEDIUM<br \/>NodeJS 18.19.1<br \/>Fixed vulnerability related to CVE-2024-22025.<\/p>\n<p>NodeJS 20.11.1<br \/>Fixed vulnerability related to CVE-2024-22025.<\/p>\n<p><strong>SOLUTION<br \/><\/strong>cPanel, L.L.C. has released updated packages for EasyApache 4 on February 21, 2024, with NodeJS versions 18.19.1 and 20.11.1. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM\u2019s Run System Update interface.<\/p>\n<p><strong>REFERENCES<\/strong><br \/><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-22019 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2024-22019<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21896 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21896<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-22017 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2024-22017<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-46809 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2023-46809<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21891 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21891<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21892 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21892<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21890 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21890<br \/><\/a><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-22025 \" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2024-22025<br \/><\/a><a href=\"https:\/\/github.com\/nodejs\/node\/blob\/main\/doc\/changelogs\/CHANGELOG_V20.md \" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/nodejs\/node\/blob\/main\/doc\/changelogs\/CHANGELOG_V20.md<br \/><\/a><a href=\"https:\/\/github.com\/nodejs\/node\/blob\/main\/doc\/changelogs\/CHANGELOG_V18.md\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/nodejs\/node\/blob\/main\/doc\/changelogs\/CHANGELOG_V18.md<\/a><\/p>\n<p>Information about all releases this year can be found in the&nbsp;<a href=\"https:\/\/docs.cpanel.net\/changelogs\/easyapache-4-change-log-2024\/\" target=\"_blank\" rel=\"noopener\">2024 EasyApache 4 Changelog&nbsp;<\/a>and&nbsp;the&nbsp;<a href=\"https:\/\/docs.cpanel.net\/ea4\/information\/easyapache-4-release-notes\/\" target=\"_blank\" rel=\"noopener\">EasyApache 4 Release Notes<\/a>.<\/p>\n<p><a href=\"https:\/\/news.cpanel.com\/wp-content\/uploads\/2024\/02\/EA4-2024-2-21-CVE.signed.txt\" target=\"_blank\" rel=\"noopener\">https:\/\/news.cpanel.com\/wp-content\/uploads\/2024\/02\/EA4-2024-2-21-CVE.signed.txt<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>cPanel, L.L.C. has released an update for&nbsp;EasyApache 4!&nbsp; Take a look at some highlights below, and then join us on&nbsp;the&nbsp;cPanel Community Forums,&nbsp;Discord,&nbsp;or&nbsp;Reddit&nbsp;to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels. ea-cpanel-tools ZC-11501: Allow compatibility between profiles from RHEL to DEB &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"class_list":["post-54661","post","type-post","status-publish","format-standard","hentry","category-cpanel-news"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/54661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=54661"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/54661\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=54661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=54661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=54661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}