مهم »»» مشکل امنیتی جدید در CPanel با درجه اهمیتی بالا

[secure_host]

با سلام
طبق اطلاع رسانی شرکت CPanel امروز مشکل امنیتی برای CPanel گزارش شده است که این مشکل امنیتی با درجه اهمیت بالا گزارش شده است . و در بروز رسانی در تمامی نسخه های CPanel مشکل امنیتی پوشش داده می شود. و اگر CPanel شما بر روی Auto update تنظیم شده است که نیازی به انجام هیچ گونه اقدامی از ناحیه شما نمی باشد.
ولی در صورتی که CPanel شما در این حالت تنظیم نشده است .لطفا هرچه سریعتر نسخه مربوط به CPanel خود را بروزرسانی نموده تا مشکل امنیتی برای شما برطرف گردد و دچار مشکل و عواقب این مشکل نگردید.
با تشکر

ایمیل شرکت CPanel به این حقیر :

Important: cPanel & WHM 11.34 Security Release

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system.

cPanel has rated this update as having important security impact. Information on security ratings is available at SecurityLevels < AllDocumentation < TWiki.

If your deployed cPanel & WHM servers are configured to automatically update when new releases are available, then no action is required. Your systems will update automatically. If you have disabled automatic updates, then you are highly encouraged to update your cPanel & WHM installs at your earliest convenience.

Releases

Version 11.34.0.11 of cPanel & WHM addresses all known vulnerabilities. The latest public releases of cPanel & WHM for all update tiers are published at Downloads - cPanel Inc..

Security Issue Information

The resolved security issues were identified by various members of the development and quality assurance teams at cPanel. There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities.

Once sufficient time has passed to allow cPanel & WHM systems to automatically update their installed software to the new versions, cPanel will release additional information regarding the nature of the security issue. This Targeted Security Release addresses five vulnerabilities. Additional information is scheduled to be released December 6, 2012, via email.

==============================================

موفق باشید.

[secure_host]

با سلامی دوباره
با توجه به درخواست های زیادی که برای بروز رسانی CPanel ارسال شده است . ممکن است در برخی ساعات شما نتوانید کنترل پنل خود را بروز رسانی نمایید که در صورتی که نتوانستید بروز رسانی موفقی داشته باشید بهتر است در ساعات دیگری دوباره تلاش نمایید.

ایمیل دیگری از CPanel به بنده :

Hello,

Due to this morning’s security release, we are seeing heavier than normal network traffic, and have made adjustments that will compensate for this traffic. We apologize for excessive communication during this security release; we want every customer to have a good experience with our support and our software. If your server performed the update process between 1pm and 2pm CST, we recommend verifying the version number or re-running the update.

It is also important to note these issues have nothing to do with the security of cPanel software. More information about the cPanel & WHM 11.30 / 11.32 and 11.34 security announcement will be emailed and posted to cPanel Inc | Point.Click.Host. December 6th 2012.

با تشکر

[3245]

احساس میکنم اینقدر خطرناک بوده که در 2 ساعت 2 تا اخطاریه آپدیت آمد که متفاوت بودند نسبت به هم

[VPS]

سلام
باز خوبه چنین افرادی هستند که این موضوعات را اطاع رسانی می کنند.
آقا ممنون

[hamnafas]

خدارو شکر هستند دوستانی که به جای سوء استفاده به فکر این هستن که امنیت همکاراشون بالا بره.
ممنونم سکیور هاست عزیز

[sa_sh41]

ممنون بابت اطلاع رسانی
در صورتیکه شما میتینگ نمایشگاه میاین تو تاپیک مربوطه بگین تا زیارتتون کنیم
واقعا پست های مفیدی ازتون دیدیم

[secure_host]

با سلام
و اما اطلاعات مهم در باره مشکلات امنیتی cPanel :

Important: New Information about cPanel & WHM 11.30, 11.32, and 11.34 Updates Now Available

Summary:

cPanel & WHM 11.30.7.4; 11.32.5.15; 11.34.0.11, which fixes multiple security issues, is now available for download.

cPanel has rated these updates as having important security impact. Information on security ratings is available at http://go.cpanel.net/securitylevels.

Description:

The Perl Storable module provides support for serialization and deserialization of Perl data structures. In cPanel & WHM this functionality is used for caching data to disk and transferring data between processes. In many areas this caching and interprocess communication crosses privilege separation boundaries. A local malicious user could use this behavior to inject code into serialized data structures, thus allowing for code execution and possibility of privilege escalation.

The Perl YAML::Syck module provides similar functionality as the Storable module. The version of YAML::Syck used in previous releases of cPanel & WHM allowed serialized data to be blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.

The version of Locale::Maketext used in previous releases of cPanel & WHM suffered from two flaws in the _compile() function which allowed authenticated users to execute arbitrary code by supplying specially crafted translatable phrases.

cPanel & WHM relies on the Crypt::Passwd::XS Perl module to perform password hashing. This module suffers from the same vulnerability disclosed in CVE-2012-2143 where passwords with the 0x80 character are truncated when hashed using the DES crypt algorithm. cPanel & WHM systems are configured by default to use the stronger MD5 and SHA512 crypt password hashing algorithms.

The version of Cpanel::Locale used in previous releases of cPanel & WHM included two date formatting functions that passed unsanitized user input to a subprocess shell. An authenticated attacker could use this functionality to execute arbitrary shell commands on the local system bypassing normal restrictions on local code execution.

These issues were discovered by various members of the Development and Quality Assurance teams at cPanel.

Solution:

We recommend updating your cPanel & WHM system as follows;

Update cPanel & WHM 11.30 to 11.30.7.3 or newer.
Update cPanel & WHM 11.32 to 11.32.5.14 or newer.
Update cPanel & WHM 11.34 to 11.34.0.10 or newer.

To check which version of cPanel you have, go to http://go.cpanel.net/myversion

A full listing of published versions can always be found at Downloads - cPanel Inc..

References:

Case 59926 | cPanel, Inc.
Case 60203 | cPanel, Inc.
Case 60970 | cPanel, Inc.
Case 61251 | cPanel, Inc.
Case 62230 | cPanel, Inc.

فکر نمی کردم که این مشکلات امنیتی که با درجه اهمیت بالا Important گزارش شده رو بخوان Public کنند. ولی الان دیگه public شده.
با تشکر