Everything posted by Administrator

  1. SUMMARY
     The PHP development team announces the immediate availability of PHP 5.4.19 and PHP 5.5.3. These releases fix a bug in the patch for CVE-2013-4248 in the OpenSSL module and a compile failure with ZTS enabled in PHP 5.4. All PHP users are encouraged to upgrade to either PHP 5.5.3 or PHP 5.4.19. cPanel has released EasyApache 3.22.7 with PHP 5.5.3 and 5.4.19 to address this issue.

     AFFECTED VERSIONS
     All versions of PHP5.5 before 5.5.3 and PHP5.4 before 5.4.19.

     SECURITY RATING
     The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
     CVE-2013-4248 – MEDIUM

     PHP 5.5.3
     Fixed UMR (Uninitialized Memory Read) bug in the original fix for CVE-2013-4248.

     PHP 5.4.19
     Fixed UMR (Uninitialized Memory Read) bug in the original fix for CVE-2013-4248.

     SOLUTION
     cPanel, Inc. has released EasyApache 3.22.7 with updated versions of PHP5.4 and PHP5.5 to correct these issues. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run.

     For the PGP signed message, please go here.
  2. Further information on this issue: this was due to a major PDU (power distribution unit) outage. While this outage didn't affect our area of the DC, it did affect the primary and secondary internet providers we are using. So while you can try to prepare for anything and have fail safes in place, this goes to prove nothing is 100%. We will still take pride in our 99.98% however! If you have any questions please let us know, and we do apologize for any inconvenience this may have caused as well. Thank you
  3. Hello, this morning there has been a major network outage that affected some customers. We are sorry for any trouble and will provide full details as soon as they are available. All services are up and running currently. Thank you
     This post has been promoted to an article
  4. Hello, this morning there has been a major network outage that affected some customers. We are sorry for any trouble and will provide full details as soon as they are available. All services are up and running currently. Thank you
  5. SUMMARY
     The PHP development team has announced the immediate availability of PHP 5.5.2. This release contains approximately 20 bug fixes, including a security issue in the OpenSSL module (CVE-2013-4248) and a session fixation problem (CVE-2011-4718). All users of PHP are encouraged to upgrade to this release. cPanel has released EasyApache 3.22.6 with PHP 5.5.2 to address this issue.

     AFFECTED VERSIONS
     All versions of PHP5 before 5.5.2

     SECURITY RATING
     The National Vulnerability Database (NIST) has given the following severity ratings of these CVEs:
     CVE-2011-4718 – MEDIUM
     CVE-2013-4248 – MEDIUM

     PHP 5.5.2
     CVE-2011-4718: A session fixation vulnerability in the Sessions subsystem in PHP, before 5.5.2, allows remote attackers to hijack web sessions by specifying a session ID.
     CVE-2013-4248: The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x (before 5.5.2) does not properly handle a null character in a domain name in the Subject Alternative Name field of an X.509 certificate. This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. This issue is related to CVE-2009-2408.

     SOLUTION
     cPanel, Inc. has released EasyApache 3.22.6 with an updated version of PHP5.5 to correct these issues. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run.

     REFERENCES
     http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4248
     http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4718
     http://www.php.net/ChangeLog-5.php#5.5.2

     For the PGP signed message, please go here.
  6. SUMMARY
     The PHP development team announces the immediate availability of PHP 5.4.18. About 30 bugs were fixed, including security issues CVE-2013-4113 and CVE-2013-4248. All users of PHP are encouraged to upgrade to this release. cPanel has released EasyApache 3.22.5 with this updated version of PHP 5.4.18 to address this issue.

     AFFECTED VERSIONS
     All versions of PHP5 before 5.4.18

     SECURITY RATING
     The National Vulnerability Database (NIST) has given the following severity rating of these CVEs:
     CVE-2013-4113 — MEDIUM
     CVE-2013-4248 — MEDIUM

     PHP 5.4.18
     CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27 (also 5.4.x) does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.
     CVE-2013-4248: The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

     SOLUTION
     cPanel, Inc. has released EasyApache 3.22.5 with updated version PHP5.4 to correct these issues. To update, please rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea). Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

     REFERENCES
     http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4248
     http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4113
     http://www.php.net/ChangeLog-5.php#5.4.18
     http://php.net/archive/2013.php#id2013-08-15-1

     For the PGP signed message, please go here.
  7. Piracy is something that all software companies face and IPS is no exception. Our losses due to credit card fraud and software piracy are significant and to minimize passing along costs to customers, we are seeking to expand our piracy department and take a harder stance against piracy and pursue those who engage in it.

     The position entails:
     - Identifying customers, using internal tools, that have inactive licenses and are using later versions of the software than their license allows and report to customer service for license termination.
     - Identifying customers, using internal tools, that have shared IPS products or marketplace purchases with illegal download sites and report to customer service for license termination.
     - Following up on usage piracy complaints.
     - Vigorously pursuing distribution hubs.
     - Working with web hosts, ISPs and law enforcement.

     To qualify you MUST:
     - Be at least 18 years old (for legal reasons, no exceptions to this policy can be made.)
     - Have excellent written communication skills. English is a must.
     - Be familiar with identifying the owner and host of a website (i.e.: Using WHOIS and other similar tools.)
     - Be familiar with the DMCA and associated procedures.
     - Reside in the United States.

     If you qualify and are interested, please contact hr@invisionpower.com for more information. Thank you for your interest!
  8. Gun and Tactical Gurus, check out http://t.co/evaODeGvbv and also the forum at http://t.co/5OcPnaQ0AN :) Show some Love!

  9. One of the things we wanted to focus on for IPS Social Suite 4.0 right from the beginning was providing better support for sites which do not use English or use multiple languages (or, as it was scribbled on my whiteboard, "++ i18n/L19n"). In this blog entry I'm going to cover some of those changes and new features.

     Translatable Everything
     Currently when you create a forum, user group, custom profile field, etc. you have to give it a title and can only do this in one language. If you have more than one language installed, you might want to provide different titles for different languages. In 4.0 you can do exactly that - if you have only one language installed, these fields will continue to show as normal text boxes - however, if you have more than one installed you'll see several text boxes like this:

     Visual Language Editor
     One feature that has been really popular in IP.Board is the Visual Skin Editor - a tool which allows you to browse your site, and click on elements to bring up a colour selector to change it. What if we could take this idea and apply it to translating as well? Allowing you to click on any word or phrase on your site and translate it there immediately. In 4.0, you can.

     Easier Language Management
     In addition to the visual translation we've also made several improvements to the traditional translation method:
     - As you search for a language string, results appear as you type.
     - Editing a language string saves immediately without needing to click a save button.
     - Filter tabs can show you words/phrases which have not yet been translated or the translation is out of date (meaning we've changed the default English value for the word/phrase since it was translated).
     We've also made importing/exporting much faster and more reliable - no matter how large your language is (it will grow as you add more applications of course) there is now no risk of hitting an error importing/exporting (for those interested in the technical side of how this is achieved, see this blog entry). An exported language pack will also now maintain information on the version of each application it was exported from, so that the filter which shows outdated language strings is always accurate.

     Automatic Language Detection
     Let's say you have Spanish and French languages installed on your site - up until now, you'd have to choose one default language, and users who want the other would have to manually choose it (which can be extremely difficult to find how to do when you're browsing a site in a foreign language). In 4.0, we automatically examine the information that the user's browser sends (which includes their preferred language) to choose the best one out of what's available, if that user hasn't already set an explicit preference.

     Pluralisation
     In English, pluralisation is very simple - for most nouns, you just append "s" on the end, with some variation for certain words. This however, isn't the case in all languages - for example, I was speaking with the owner of a site in Slovak recently who was telling me that the word "records" changes depending on the number of records there are - for 2 records, it's "2 články", but for 5 records it's "5 článkov". Currently, most language strings only have a singular and plural form (as is all that's needed in English) - meaning having the site show "2 články"/"5 článkov" was impossible. In 4.0, we've introduced some really basic logic into language strings to accommodate this. Rather than having, for example, two language strings with the singular and the plural, there is now one with a value like this: In the default language, this language string is:
  10. cPanel & WHM 11.32 reaches End of Life in August, 2013. That means there is less than one month left in the life cycle. In accordance with our End of Life Policy (http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/LongTermSupport) cPanel & WHM 11.32 will continue functioning on servers after reaching End of Life. No further updates, including security fixes, or installations will be provided for 11.32 after the end of life date.

      cPanel & WHM 11.32 is the last version to support the following:
      * CentOS 4
      * RHEL 4
      * MySQL 4.0
      * MySQL 4.1

      All customers currently using cPanel & WHM 11.32 are advised to begin planning the upgrade to cPanel & WHM 11.36 (EOL Date: March 2014). If you desire assistance with your migration plans, please contact our technical support team at https://tickets.cpanel.net/submit/. Our professional staff will help with recommendations, migration assistance and more.

      For the PGP signed message, please go here.
  11. We have a few updates to our services to share with you.

      Community in the Cloud
      For over 11 years IPS has provided hosting services for clients that want a turn-key approach to their online community. Over time we have become more and more focused on community hosting solutions so it seemed like a good time to drop the older "hosting" term and adopt a new name for our service: Community in the Cloud. Granted it's the buzzword of the day but we were in the cloud before the cloud was a term :smile:. Right now it's all that you had before but presented in a much easier to understand format. Check out our new information page: http://www.invisionpower.com/cloud-pricing This name and presentation change is just step one. We will soon be increasing our storage quotas and have some other great changes on the way!

      New Support Package
      We often get clients who are looking for a higher level of support beyond just tickets. They want training, schedule upgrade service, consultations, and more. Of course offering that level of support is intensive and in the past we have always custom-quoted such services. Now to streamline we have created a new Premium Support package that includes:

      Implementation
      - Scheduled installation time
      - Initial training & consultation by phone or live chat
      - Post-deployment best practices training
      - Custom migration from other platforms*
      - Custom skin design*
      - Custom single sign on (SSO)*

      Support
      - Same business day ticket response
      - Scheduled upgrade times
      - Custom skin upgrades between versions*
      - Security updates applied before public release

      Monthly Maintenance
      - Logs checked for signs of problems
      - Advise and schedule if upgrades are available
      - Database maintenance
      - Settings reviewed for optimal performance
      - Best practices reviews

      * Custom services may incur additional fees

      The new Premium Support package is $500 every 6 months and is available for purchase or upgrade today. If you have any questions feel free to email sales@invisionpower.com and we will be happy to help.

      Transfer Promotion
      If you are interested in moving to IPS Community in the Cloud we are offering a promotion that should make now the best time to make the switch. From now until 1 September 2013 we will offer free transfers and free conversions. This means if you are already using IPS Community Suite on your own servers but want to switch to the CiC we will move your data for you. It also means that if you are using a different community software provider and are ready to upgrade to CiC we will both transfer your data and convert it using one of our pre-made converters.
  12. Security Update: Potential vulnerability in third-party Minify library

      A potential security vulnerability with Minify has been discovered that only affects some specific server environments. Minify is a third party app that combines multiple CSS and javascript files to help speed up the rendering of IP.Board in a browser. This issue may affect your site even if you are not making use of Minify in IP.Board. Although the vulnerability is caused by the Minify application, in the interests of our customers we felt it best to patch the issue. We have updated the zip file available from your client area and are including a manual patch in this announcement. Additionally, IPS reported the issue to the Minify developers who have released their own similar patch today in the form of a new release (version 2.1.7): https://groups.google.com/forum/#!msg/minify/cpN-ncKPFZE/kwYVpLMkfDwJ

      This issue only affects IP.Board 3.4.0 - 3.4.5.

      Installing the patch
      Simply download the attached zip file and once extracted, upload /public/min/config.php to your server replacing the one on the server.

      minify_patch_07_13.zip (3.68KB)

      Alternatively, you may follow the instructions made available by the Minify developers in their release announcement. While our patch was developed in-house prior to the release of Minify 2.1.7, either patch will protect your board.

      IPS Hosting Clients
      If you are an IPS Hosting client you do not need to be concerned with this security issue. Our servers are not vulnerable to this specific exploit.
  13. SUMMARY
      The Apache HTTPD Server Project has released httpd-2.2.25 and httpd-2.4.6 to correct multiple vulnerabilities that were issued CVEs.

      Apache HTTP Server 2.2.25
      CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.
      CVE-2013-1862 mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.

      AFFECTED VERSIONS
      All versions of Apache 2.2 before 2.2.25.

      SECURITY RATING
      The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
      CVE-2013-1896 – MEDIUM
      CVE-2013-1862 – MEDIUM

      Apache HTTP Server 2.4.6
      CVE-2013-2249 mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.
      CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

      AFFECTED VERSIONS
      All versions of Apache 2.4 before 2.4.6.

      SECURITY RATING
      The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
      CVE-2013-2249 – HIGH
      CVE-2013-1896 – MEDIUM

      SOLUTION
      cPanel, Inc. has released EasyApache 3.20.6 with updated versions of Apache 2.2 and 2.4 to correct these issues. To update, please rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea). Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

      REFERENCES
      CVE-2013-1862 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1862)
      CVE-2013-2249 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2249)
      CVE-2013-1896 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1896)
      Apache 2.2.25 Announcement (http://www.apache.org/dist/httpd/Announcement2.2.html)
      Apache 2.4.6 Announcement (http://www.apache.org/dist/httpd/Announcement2.4.html)

      For the PGP Signed message, please go here.
  14. If you have a database that was installed as InnoDB or was perhaps converted to InnoDB, it won't have the full text index on the tables after converting it back to MyISAM. After converting, run the following queries to add back the stock full text indexes:

      ALTER TABLE posts ADD FULLTEXT KEY post (post);
      ALTER TABLE topics ADD FULLTEXT KEY title (title);
      ALTER TABLE forums_archive_posts ADD FULLTEXT KEY archive_content (archive_content);
      ALTER TABLE message_posts ADD FULLTEXT KEY msg_post (msg_post);
      ALTER TABLE message_topics ADD FULLTEXT KEY mt_title (mt_title);
      ALTER TABLE blog_entries ADD FULLTEXT KEY entry_name (entry_name);
      ALTER TABLE cal_events ADD FULLTEXT (event_content);
      ALTER TABLE cal_events ADD FULLTEXT (event_title);
      ALTER TABLE downloads_files ADD FULLTEXT(file_desc);
      ALTER TABLE downloads_files ADD FULLTEXT(file_name);
      ALTER TABLE nexus_packages ADD FULLTEXT KEY p_name (p_name);
      ALTER TABLE nexus_packages ADD FULLTEXT KEY p_desc (p_desc);
      ALTER TABLE nexus_support_requests ADD FULLTEXT KEY r_title (r_title);
      ALTER TABLE nexus_support_replies ADD FULLTEXT KEY reply_post (reply_post);
  15. SUMMARY
      Mod_Security was found to have a Remote Null Pointer Dereference vulnerability that could cause it to crash.

      SECURITY RATING
      The cPanel Security Team has rated this update as having moderate security impact. Information on security ratings is available at: http://go.cpanel.net/securitylevels.

      DETAIL
      CVE-2013-2765 states: “When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL.”

      AFFECTED VERSIONS
      All versions of mod_security before 2.7.4.

      SOLUTION
      cPanel, Inc has released EasyApache 3.20.4 which includes mod_security version 2.7.4 to correct this issue. To update, rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea)

      RELEASES
      EasyApache v3.20.4 addresses the mod_security vulnerability. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

      REFERENCES
      CVE-2013-2765 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765)
      Red Hat Security Response Team (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765)
      Mod_Security ChangeLog (https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES)

      For the PGP signed message, please go here.
  16. The following disclosure covers the TSR-2013-008, the Targeted Security Release published on July 15th, 2013. Each vulnerability is assigned an internal case number which is reflected below. Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

      Case 71121
      Summary
      The Squirrelmail Webmail session file contained plain text passwords.
      Security Rating
      cPanel has assigned a Security Level of Minor to this vulnerability.
      Description
      cPanel includes the SquirrelMail Webmail suite as one option for Webmail accounts to access their email using a web browser. The included copy of SquirrelMail stored the password used to authenticate in a cleartext format in its session files. The session files are stored in the /tmp/ directory with 0600 (rw-------) permissions, limiting access to the plaintext passwords to the system user account.
      Credits
      This issue was discovered by Alex Kwiecinski of the Liquid Web Security Team.
      Solution
      This issue is resolved in the following builds:
      * 11.39.0.5 & Greater
      * 11.38.1.13 & Greater
      * 11.36.1.15 & Greater
      * 11.34.1.25 & Greater
      * 11.32.6.17 & Greater
      Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

      Case 72157
      Summary
      Arbitrary File Modification vulnerability when suspending an account.
      Security Rating
      cPanel has assigned a Security Level of Important to this vulnerability.
      Description
      cPanel & WHM includes functionality to automatically suspend cPanel accounts that consume more than their allotted limits of disk and bandwidth resources. The account suspension process makes several changes inside the suspended user account’s home directory. It was discovered that manipulations of virtual account password files that are stored inside the user’s home directory were performed with the effective permissions of the root user and without sufficient protections against tampering. This allowed a local attacker whose account was being suspended to manipulate sensitive files outside of their home directory.
      Credits
      This issue was discovered by Rack911.
      Solution
      This issue is resolved in the following builds:
      * 11.39.0.5 & Greater
      * 11.38.1.13 & Greater
      * 11.36.1.15 & Greater
      * 11.34.1.25 & Greater
      * 11.32.6.17 & Greater
      Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

      Case 71573
      Summary
      A reseller account with clustering privileges can modify any DNS zone on the system.
      Security Rating
      cPanel has assigned a Security Level of Important to this vulnerability.
      Description
      cPanel & WHM includes a DNS clustering system called DNSAdmin that allows DNS changes to propagate beyond the local system. This system functions through specific URLs inside WHM that are accessible only to reseller accounts with the “clustering” privilege. The URLs in cpsrvd that handle DNSAdmin cluster requests were not enforcing local zone ownership correctly, allowing a malicious reseller with the clustering privilege to send updates for DNS zones that did not belong to his accounts.
      Credits
      This issue was discovered by Rack911.
      Solution
      This issue is resolved in the following builds:
      * 11.39.0.5 & Greater
      * 11.38.1.13 & Greater
      * 11.36.1.15 & Greater
      * 11.34.1.25 & Greater
      * 11.32.6.17 & Greater
      Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

      Case 71625
      Summary
      A reseller account with park-dns privileges can take control of any domain on the system.
      Security Rating
      cPanel has assigned a Security Level of Important to this vulnerability.
      Description
      WHM allows resellers with the “park-dns” ACL to assign ownership of a parked domain from one cPanel account to another. This functionality was not checking that the domain being reassigned belonged to an account the reseller controlled. A malicious reseller account with the “park-dns” ACL could use this flaw to take control of any other domains on the system.
      Credits
      This issue was discovered by Rack911.
      Solution
      This issue is resolved in the following builds:
      * 11.39.0.5 & Greater
      * 11.38.1.13 & Greater
      * 11.36.1.15 & Greater
      * 11.34.1.25 & Greater
      * 11.32.6.17 & Greater
      Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

      Case 71577
      Summary
      The Purchase and Install an SSL Certificate (Trustwave) feature does not drop privileges during certificate file creation.
      Security Rating
      cPanel has assigned a Security Level of Important to this vulnerability.
      Description
      The WHM “Purchase and Install an SSL Certificate” page allows reseller accounts with the “ssl” or “ssl-buy” ACLs to purchase SSL certificates from Trustwave for installation on the local system. This interface failed to drop privileges before creating a file in the reseller’s home directory, allowing malicious resellers with appropriate ACLs to overwrite arbitrary files on the system.
      Credits
      This issue was discovered by Rack911.
      Solution
      This issue is resolved in the following builds:
      * 11.39.0.5 & Greater
      * 11.38.1.13 & Greater
      * 11.36.1.15 & Greater
      * 11.34.1.25 & Greater
      * 11.32.6.17 & Greater
      Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/

      For a PGP signed version, please go here.
  17. cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having security impact levels ranging from Minor to Important. Information on cPanel’s security ratings is available at http://go.cpanel.net/securitylevels.

      If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then we strongly encourage you to update your cPanel & WHM installations at your earliest convenience.

      Releases
      The following cPanel & WHM versions address all known vulnerabilities:
      * 11.39.0.5 & Greater
      * 11.38.1.13 & Greater
      * 11.36.1.15 & Greater
      * 11.34.1.25 & Greater
      * 11.32.6.17 & Greater
      The latest public releases of cPanel & WHM for all update tiers are available at http://httpupdate.cpanel.net.

      Security Issue Information
      The cPanel security team and independent security researchers identified the resolved security issues. There is no reason to believe that these vulnerabilities have been made known to the public. As such, cPanel will only release limited information about the vulnerabilities at this time. Once sufficient time has passed, allowing cPanel & WHM systems to automatically update to the new versions, cPanel will release additional information about the nature of the security issues. This Targeted Security Release addresses 5 vulnerabilities in cPanel & WHM software versions 11.39, 11.38, 11.36, 11.34, and 11.32. Additional information is scheduled for release on July 17th, 2013.

      For information about our Versions and Release Process, read the following document: http://go.cpanel.net/versionformat

      For the PGP signed version, go here
  18. DirectAdmin 1.43.1 - Release Candidate 1

      Hello, DirectAdmin 1.43.0 release candidate 1 is now ready for testing. There are many new features and fixes in this release. To test out these changes, install the pre-release binaries. The list of changes/fixes can be viewed here: http://www.directadmin.com/versions....rsion=1.431000

      Some of the changes:
      - Security Questions to ask questions after valid login, as an extra layer of security
      - Php Version selector, for CustomBuild 2.0
      - Dovecot per-email quotas which requires manual changes if used.
      - Important filter_base exim filter change to redirect or delete spam.
      - Change for anyone who uses the user_create_post.sh called after the user.conf is created, instead of before.
      - Pipe stderr to stdout for all hook scripts.
      - Plus many more features and bug fixes.

      With this release, CustomBuild 2.0 is closer to being stable. Using nginx is still going to be somewhat experimental with limited support, but the bugs are slowly being ironed out. Note that some of the bugs listed on the versions page are not fixed, but will hopefully be done before this release is declared stable and ready for production use.

      John
  19. Notice of dropping support for old OS's

      With several OSs long since being in end-of-life status, we're giving 3 months notice for the discontinued support for these very old OSs. DA 1.42.2 will likely be the final release for the mentioned OSs, and the binaries will likely be able to be downloaded until the 6 month period has expired. The cutoff will be June 18, 2013.

      The list of discontinued OSs is as follows:
      - CentOS 3
      - Fedora 4, 5, 6
      - FreeBSD 4
      - RedHat 7.2, 8, 9

      These changes really shouldn't affect anyone. If you are using one of these OSs, it's best you update anyway. The supported list of OSs has been updated now (so nobody "accidentally" installs an old one)

      John
  20. July 9, 2013 Houston, TX - cPanel, Inc announces the release of EasyApache 3.20

      The 3.20 release of EasyApache brings a number of improvements to the cPanel & WHM hosting platform. Notable among these is Tomcat 7, the modern means of providing Java web applications. Tomcat 7 provides a Tomcat Administrator with a myriad of benefits for deploying web applications and managing Java development projects including:
      - Automatic Servlet Configuration After a cPanel&WHM Version Upgrade and Server Transfer
      - Automatic Tomcat Log Rotation
      - JSP, WAR File, and Servlet Test Pages for Testing and Troubleshooting
      - Tomcat Restarts Automatically with Apache if Enabled
      - EasyApache 3.20 Utilizes Tomcat 7.0.41

      Tomcat 7 is the first part of the EasyApache application to be released as pre-built RPMs. Users will experience quicker installations and updates of Tomcat due to this change. Upgrades from the older Tomcat 5.5 should be seamless.

      The team behind EasyApache are excited about the many changes brought in version 3.20. The team is also proud to announce, “We are pleased that no Tomcatz were harmed in the production of EasyApache 3.20.”

      Tomcat 7 has a minimum requirement of cPanel & WHM version 11.38.0.8, as well as Apache 2.2 or later. More information about the changes in EasyApache 3.20, and Tomcat 7, is available in our EasyApache documentation. To share your Tomcat 7 experience with others, please feel free to join in the discussion at http://features.cpanel.net/responses/tomcat-7-support-in-easyapache
  21. Important: cPanel Security Disclosure TSR-2013-0007

The following disclosure covers the Targeted Security Release 2013-06-26. Each vulnerability is assigned an internal case number which is reflected below.

Information regarding the cPanel Security Level rankings can be found here: http://go.cpanel.net/securitylevels

Case 71193

Summary
Local cPanel users are able to take over ownership of any file or directory on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. During the preparatory steps for archiving, Cpanel::Logs::prep_logs_path performs a variety of checks to ensure a proper operating environment exists. A number of these checks are performed by a root-privileged process on files and directories in a user’s home directory. A malicious user could take advantage of this behavior to take ownership of important files on the same file system as his home directory.

This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

Case 71109

Summary
Local cPanel users are able to take over ownership of any file or directory on the system.

Security Rating
cPanel has assigned a Security Level of Important to this vulnerability.

Description
The log processing subsystem, cpanellogd, on cPanel & WHM servers offers an option for users to create an archive of their domain’s access logs in their home directory. When cpanellogd creates these archives, some operations are performed by a root-privileged process in the user’s home directory. Through the use of a carefully crafted hard link a malicious user could take advantage of this behavior to take ownership of any file on the same file system as his home directory.

This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
* 11.38.1.4 and greater
* 11.38.0.19 and greater
* 11.36.1.9 and greater
* 11.34.1.17 and greater
* 11.32.6.8 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.

For the PGP Signed Message, Please go here.

View the full article
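Added example, not part of the post above and not cPanel's code: one defensive pattern for the class of issue in TSR-2013-0007, where a privileged process creates a file in a user-writable directory and hands it to the user. The helper `create_owned_file`, the scenario function `try_archive`, and the file names are hypothetical; the sample directory and planted link are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not cPanel code: create `name` in the user-writable
 * directory `dir` and give it to uid/gid. Returns an open fd, or -1 (errno set). */
int create_owned_file(const char *dir, const char *name, uid_t uid, gid_t gid)
{
    /* Pin the directory; a symlink swapped in for its last component fails. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* O_EXCL: any existing name (file, hard link, symlink) fails with EEXIST. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    int saved = errno;
    /* Change ownership through the descriptor, never by re-resolving a path. */
    if (fd >= 0 && fchown(fd, uid, gid) != 0) {
        saved = errno;
        unlinkat(dfd, name, 0);
        close(fd);
        fd = -1;
    }
    close(dfd);
    errno = saved;
    return fd;
}

/* Constructed scenario: optionally plant a hard link to a stand-in "victim"
 * file at the archive name. Returns 0 if creation succeeded, else errno. */
int try_archive(int plant_link)
{
    char base[] = "/tmp/tsr-demo-XXXXXX";
    if (!mkdtemp(base) || chdir(base) != 0)
        return errno;
    int v = open("victim", O_WRONLY | O_CREAT, 0600);
    if (v < 0 || mkdir("logs", 0700) != 0 ||
        (plant_link && link("victim", "logs/archive.gz") != 0))
        return errno;
    close(v);
    int fd = create_owned_file("logs", "archive.gz", geteuid(), getegid());
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : errno;
}

int main(void) { return try_archive(1) == EEXIST && try_archive(0) == 0 ? 0 : 1; }
```

On Linux, the `fs.protected_hardlinks` sysctl adds a second layer by stopping users from creating hard links to files they neither own nor can read and write.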
  22. 6/24/2013

Houston, TX - Anticipated this week, June 24th, 2013, 11.39 will be pushed to the EDGE tier. This new build includes the following changes and updates to cPanel & WHM software:

- Added support for using cPanel & WHM in a 1:1 NAT environment
- Dovecot is upgraded to version 2.2 and it is now possible to enable auto-purging of deleted emails when using Dovecot
- Updated Logaholic to version 4.0.5
- Provides Razor2::Client::Agent with SpamAssassin
- Removed the ancient Java Telnet Application
- Added the ability to load custom CSS in WHM to allow simple customizations
- Added the homedir and homeroot data to the pre and post Whostmgr::Accounts::Create hooks

*MySQL 5.1, or higher, is required.

If you enjoy testing bleeding edge software, being involved in an energetic highly skilled community, and providing feedback, we invite you to join our beta testing group. Simply sign up for our edge users mailing list, configure a non-production cPanel & WHM server for the edge tier, and hold on to your electrons.

View the full article
  23. http://community.invisionpower.com/resources/documentation/ips_error_codes.html/_/invision-power-board-3xx/
  24. 6/18/2013

Houston, TX - cPanel, Inc. announces the impending release of cPanel & WHM software version 11.38.

cPanel & WHM software release 11.38 is anticipated to move to the STABLE tier the week of June 24, 2013. This release offers significant improvements to SSL Management and Backups. It also provides enhancements to jail shell, email auto configuration, and more.

Included in 11.38:

Improved SSL Management
The improved SSL management system offers a number of enhancements: support for UCC certificates, SNI (Server Name Indication), and enhanced support for Wildcard SSL certificates. This allows cPanel users to host multiple SSL websites on the same account. cPanel & WHM software users will notice changes to the user interfaces that simplify installing and managing the various SSL certificates, keys, and signing requests associated with their domains.

System and Account Backups
cPanel introduces a new backup system with software release 11.38. Among the changes are the ability to store backups in multiple locations, reduction in the time needed to perform a full backup, and a complete set of functionality for automating backups. Backup restoration is also enhanced. A new queuing system allows system administrators to perform other operations within cPanel & WHM software while restorations occur.

Other notable changes include:
* Ability to configure the host used by email autodiscovery, and auto configuration
* Improved email tracking ability by ensuring the From header matches the mail sender
* Use of a single template system for customizing the Apache configuration
* Changes to jail shell, mod_ruid2, and more

Detailed information on all 11.38 features can be found at http://docs.cpanel.net/twiki/bin/view/AllDocumentation/1138ReleaseNotes. For an overview of the latest features available in 11.38, visit http://releases.cpanel.net/category/releases/11-38/.

View the full article