Your HostICan Community  


  #1  
03-10-2008, 02:30 PM
itwasntme
Senior Member
Join Date: Sep 2007
Posts: 142
Security Advisories From cPanel

Do you have automatic updates turned off in WHM so that you can handle updates manually and thus know when cPanel is updating?

I do, and I realized when I was updating cPanel today in response to a security advisory sent out by cPanel that there may be others with automatic updates off who don't know about the cPanel News Mailing List. It sends you notices about security issues and prompts you to update cPanel when necessary. If you're interested, you can sign up for the cPanel News Mailing List here.

Here's the most recent advisory regarding a vulnerability in Horde--the second this week--that came out via the News mailing list today as a sample of what you get:

Quote:
SECURITY ADVISORY: Official Horde Update to 3.1.7 and upgrades to cPanel's PHP application security model available in cPanel builds 11.18.3 and 11.19.3.

----------------------

Summary:
The Horde webmail application framework has been updated to 3.1.7. Upgrades have been made in cPanel's PHP application security model.

Description:
The Horde webmail application framework has been updated to 3.1.7 for the official fix to the previously announced arbitrary file inclusion vulnerability. cPanel has also made upgrades in cPanel's PHP application security model for Horde, PHPMyAdmin, and PHPPGAdmin. These upgrades have been made to minimize or mitigate undiscovered vulnerabilities in these third-party applications while running within a cPanel installation.

Fix Details:
It is recommended that all cPanel servers running Horde be updated to either cPanel 11.18.3 or cPanel 11.19.3. If you do not wish to update cPanel, it is strongly recommended that you keep Horde disabled until these updates have been applied. You can disable Horde on your cPanel system by unchecking WHM -> Server Configuration -> Tweak Settings -> Mail -> Horde Webmail, and saving with the new settings.

You can check your current version of cPanel by executing:
/usr/local/cpanel/cpanel -V

Updates can be run via the following command executed from a root shell:
/scripts/upcp

Updates can be run through WHM as well. Log in to WHM, then select cPanel -> Upgrade to Latest Version -> Click to Upgrade.

References:
[announce] Horde 3.1.7 (final)

Credits:
cPanel would also like to thank Jeff Petersen and Rob Brown for the additional security information provided with regards to this update.

I hope it helps someone else, too.
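
For anyone checking several servers against the builds named in the advisory above, here is an added example that is not part of the original post and is not cPanel's code. It assumes the version text contains a dotted major.minor.build triple, and that branches newer than 11.19 carry the fix while branches older than 11.18 do not; the function names and sample strings are made up for illustration. NEEDS_UPDATE means what the advisory says: update, or keep Horde disabled until you do.

```shell
#!/bin/sh
# Added example, not cPanel's code: classify a cPanel version string against
# the fixed builds named in the advisory (11.18.3 and 11.19.3).
# Assumption: the string holds a dotted major.minor.build triple, optionally
# preceded by non-digit text, e.g. "11.18.3-RELEASE_00000".

# Print the leading dotted triple of "$1", or nothing if there is none.
extract_triple() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Echo FIXED_BUILD, NEEDS_UPDATE or UNKNOWN for the version string "$1".
horde_fix_status() {
    triple=$(extract_triple "$1")
    if [ -z "$triple" ]; then echo UNKNOWN; return 0; fi
    major=${triple%%.*}
    rest=${triple#*.}
    minor=${rest%%.*}
    build=${rest#*.}
    # Assumption: branches newer than 11.19 carry the fix; older than 11.18 do not.
    if [ "$major" -gt 11 ]; then echo FIXED_BUILD; return 0; fi
    if [ "$major" -lt 11 ]; then echo NEEDS_UPDATE; return 0; fi
    if [ "$minor" -gt 19 ]; then echo FIXED_BUILD; return 0; fi
    if [ "$minor" -lt 18 ]; then echo NEEDS_UPDATE; return 0; fi
    # On the 11.18 and 11.19 branches the advisory's fixed build number is 3.
    if [ "$build" -ge 3 ]; then echo FIXED_BUILD; else echo NEEDS_UPDATE; fi
}

# Constructed sample strings (the suffixes are made up for illustration).
for v in "11.18.2-RELEASE_00000" "11.18.3-RELEASE_00000" \
         "11.19.3-CURRENT_00000" "unparseable"; do
    printf '%-24s %s\n' "$v" "$(horde_fix_status "$v")"
done

# On a real server, classify the installed build using the advisory's command.
if [ -x /usr/local/cpanel/cpanel ]; then
    installed=$(/usr/local/cpanel/cpanel -V 2>/dev/null)
    printf 'installed: %s -> %s\n' "$installed" "$(horde_fix_status "$installed")"
fi
```

An UNKNOWN result means the version text did not match the assumed format and should be checked by hand.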
  #2  
03-10-2008, 02:34 PM
Shazam
Forum Whip-Cracker
Join Date: Sep 2007
Location: Scottsdale, AZ
Posts: 1,036

A cautionary note: You can choose which update branch to use, and I recommend at least RELEASE or STABLE; the latter if you want to be very, very careful.

CURRENT and lesser releases are essentially public betas, apt to have bugs and they can bring your site down. You don't want to deploy them for sites that you depend on to make a buck.
__________________
Best,
Shazam
HostICan Community Superhero
  #3  
03-10-2008, 02:44 PM
itwasntme
Senior Member
Join Date: Sep 2007
Posts: 142

Thanks, Shazam. Yeah, I have been sticking with the RELEASE and so far, so good.
  #4  
03-10-2008, 02:46 PM
Shazam
Forum Whip-Cracker
Join Date: Sep 2007
Location: Scottsdale, AZ
Posts: 1,036

Quote:
Originally Posted by itwasntme
Thanks, Shazam. Yeah, I have been sticking with the RELEASE and so far, so good.

Yeah, when I tried CURRENT once because I wanted a newer MySQL version (now they're all in sync), I had frequent HTTP crashes and it all went away when I returned to RELEASE. Word to the wise. RELEASE is usually pretty good, though.
__________________
Best,
Shazam
HostICan Community Superhero
  #5  
03-10-2008, 02:58 PM
roger
Senior Member
Join Date: Sep 2007
Posts: 285

I was told the only thing I should be doing to update is use SSH and /scripts/upcp
No reference to current, stable, etc.
  #6  
03-10-2008, 03:28 PM
Shazam
Forum Whip-Cracker
Join Date: Sep 2007
Location: Scottsdale, AZ
Posts: 1,036

Quote:
Originally Posted by roger
I was told the only thing I should be doing to update is use SSH and /scripts/upcp
No reference to current, stable, etc.

But that's not what the cPanel advisory says.
__________________
Best,
Shazam
HostICan Community Superhero
  #7  
03-12-2008, 09:44 PM
lnxcode
The British Kid
Join Date: Sep 2007
Location: Richmond, VA
Posts: 2,020

Yes, HostGator found this one... when about 100 people emailed them (according to what cPanel said)... so you do want to update as soon as possible to make sure you don't have this problem
__________________
Thanks,

Denis Motova
Affiliate / Operations Manager
