CVE-2019-0211 Apache HTTP Server privilege escalation from modules scripts

  • CVE-2019-0211 Apache HTTP Server privilege escalation from modules scripts

    Does CL have any idea on a timeframe as to when an updated version of Apache will be released for CloudLinux?

    I'm presuming (perhaps incorrectly) that CloudLinux will not publish an Apache update until cPanel publishes an Apache update upstream.

    Lots of FUD exists around this CVE, probably justified. I would appreciate some word from CloudLinux regarding this.

    Thanks

    Mike
    Hostking | Since 2013 | Web Hosting | WordPress Web Hosting

  • #2
    cPanel reports that Apache 2.4.39 is "tentatively scheduled for publication later today":

    https://forums.cpanel.net/threads/ea...19-0211.650517/

    We'd also like to know how long this would take on the CloudLinux side and if there is any CL or Imunify360 mitigation or protection against this in the meantime?



    • #3
      Hi there.

      We just released an updated ea-apache24-2.4.39-3 version for cPanel/EasyApache 4 to the "cl-ea4-testing" repository (an announcement is coming to our blog). It's an update to the upstream Apache 2.4.39 version which fixes CVE-2019-0211.

      Our system packages "httpd" are based on the RHEL ones so they aren't vulnerable according to https://access.redhat.com/security/cve/cve-2019-0211.

      We are investigating the situation with httpd24-httpd package, probably an updated version will come tomorrow.

      That's all for now, thank you for your patience.

      --
      Eugene Zamriy
      CloudLinux OS release manager



      • #4
        Hmm. Issues with the lack of liblsapi 1.1.1-38. Same on all of the boxes I manage. Is this just a case of the CL mirrors not being fully synced yet?

        yum update ea-apache24* --enablerepo=cl-ea4-testing
        Loaded plugins: fastestmirror, rhnplugin, security, universal-hooks
        Setting up Update Process
        Loading mirror speeds from cached hostfile
        * cpanel-addons-production-feed: 208.100.0.204
        * cloudlinux-x86_64-server-6: xmlrpc.cln.cloudlinux.com
        Resolving Dependencies
        --> Running transaction check
        ---> Package ea-apache24.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-config.noarch 2:1.0-143.el6.cloudlinux will be updated
        ---> Package ea-apache24-config.noarch 2:1.0-145.el6.cloudlinux will be an update
        ---> Package ea-apache24-config-runtime.noarch 2:1.0-143.el6.cloudlinux will be updated
        ---> Package ea-apache24-config-runtime.noarch 2:1.0-145.el6.cloudlinux will be an update
        ---> Package ea-apache24-devel.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-devel.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_authn_anon.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_authn_anon.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_authn_socache.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_authn_socache.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_cgid.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_cgid.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_deflate.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_deflate.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_expires.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_expires.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_headers.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_headers.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_http2.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_http2.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_lsapi.x86_64 1:1.1-37.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_lsapi.x86_64 1:1.1-38.el6.cloudlinux will be an update
        --> Processing Dependency: liblsapi = 1:1.1-38.el6.cloudlinux for package: 1:ea-apache24-mod_lsapi-1.1-38.el6.cloudlinux.x86_64
        ---> Package ea-apache24-mod_mpm_event.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_mpm_event.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_proxy.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_proxy.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_proxy_http.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_proxy_http.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_proxy_wstunnel.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_proxy_wstunnel.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_security2.x86_64 2:2.9.2-10.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_security2.x86_64 2:2.9.2-11.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_ssl.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_ssl.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_suexec.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_suexec.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-mod_unique_id.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-mod_unique_id.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        ---> Package ea-apache24-tools.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
        ---> Package ea-apache24-tools.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
        --> Finished Dependency Resolution
        Error: Package: 1:ea-apache24-mod_lsapi-1.1-38.el6.cloudlinux.x86_64 (cl-ea4-testing)
        Requires: liblsapi = 1:1.1-38.el6.cloudlinux
        Installed: 1:liblsapi-1.1-37.el6.cloudlinux.x86_64 (@cloudlinux-x86_64-server-6)
        liblsapi = 1:1.1-37.el6.cloudlinux
        Available: liblsapi-1.0-1.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-1.el6.cloudlinux
        Available: liblsapi-1.0-2.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-2.el6.cloudlinux
        Available: liblsapi-1.0-16.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-16.el6.cloudlinux
        Available: liblsapi-1.0-17.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-17.el6.cloudlinux
        Available: liblsapi-1.0-23.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-23.el6.cloudlinux
        Available: liblsapi-1.0-24.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-24.el6.cloudlinux
        Available: liblsapi-1.0-27.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-27.el6.cloudlinux
        Available: liblsapi-1.0-28.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-28.el6.cloudlinux
        Available: liblsapi-1.0-29.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-29.el6.cloudlinux
        Available: liblsapi-1.0-30.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.0-30.el6.cloudlinux
        Available: liblsapi-1.1-16.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-16.el6.cloudlinux
        Available: liblsapi-1.1-17.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-17.el6.cloudlinux
        Available: liblsapi-1.1-18.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-18.el6.cloudlinux
        Available: liblsapi-1.1-20.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-20.el6.cloudlinux
        Available: liblsapi-1.1-21.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-21.el6.cloudlinux
        Available: liblsapi-1.1-25.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-25.el6.cloudlinux
        Available: liblsapi-1.1-26.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-26.el6.cloudlinux
        Available: liblsapi-1.1-27.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-27.el6.cloudlinux
        Available: liblsapi-1.1-28.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-28.el6.cloudlinux
        Available: liblsapi-1.1-29.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-29.el6.cloudlinux
        Available: liblsapi-1.1-31.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-31.el6.cloudlinux
        Available: liblsapi-1.1-33.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1.1-33.el6.cloudlinux
        Available: 1:liblsapi-1.1-36.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
        liblsapi = 1:1.1-36.el6.cloudlinux
        You could try using --skip-broken to work around the problem
        You could try running: rpm -Va --nofiles --nodigest



        • #5
          Hi Mike,

          It's trying to install an updated lsapi binding from beta as well. Please add "--exclude=ea-apache24-mod_lsapi" option to your yum update command.

          I'll ask to update the instructions in the blog post.

          --
          Eugene Zamriy
          CloudLinux OS release manager.



          • #6
            Btw,

            Alternatively, you can enable the "cloudlinux-updates-testing" repository to let yum install lsapi dependencies from it. But I wouldn't recommend you to do it if you are just going to update the Apache.

            --
            Eugene Zamriy
            CloudLinux OS release manager



            • #7
              Thanks, Eugene. That took care of it.

              yum update ea-apache24* --enablerepo=cl-ea4-testing --exclude=ea-apache24-mod_lsapi

              Mike
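
To confirm after the update that no host is still on an affected build, the installed package versions can be checked against the upstream affected range for CVE-2019-0211 (2.4.17 through 2.4.38, fixed in 2.4.39). This is an added example, not part of the thread or CloudLinux tooling; the function names and the sample inventory are constructed for illustration, and a version-only check cannot see distribution backports.

```shell
#!/bin/sh
# Classify Apache httpd package versions against CVE-2019-0211.
# Upstream advisory range: 2.4.17 through 2.4.38 affected, 2.4.39 fixed.
# A version-only check does not detect vendor backports, so treat
# "vulnerable" as "needs review against the vendor advisory".

# cve_2019_0211_status [EPOCH:]VERSION[-RELEASE]
# Prints one of: vulnerable, fixed, not-affected, unknown.
cve_2019_0211_status() {
    ver="${1#*:}"        # drop an RPM epoch:    1:2.4.38-3.el6 -> 2.4.38-3.el6
    ver="${ver%%-*}"     # drop the RPM release: 2.4.38-3.el6   -> 2.4.38
    case "$ver" in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver          # split into major minor patch
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unknown; return 0; }
    if [ "$1" -ne 2 ] || [ "$2" -ne 4 ]; then
        echo not-affected          # e.g. the 2.2.x line
    elif [ "$3" -lt 17 ]; then
        echo not-affected          # 2.4.x older than the affected range
    elif [ "$3" -le 38 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Read "name version-release" lines on stdin, as produced by e.g.
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ea-apache24 httpd
# and print the names of packages that still need the update.
list_vulnerable() {
    while read -r name vr; do
        [ "$(cve_2019_0211_status "$vr")" = vulnerable ] && echo "$name"
    done
    return 0
}

# Constructed sample inventory (not real host data): the pre-update
# EasyApache 4 package from the thread plus a constructed system httpd.
SAMPLE='ea-apache24 2.4.38-3.el6.cloudlinux
httpd 2.2.15-69.el6'

printf '%s\n' "$SAMPLE" | list_vulnerable
```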
