Jeff
09-24-2006, 08:59 PM
All,
This is the latest cPanel security update thread, with information taken directly from cPanel staff member Nick in the ongoing "Major Exploit" thread over at the cPanel forums (http://forums.cpanel.net)
Updated Patcher:
http://layer1.cpanel.net/installer/sec092406.pl
Updated Checker:
http://layer1.cpanel.net/installer/cpanel_exploit_checker_092406.pl
The auto patcher in the installer has been updated
Summary:
* The patch is now pure perl and doesn't rely on the 'patch' utility (this was causing older version of cPanel to not be patched).
* Solves Problems with mysql interaction on 64-bit systems.
* Solves Problems with creating databases with non latin charsets.
* More robust security checks (the last patch could still allow the exploit to work if it was modified if you were running RELEASE/STABLE [the CURRENT,EDGE,NIGHTLY have a patch in the wrapper that stops this problem dead instead of patching around it] )
The offical security advisory should be ready late tonight/tomorrow morning.
and this is from the cPanel Security Advisory we received just minutes ago:
---------------------------------------------
Fix Details:
---------------------------------------------
We recommend updating (if you do not wish to update see the manual patch instructions below) to the latest EDGE or CURRENT build as these builds include the latest security patch as well as additional protection (the underlying wrapper now contains vastly improved input sanitization). To do this, you will need to modify your upgrade settings thorugh the ‘Update Config’ function in the ‘Server Configuration’ menu of WebHost Manager.
Login to WebHost Manager
Naviagte to the the ‘Update Config’ function in the ‘Server Configuration’ menu.
Change your cPanel/WHM Updates option to CURRENT or bleeding EDGE (Automatic updates recommended).
Click on ‘Save’
Use the ‘Upgrade to Latest Version’ option within the ‘cPanel’ menu.
You can also apply the patch without updating:
You can either run /scripts/upcp from the command line as root, or you can also upgrade from inside WebHostManager by using the ‘Upgrade to Latest Version’ option within the ‘cPanel’ menu.
You may also apply just the patch manually through the following steps:
SSH into your server and gain root access
wget -q -O - http://layer1.cpanel.net/installer/sec092406.pl | perl
You can verified the server is patched by running:
wget -q -O - http://layer1.cpanel.net/installer/cpanel_exploit_checker_092406.pl | perl
and
All cPanel and WHM server will automatically receive a patch for this update. This patch has been applied to most servers and will be applied to the remaining number of servers during the scheduled update on Sunday night, September 25th, 2006. It can be applied manually as per the instructions below.
I personally recommend updating either via /scripts/upcp, or running the patch and security check script manually. I do NOT recommend updating to CURRENT or EDGE under any circumstances. EDGE is for bleeding edge code that is largely untested and may contain many bugs. CURRENT is a more tested version of EDGE, and should not be used.
Again, if you have nightly updating enabled and are not around at this time, your server should be automatically updated. However, if you are available at this time, I strongly urge you to upgrade now, as this is a crtical security issue.
If there are any questions, please feel free to post them here. If you would like assistance with updating, please open a ticket and be sure to provide your VEID if you're a VDS customer, or your Myriad Network Server ID if you are a dedicated customer. Thanks.
This is the latest cPanel security update thread, with information taken directly from cPanel staff member Nick in the ongoing "Major Exploit" thread over at the cPanel forums (http://forums.cpanel.net)
Updated Patcher:
http://layer1.cpanel.net/installer/sec092406.pl
Updated Checker:
http://layer1.cpanel.net/installer/cpanel_exploit_checker_092406.pl
The auto patcher in the installer has been updated
Summary:
* The patch is now pure perl and doesn't rely on the 'patch' utility (this was causing older version of cPanel to not be patched).
* Solves Problems with mysql interaction on 64-bit systems.
* Solves Problems with creating databases with non latin charsets.
* More robust security checks (the last patch could still allow the exploit to work if it was modified if you were running RELEASE/STABLE [the CURRENT,EDGE,NIGHTLY have a patch in the wrapper that stops this problem dead instead of patching around it] )
The offical security advisory should be ready late tonight/tomorrow morning.
and this is from the cPanel Security Advisory we received just minutes ago:
---------------------------------------------
Fix Details:
---------------------------------------------
We recommend updating (if you do not wish to update see the manual patch instructions below) to the latest EDGE or CURRENT build as these builds include the latest security patch as well as additional protection (the underlying wrapper now contains vastly improved input sanitization). To do this, you will need to modify your upgrade settings thorugh the ‘Update Config’ function in the ‘Server Configuration’ menu of WebHost Manager.
Login to WebHost Manager
Naviagte to the the ‘Update Config’ function in the ‘Server Configuration’ menu.
Change your cPanel/WHM Updates option to CURRENT or bleeding EDGE (Automatic updates recommended).
Click on ‘Save’
Use the ‘Upgrade to Latest Version’ option within the ‘cPanel’ menu.
You can also apply the patch without updating:
You can either run /scripts/upcp from the command line as root, or you can also upgrade from inside WebHostManager by using the ‘Upgrade to Latest Version’ option within the ‘cPanel’ menu.
You may also apply just the patch manually through the following steps:
SSH into your server and gain root access
wget -q -O - http://layer1.cpanel.net/installer/sec092406.pl | perl
You can verified the server is patched by running:
wget -q -O - http://layer1.cpanel.net/installer/cpanel_exploit_checker_092406.pl | perl
and
All cPanel and WHM server will automatically receive a patch for this update. This patch has been applied to most servers and will be applied to the remaining number of servers during the scheduled update on Sunday night, September 25th, 2006. It can be applied manually as per the instructions below.
I personally recommend updating either via /scripts/upcp, or running the patch and security check script manually. I do NOT recommend updating to CURRENT or EDGE under any circumstances. EDGE is for bleeding edge code that is largely untested and may contain many bugs. CURRENT is a more tested version of EDGE, and should not be used.
Again, if you have nightly updating enabled and are not around at this time, your server should be automatically updated. However, if you are available at this time, I strongly urge you to upgrade now, as this is a crtical security issue.
If there are any questions, please feel free to post them here. If you would like assistance with updating, please open a ticket and be sure to provide your VEID if you're a VDS customer, or your Myriad Network Server ID if you are a dedicated customer. Thanks.