EasyApache 3.26.9 Released

SUMMARY
cPanel, Inc. has released EasyApache 3.26.9 with PHP versions 5.4.34 and 5.5.18 and libxml2 version 2.9.2. This release addresses vulnerabilities related to CVE-2014-3669, CVE-2014-3670, CVE-2014-3668, CVE-2014-3660, and CVE-2014-0191 by fixing bugs in the Core, Exif, and XMLRPC modules and in libxml2. We strongly encourage all PHP 5.4 users to upgrade to PHP version 5.4.34 and all PHP 5.5 users to upgrade to version 5.5.18.

AFFECTED VERSIONS
All versions of PHP 5.4 through version 5.4.33 and PHP 5.5 through version 5.5.17.
All versions of libxml2 shipped with EasyApache before version 3.26.9.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-3669 – MEDIUM

PHP 5.4.34
Fixed bug in the Core module related to CVE-2014-3669

PHP 5.5.18
Fixed bug in the Core module related to CVE-2014-3669

CVE-2014-3670 – MEDIUM

PHP 5.4.34
Fixed bug in Exif module related to CVE-2014-3670

PHP 5.5.18
Fixed bug in Exif module related to CVE-2014-3670

CVE-2014-3668 – MEDIUM

PHP 5.4.34
Fixed bug in XMLRPC related to CVE-2014-3668

PHP 5.5.18
Fixed bug in XMLRPC related to CVE-2014-3668

CVE-2014-3660 – MEDIUM

libxml2
Fixed bug related to CVE-2014-3660

CVE-2014-0191 – MEDIUM

libxml2
Fixed bug in the libxml2 library related to CVE-2014-0191.

SOLUTION
cPanel, Inc. has released EasyApache 3.26.9 with updated versions of PHP 5.4.34, PHP 5.5.18 and libxml2 2.9.2 to correct these issues. Unless you have disabled EasyApache updates, EasyApache updates automatically. Run EasyApache to rebuild your profile with the latest version of PHP and libxml2.
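A quick way to confirm that a rebuild actually landed the patched builds is to compare the versions a host reports against the minimums named in this advisory. The script below is an added example, not cPanel's or EasyApache's own tooling; the version thresholds come from the advisory, while the assumption that `php` and `xml2-config` are on the PATH and print their versions in the usual format is mine.

```sh
#!/bin/sh
# Added example (not part of the cPanel advisory): checks PHP and libxml2
# versions against the minimums fixed in EasyApache 3.26.9.

# Minimum patched versions stated in the advisory.
PHP54_MIN=5.4.34
PHP55_MIN=5.5.18
LIBXML2_MIN=2.9.2

# version_ge A B: returns 0 if dotted version A >= B, 1 otherwise.
# Compares component by component as integers, so 5.4.9 < 5.4.10.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component
        [ "$a" = "$ai" ] && a="" || a="${a#*.}" # drop it from the remainder
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"            # missing component counts as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# php_is_patched VERSION: picks the threshold for the 5.4 or 5.5 branch,
# prints a verdict, returns 0 if patched, 1 if not, 2 if the branch is
# not covered by this advisory.
php_is_patched() {
    v="$1"
    case "$v" in
        5.4.*) min="$PHP54_MIN" ;;
        5.5.*) min="$PHP55_MIN" ;;
        *) echo "php $v: branch not covered by this advisory"; return 2 ;;
    esac
    if version_ge "$v" "$min"; then
        echo "php $v: patched (>= $min)"; return 0
    fi
    echo "php $v: NOT patched, upgrade to $min or later"; return 1
}

# libxml2_is_patched VERSION: same idea for the bundled libxml2.
libxml2_is_patched() {
    if version_ge "$1" "$LIBXML2_MIN"; then
        echo "libxml2 $1: patched (>= $LIBXML2_MIN)"; return 0
    fi
    echo "libxml2 $1: NOT patched, upgrade to $LIBXML2_MIN or later"; return 1
}

# check_host: queries the live binaries (assumed on PATH) and reports.
# 'php -v' prints "PHP 5.4.34 (cli) ..." so field 2 is the version;
# 'xml2-config --version' prints the bare libxml2 version.
check_host() {
    rc=0
    if command -v php >/dev/null 2>&1; then
        php_is_patched "$(php -v 2>/dev/null | head -n1 | awk '{print $2}')" || rc=1
    else
        echo "php: not found on PATH"
    fi
    if command -v xml2-config >/dev/null 2>&1; then
        libxml2_is_patched "$(xml2-config --version 2>/dev/null)" || rc=1
    else
        echo "xml2-config: not found on PATH"
    fi
    return $rc
}

# Run the live check only when invoked with "host" as the first argument,
# so the functions can also be sourced and used on their own.
[ "${1:-}" = "host" ] && check_host
```

Run it as `sh check.sh host` after the EasyApache rebuild; a non-zero exit means at least one component is still below the advisory's threshold.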

REFERENCES
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3669
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3670
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3668
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3660
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0191
http://php.net/ChangeLog-5.php
http://xmlsoft.org/news.html

cPanel & WHM 11.46 Now in CURRENT Tier

10/22/2014
Houston, TX –

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.46, which is now available in the CURRENT tier.

cPanel & WHM 11.46 offers localization and support for 29 languages, Paper Lantern branding, ModSecurity tools, and more.

Localization & Support for 29 Languages
As part of version 11.46, cPanel & WHM makes it possible to fully translate the user interface and increases the number and quality of languages provided. With the ability to localize and choose from 29 updated languages, cPanel & WHM offers unprecedented access on an international scale.

Paper Lantern Branding
cPanel & WHM 11.46 includes several options for customizing and branding the Paper Lantern theme.

ModSecurity Tools
New management tools, available in cPanel & WHM 11.46, simplify use of the ModSecurity application firewall.

Detailed information on all cPanel & WHM 11.46 features can be found at cPanel Documentation. An overview of the latest features and benefits is also available at cPanel Releases.

Hackers Exploit Shellshock Vulnerability to Gain Access to Yahoo Servers

Romanian hackers have exploited the Shellshock vulnerability to gain access to Yahoo servers, according to Jonathan Hall of security consulting company Future South Technologies. Hall announced the hack of Yahoo, as well as Lycos and WinZip, on the Future South blog after informing the companies and the FBI.

According to a series of blog posts, Hall discovered the vulnerabilities on Saturday night, and watched overnight as the exploit expanded. Hall claims he began attempting to alert Yahoo before 5 am CST, but that it, like the other two companies, was slow to respond.

WinZip confirmed to Hall that they were hacked, while Lycos initially denied that it had been breached, and subsequently admitted the need for further testing. Yahoo confirmed that it had been breached midday on Sunday, and on Monday Yahoo CISO Alex Stamos posted a response to the incident to Hacker News.

“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock,” Stamos said. “Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users’ data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.”

Stamos also responded to allegations by Hall that Yahoo had been slow to react to the breach, saying that the affected systems had been isolated and the investigation begun within an hour of the email Hall addressed to CEO Marissa Mayer.

Hall in turn responded to Stamos, at first accusing him of giving misleading information, and then trashing Stamos’ explanation for how the breach really occurred.

“I’m not saying for a fact that more than what they are saying was compromised was,” said Hall. “But what I am saying for a fact is that there’s no way in hell they can be certain when they can’t even honestly provide a technical explanation of how the breach occurred in the first place.”

The Independent notes Yahoo’s reputation for underappreciating bug bounty hunters. Yahoo gave a $25 voucher to an ethical hacker who disclosed three bugs in Yahoo servers last year.

by Chris Burt on October 7, 2014