Hello,
I generally update my cpanel servers manually after first checking a release to make sure there aren't major issues e.g. in past, I avoided a bug that broke phpmyadmin by not auto-updating, I've avoided bad EA releases, etc.
This leads me to the next point. I am on the cpanel mailing list and receive emails about EasyApache releases & Cpanel security releases. I frankly think the ball was dropped since we weren't notified about this issue by email:
Version 68.0.25 1-10-18
- Fixed case CPANEL-17721: Update awstats to 7.4-3.cp1162 for CVE-2017-1000501.
In the future, would you -please- contact us for any off-cycle security fixes? e.g. Cpanel 68.0.25 addresses highly critical security fix with awstats.
I was able to get the servers updated but didn't see this until a couple days late since I rely on cpanel to notify me of security issues with cpanel or easyapache. I'm on separate mailing lists for CentOS and other software. Recently, you notified us of upcoming security fixes to be patched on 1-22-18 then you released the details a day later 1-23-18, which is normal for cpanel. The cpanel security fixes on 1-22-18 weren't that serious compared to the awstats issue on 1-10-18, which was very, very serious and easy to exploit. In the future, I feel we should be notified about any off-cycle security patches from cpanel...especially one this critical that could allow unauthenticated, remote code execution as root.
Also, please, mark these releases as [security] in the patch notes but that's a minor gripe, would rather receive an email notification.
Thank you.
Comments
0 comments