Security Update for cPanel & WHM Versions 11.38, 11.36, 11.34 and 11.32
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
cPanel, Inc. has published a security update for cPanel & WHM versions 11.38, 11.36, 11.34, and 11.32. This update resolves an issue with unchecked reseller privileges. We recommend all customers update to the latest build of each version as soon as possible.
The cPanel Security Team has assigned a rating of Moderate to the vulnerability. Information on security ratings is available at http://docs.cpanel.net/twiki/bin/view/AllDocumentation/SecurityLevels
Using a handcrafted URL, a malicious reseller could cause WHM to overwrite files in root's .ssh directory with a randomly generated private key. This could result in a denial of service attack if the key is being used.
If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then you are highly encouraged to update your cPanel & WHM installs at your earliest convenience.
Releases
The following versions of cPanel & WHM address all known vulnerabilities:
- 11.38.0.5
- 11.36.1.6
- 11.34.1.14
- 11.32.6.5
The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.
Acknowledgements
cPanel, Inc. would like to thank Patrick at Synhosting for reporting the vulnerability.
TL;DR - /scripts/upcp --force ASAP - especially if you have resellers on your servers.
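Since the advisory only lists the first fixed build on each release line, a quick way to tell whether a box still needs `upcp --force` is to compare its installed build against those four numbers component by component (11.32.6.10 is newer than 11.32.6.5, which a plain string comparison gets wrong). The script below is an added example, not cPanel's own tooling: the fixed builds are copied from the advisory, and the version-file path `/usr/local/cpanel/version` and the `/root/.ssh` hunting helper are assumptions about the target host. The sample versions at the bottom are constructed to show each outcome.

```shell
#!/bin/sh
# Added example, not cPanel's code: is this build at or above the advisory's fix?
# FIXED_BUILDS is taken from the advisory's "Releases" list. VERSION_FILE is an
# assumption about where cPanel records its build on the host.

FIXED_BUILDS="11.38.0.5 11.36.1.6 11.34.1.14 11.32.6.5"
VERSION_FILE="${CPANEL_VERSION_FILE:-/usr/local/cpanel/version}"

# version_ge A B: succeed when dotted numeric version A is >= B.
# Missing trailing components count as 0, so 11.38 compares as 11.38.0.0.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"
        y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# fix_status VERSION: prints "fixed", "vulnerable" or "unknown".
# "unknown" means the release line (first two components) is not one the
# advisory covers, so nothing can be said about it from this list alone.
fix_status() {
    v="$1"
    line="$(printf '%s' "$v" | cut -d. -f1,2)"
    for fb in $FIXED_BUILDS; do
        if [ "$(printf '%s' "$fb" | cut -d. -f1,2)" = "$line" ]; then
            if version_ge "$v" "$fb"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    echo unknown
}

# check_installed: report the status of this host's cPanel build, if any.
check_installed() {
    if [ ! -r "$VERSION_FILE" ]; then
        echo "no readable cPanel version file at $VERSION_FILE"
        return 0
    fi
    v="$(tr -d '[:space:]' < "$VERSION_FILE")"
    echo "installed $v: $(fix_status "$v")"
}

# recent_changes DIR DAYS: list regular files under DIR modified within DAYS days.
# Hunting aid for the advisory's effect (files in root's .ssh overwritten): a hit
# only shows a recent change, it does not prove the flaw was exercised.
recent_changes() {
    d="${1:-/root/.ssh}"
    n="${2:-7}"
    [ -d "$d" ] || return 0
    find "$d" -type f -mtime "-$n" 2>/dev/null
}

# Constructed sample versions (not taken from any real host).
for sample in 11.38.0.4 11.38.0.5 11.36.1.6 11.34.1.13 11.32.6.10 11.40.0.1; do
    echo "$sample -> $(fix_status "$sample")"
done
check_installed
recent_changes /root/.ssh 7
```

Run it as root on each server; anything reported as `vulnerable` gets `/scripts/upcp --force`, and any file `recent_changes` lists in `/root/.ssh` is worth comparing against the key you expect to be there before you rely on it for access.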
Comments
@Kris Thanks, will force update now.
Thanks for that, all done.
If you don't sell reseller hosting do they advise upgrade anyway?
Yes....
@shovenose
Why would you not upgrade if it was a security risk?
Why didn't I get this email? Started updating as soon as I saw this thread.
@Hassan They have a lot of customers and the mailing list takes a while to go through.
did you sign up for alerts?
Just did, thanks.
Yup that makes sense, thanks.
I would also recommend signing up for your OS's security alerts. For Debian's mailing list, I'm too lazy to link the others.
But you signed up for LET. All good.
In before the Ubuntu kids show their Debian ignorance