The cPanel team has officially released an update for EasyApache 4. This update includes a number of security updates for PHP versions 7.1.27, 7.2.16, and 7.3.3, as well as OpenSSL version 1.0.2r, and the addition of PassengerNodejs to passenger_apps.default. In preparation for the eventual release of cPanel & WHM Version 80, the cPanel team has also added ea-nodejs10.
EasyApache 4 has updated RPMs, including updated versions of PHP (7.1.27, 7.2.16, and 7.3.3) and OpenSSL (1.0.2r). Unless you have enabled automatic cron job updates, please make sure to update your system with either yum update or WHM’s Run System Update interface.
Changelog
ea-apache2
- EA-8279: Remove noreplace from old EA3 config file in ea-apache24.spec
ea-openssl
- EA-8265: Update OpenSSL to version 1.0.2r, drop 1.0.2q (with fix for CVE-2019-1559)
scl-php71
- EA-8267: Update PHP 7.1 to version 7.1.27, drop 7.1.26 (with fixes for CVE-2019-9637, CVE-2019-9641, CVE-2019-9640, CVE-2019-9638, and CVE-2019-9639)
scl-php71-meta
- EA-8267: Update PHP 7.1 to version 7.1.27, drop 7.1.26
scl-php72
- EA-8271: Update PHP 7.2 to version 7.2.16, drop 7.2.15 (with fixes for CVE-2019-9637, CVE-2019-9641, CVE-2019-9640, CVE-2019-9638, and CVE-2019-9639)
scl-php72-meta
- EA-8271: Update PHP 7.2 to version 7.2.16, drop 7.2.15
scl-php73
- EA-8275: Update PHP 7.3 to version 7.3.3, drop 7.3.2 (with fixes for CVE-2019-9637, CVE-2019-9641, CVE-2019-9640, CVE-2019-9638, and CVE-2019-9639)
scl-php73-meta
- EA-8275: Update PHP 7.3 to version 7.3.3, drop 7.3.2
scl-ruby24-passenger
- EA-8238: Add PassengerNodejs to passenger_apps.default
ea-nodejs10
- EA-8125: Move ea-nodejs10 into production
Security Patches
This release includes security patches that have been issued for common vulnerabilities and exposures (CVEs), the details of which are included below.
Affected versions
- All versions of PHP 7.1 through 7.1.26
- All versions of PHP 7.2 through 7.2.15
- All versions of PHP 7.3 through 7.3.2
- All versions of OpenSSL 1.0.2 through 1.0.2q
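To check an inventory against the ranges above, the following added example (not cPanel's code) classifies upstream PHP and OpenSSL version strings as affected or fixed. The host names and sample rows are constructed, and the input is assumed to be the upstream version rather than a distribution package release that may carry backported fixes.

```python
import re

# Fixed releases from the "Affected versions" list above, keyed by (product, branch).
FIXED = {
    ("php", "7.1"): "7.1.27",
    ("php", "7.2"): "7.2.16",
    ("php", "7.3"): "7.3.3",
    ("openssl", "1.0.2"): "1.0.2r",
}


def parse(product, version):
    """Split an upstream version string into (branch, sortable key).

    Pre-release or otherwise unrecognised strings (e.g. '7.3.3RC1') raise
    ValueError instead of being silently classified.
    """
    if product == "php":
        m = re.match(r"(\d+\.\d+)\.(\d+)(?!\w)", version)
        if m:
            # Compare the patch level as an integer: 9 < 16, unlike "9" < "16".
            return m.group(1), int(m.group(2))
    elif product == "openssl":
        m = re.match(r"(\d+\.\d+\.\d+)([a-z]*)(?!\w)", version)
        if m:
            # Letter releases sort '' < 'a' < ... < 'z' < 'za': length first, then text.
            return m.group(1), (len(m.group(2)), m.group(2))
    raise ValueError(f"unrecognised {product} version: {version!r}")


def status(product, version):
    """Return 'affected', 'fixed', or 'not-listed' for one installed version."""
    branch, key = parse(product, version)
    fixed = FIXED.get((product, branch))
    if fixed is None:
        return "not-listed"  # branch is outside the ranges this announcement covers
    return "affected" if key < parse(product, fixed)[1] else "fixed"


def audit(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if status(row[1], row[2]) == "affected"]


# Constructed sample inventory (hypothetical host names), not real data.
SAMPLE = [
    ("web01", "php", "7.1.26"), ("web01", "openssl", "1.0.2q"),
    ("web02", "php", "7.2.16"), ("web02", "php", "7.3.2"),
    ("web03", "php", "5.6.40"), ("web03", "openssl", "1.0.2r"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE):
        print(f"{host}: {product} {version} is affected, update required")
```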
Security Rating
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
CVE-2019-9637 – High
- PHP 7.1.27; Fixed bug in Core module related to CVE-2019-9637
- PHP 7.2.16; Fixed bug in Core module related to CVE-2019-9637
- PHP 7.3.3; Fixed bug in Core module related to CVE-2019-9637
CVE-2019-9641 – Critical
- PHP 7.1.27; Fixed bug in Exif module related to CVE-2019-9641
- PHP 7.2.16; Fixed bug in Exif module related to CVE-2019-9641
- PHP 7.3.3; Fixed bug in Exif module related to CVE-2019-9641
CVE-2019-9640 – Critical
- PHP 7.1.27; Fixed bug in Exif module related to CVE-2019-9640
- PHP 7.2.16; Fixed bug in Exif module related to CVE-2019-9640
- PHP 7.3.3; Fixed bug in Exif module related to CVE-2019-9640
CVE-2019-9638 – Critical
- PHP 7.1.27; Fixed bug in Exif module related to CVE-2019-9638
- PHP 7.2.16; Fixed bug in Exif module related to CVE-2019-9638
- PHP 7.3.3; Fixed bug in Exif module related to CVE-2019-9638
CVE-2019-9639 – Critical
- PHP 7.1.27; Fixed bug in Exif module related to CVE-2019-9639
- PHP 7.2.16; Fixed bug in Exif module related to CVE-2019-9639
- PHP 7.3.3; Fixed bug in Exif module related to CVE-2019-9639
CVE-2019-1559 – Medium
- OpenSSL 1.0.2r; Fixed bug related to CVE-2019-1559
This release also includes fixes for other security vulnerabilities; however, they have not been assigned numbers yet.
More Information
For more information about the security patches and their references, please make sure to see the official announcement page. For information about other releases, visit the 2019 EasyApache 4 Changelog and the EasyApache 4 Release Notes.