CVE-2019-0211 Privilege escalation via Apache HTTP Server from module scripts
  1. Mike Tindor
  2. Wednesday, 03 April 2019
Does CL have any idea on a timeframe as to when an updated version of Apache will be released for CloudLinux?

I'm presuming (perhaps incorrectly) that CloudLinux will not publish an Apache update until cPanel publishes an Apache update upstream.

Lots of FUD exists around this CVE, probably justified. I would appreciate some word from CloudLinux regarding this.

Thanks

Mike
  1. 03.04.2019 14:04:21
  2. # 1
Edie Etoile Accepted Answer
Posts: 0
Joined: 17.11.2019
cPanel reports that Apache 2.4.39 is "tentatively scheduled for publication later today":

https://forums.cpanel.net/threads/ea-8307-update-ea-apache24-to-2-4-39-for-cve-2019-0211.650517/

We'd also like to know how long this would take on the CloudLinux side and if there is any CL or Imunify360 mitigation or protection against this in the meantime?
  1. 03.04.2019 14:04:19
  2. # 2
Eugene Zamriy Accepted Answer
Posts: 0
Joined: 17.11.2019
Hi there.


We just released an updated ea-apache24-2.4.39-3 version for cPanel/EasyApache 4 to the "cl-ea4-testing" repository (an announcement is coming to our blog). It's an update to the upstream Apache 2.4.39 version which fixes CVE-2019-0211.


Our system packages "httpd" are based on the RHEL ones, so they aren't vulnerable according to https://access.redhat.com/security/cve/cve-2019-0211.

We are investigating the situation with httpd24-httpd package, probably an updated version will come tomorrow.


That's all for now, thank you for your patience.

--
Eugene Zamriy
CloudLinux OS release manager
  1. 03.04.2019 14:04:50
  2. # 3
Mike Tindor Accepted Answer
Posts: 35
Joined: 08.11.2013
Hmm. Issues with the lack of liblsapi 1.1.1-38. Same on all of the boxes I manage. Is this just a case of the CL mirrors not being fully synced yet?

yum update ea-apache24* --enablerepo=cl-ea4-testing
Loaded plugins: fastestmirror, rhnplugin, security, universal-hooks
Setting up Update Process
Loading mirror speeds from cached hostfile
* cpanel-addons-production-feed: 208.100.0.204
* cloudlinux-x86_64-server-6: xmlrpc.cln.cloudlinux.com
Resolving Dependencies
--> Running transaction check
---> Package ea-apache24.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-config.noarch 2:1.0-143.el6.cloudlinux will be updated
---> Package ea-apache24-config.noarch 2:1.0-145.el6.cloudlinux will be an update
---> Package ea-apache24-config-runtime.noarch 2:1.0-143.el6.cloudlinux will be updated
---> Package ea-apache24-config-runtime.noarch 2:1.0-145.el6.cloudlinux will be an update
---> Package ea-apache24-devel.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-devel.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_authn_anon.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_authn_anon.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_authn_socache.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_authn_socache.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_cgid.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_cgid.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_deflate.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_deflate.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_expires.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_expires.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_headers.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_headers.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_http2.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_http2.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_lsapi.x86_64 1:1.1-37.el6.cloudlinux will be updated
---> Package ea-apache24-mod_lsapi.x86_64 1:1.1-38.el6.cloudlinux will be an update
--> Processing Dependency: liblsapi = 1:1.1-38.el6.cloudlinux for package: 1:ea-apache24-mod_lsapi-1.1-38.el6.cloudlinux.x86_64
---> Package ea-apache24-mod_mpm_event.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_mpm_event.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_proxy.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_proxy.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_proxy_http.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_proxy_http.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_proxy_wstunnel.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_proxy_wstunnel.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_security2.x86_64 2:2.9.2-10.el6.cloudlinux will be updated
---> Package ea-apache24-mod_security2.x86_64 2:2.9.2-11.el6.cloudlinux will be an update
---> Package ea-apache24-mod_ssl.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_ssl.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_suexec.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_suexec.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-mod_unique_id.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-mod_unique_id.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
---> Package ea-apache24-tools.x86_64 1:2.4.38-3.el6.cloudlinux will be updated
---> Package ea-apache24-tools.x86_64 1:2.4.39-3.el6.cloudlinux will be an update
--> Finished Dependency Resolution
Error: Package: 1:ea-apache24-mod_lsapi-1.1-38.el6.cloudlinux.x86_64 (cl-ea4-testing)
Requires: liblsapi = 1:1.1-38.el6.cloudlinux
Installed: 1:liblsapi-1.1-37.el6.cloudlinux.x86_64 (@cloudlinux-x86_64-server-6)
liblsapi = 1:1.1-37.el6.cloudlinux
Available: liblsapi-1.0-1.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-1.el6.cloudlinux
Available: liblsapi-1.0-2.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-2.el6.cloudlinux
Available: liblsapi-1.0-16.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-16.el6.cloudlinux
Available: liblsapi-1.0-17.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-17.el6.cloudlinux
Available: liblsapi-1.0-23.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-23.el6.cloudlinux
Available: liblsapi-1.0-24.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-24.el6.cloudlinux
Available: liblsapi-1.0-27.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-27.el6.cloudlinux
Available: liblsapi-1.0-28.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-28.el6.cloudlinux
Available: liblsapi-1.0-29.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-29.el6.cloudlinux
Available: liblsapi-1.0-30.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.0-30.el6.cloudlinux
Available: liblsapi-1.1-16.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-16.el6.cloudlinux
Available: liblsapi-1.1-17.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-17.el6.cloudlinux
Available: liblsapi-1.1-18.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-18.el6.cloudlinux
Available: liblsapi-1.1-20.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-20.el6.cloudlinux
Available: liblsapi-1.1-21.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-21.el6.cloudlinux
Available: liblsapi-1.1-25.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-25.el6.cloudlinux
Available: liblsapi-1.1-26.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-26.el6.cloudlinux
Available: liblsapi-1.1-27.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-27.el6.cloudlinux
Available: liblsapi-1.1-28.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-28.el6.cloudlinux
Available: liblsapi-1.1-29.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-29.el6.cloudlinux
Available: liblsapi-1.1-31.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-31.el6.cloudlinux
Available: liblsapi-1.1-33.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1.1-33.el6.cloudlinux
Available: 1:liblsapi-1.1-36.el6.cloudlinux.x86_64 (cloudlinux-x86_64-server-6)
liblsapi = 1:1.1-36.el6.cloudlinux
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
  1. 03.04.2019 14:04:50
  2. # 4
Eugene Zamriy Accepted Answer
Posts: 0
Joined: 17.11.2019
Hi Mike,


It's trying to install an updated lsapi binding from beta as well. Please add "--exclude=ea-apache24-mod_lsapi" option to your yum update command.

I'll ask to update the instructions in the blog post.


--
Eugene Zamriy
CloudLinux OS release manager.
  1. 03.04.2019 15:04:17
  2. # 5
Eugene Zamriy Accepted Answer
Posts: 0
Joined: 17.11.2019
Btw,


Alternatively, you can enable the "cloudlinux-updates-testing" repository to let yum install lsapi dependencies from it. But I wouldn't recommend doing that if you are just going to update Apache.


--
Eugene Zamriy
CloudLinux OS release manager
  1. 03.04.2019 15:04:10
  2. # 6
Mike Tindor Accepted Answer
Posts: 35
Joined: 08.11.2013
Thanks, Eugene. That took care of it.

yum update ea-apache24* --enablerepo=cl-ea4-testing --exclude=ea-apache24-mod_lsapi

Mike
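
A way to confirm which hosts still need the update discussed in this thread, added here as an example and not posted by any participant or taken from CloudLinux tooling. It assumes the 2.4.39 fixed version stated above, GNU `sort -V`, and package inventories in `NAME VERSION` form; the function names and sample inventories are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a host whose core ea-apache24 package is older than
# the release this thread names as fixing CVE-2019-0211.
FIXED_VERSION="2.4.39"

# version_lt A B: succeeds when A sorts strictly before B. sort -V compares
# numerically per component, so 2.4.4 is correctly older than 2.4.39.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# check_apache: reads "NAME VERSION" lines on stdin, as produced by
#   rpm -qa --qf '%{NAME} %{VERSION}\n' 'ea-apache24*'
# Only the core package carries the httpd version. Modules such as
# ea-apache24-mod_lsapi (1.1) and ea-apache24-mod_security2 (2.9.2) are
# versioned independently and must not be compared against 2.4.39.
# Returns 0 = patched, 1 = vulnerable, 2 = core package not installed.
check_apache() {
    found=""
    while read -r name version; do
        [ "$name" = "ea-apache24" ] && found="$version"
    done
    if [ -z "$found" ]; then
        echo "ea-apache24 not installed"
        return 2
    fi
    if version_lt "$found" "$FIXED_VERSION"; then
        echo "VULNERABLE: ea-apache24 $found < $FIXED_VERSION"
        return 1
    fi
    echo "OK: ea-apache24 $found >= $FIXED_VERSION"
    return 0
}

# Constructed inventories mirroring the package set in the yum output above.
sample_before='ea-apache24 2.4.38
ea-apache24-mod_lsapi 1.1
ea-apache24-mod_security2 2.9.2
ea-apache24-mod_ssl 2.4.38'
sample_after='ea-apache24 2.4.39
ea-apache24-mod_lsapi 1.1
ea-apache24-mod_security2 2.9.2
ea-apache24-mod_ssl 2.4.39'

printf '%s\n' "$sample_before" | check_apache || true
printf '%s\n' "$sample_after" | check_apache
```

Because `--exclude=ea-apache24-mod_lsapi` leaves that module at its old release, the check deliberately ignores module packages and reports only on the core `ea-apache24` version.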