EasyApache4 v25.42 Maintenance and Security Release
Webpros has released an update for EasyApache 4! Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.
Security Updates
This release addresses the following security vulnerability:
CPANEL-47168 / SEC-68753: XSS and email injection vulnerability in 404 error page
The Contact WebMaster link on the 404 page was susceptible to manipulation of email parameters
Attackers could inject additional recipients (to, cc, bcc) and set malicious body/subject fields
Fixed by sanitizing the webmaster error email to prevent parameter injection
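The class of fix described above, as an added example that is not cPanel's code or the actual patch: it assumes the webmaster address reaches the error page as an untrusted string, and it only emits a mailto link when that string is exactly one plain mailbox. The function names and sample values are constructed for illustration.

```javascript
// Added illustration, not the EasyApache patch. All names are hypothetical.

// Allow-list for exactly one mailbox: local part, one "@", dotted domain.
// Characters that start or separate mailto parameters or extra recipients
// ("?", "&", ",", ";", "%"), whitespace, quotes and angle brackets are all
// outside the allowed set, so they cause rejection rather than rewriting.
const SINGLE_MAILBOX =
  /^[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+$/;

// Returns the address if it is a single plain mailbox, otherwise null.
function sanitizeWebmasterEmail(raw) {
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  if (value.length > 254) return null;
  return SINGLE_MAILBOX.test(value) ? value : null;
}

// Escapes a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the "Contact WebMaster" markup. When the address does not validate,
// no link is produced and plain fallback text is returned instead.
function contactLink(rawEmail, fallbackText = "the site administrator") {
  const email = sanitizeWebmasterEmail(rawEmail);
  if (email === null) return fallbackText;
  // Percent-encode the address, keeping the "@" readable.
  const href = "mailto:" + encodeURIComponent(email).replace(/%40/g, "@");
  return `<a href="${escapeAttr(href)}">Contact WebMaster</a>`;
}

// Constructed sample inputs: one valid address and three rejected shapes.
const samples = [
  "webmaster@example.com",
  "webmaster@example.com?cc=other@example.net&subject=hi",
  "a@example.com,b@example.net",
  'x@example.com"><b>',
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", contactLink(s));
}
```

Rejecting a value that fails validation, instead of trying to strip the offending characters, avoids having to reason about what a partially cleaned address would mean to a mail client.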
Changes in this build
ea-nginx
Previous Version: v1.29.3
New Version: v1.29.4
Case: EA-13286 / CPANEL-50596
Changes: Update ea-nginx from v1.29.3 to v1.29.4; add support for lsapi to nginx standalone
ea-ruby27-passenger
Previous Version: v6.1.0
New Version: v6.1.1
Case: EA-13307
Changes: Update ea-ruby27-passenger from v6.1.0 to v6.1.1
ea-passenger-src
Previous Version: v6.1.0
New Version: v6.1.1
Case: EA-13306
ea-apache24-mod-passenger
Case: EA4-223
Changes: Move A10 host-flag-support from Apache to src ball (benefits NGINX without duplicating efforts)
ea-nginx-passenger
Case: EA4-223
Changes: Move out of experimental and no longer require Apache
ea-memcached16
Previous Version: v1.6.39
New Version: v1.6.40
Case: EA-13293
ea-scl-sourceguardian
Previous Version: v16.0.4
New Version: v17.0.0
Case: EA-13289
ea-documentroot (SECURITY)
Case: CPANEL-47168 / SEC-68753
Changes:
SECURITY: Sanitize webmaster error email to prevent XSS and email injection attacks
Fixed vulnerability allowing attackers to manipulate email parameters on 404 error page