EasyApache July 26 2016 Maintenance Release

SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 on July 26, 2016, with PHP versions 5.5.38, 5.6.24, and 7.0.9. This release addresses vulnerabilities related to CVE-2016-5385, CVE-2016-6289, CVE-2016-5399, CVE-2016-6291, CVE-2016-6292, CVE-2016-6207, CVE-2016-6294, CVE-2016-6290, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297, CVE-2015-8879, and CVE-2016-6288. We strongly encourage all PHP 5.5 users to upgrade to version 5.5.38, all PHP 5.6 users to upgrade to version 5.6.24, and all PHP 7.0 users to upgrade to version 7.0.9.

AFFECTED VERSIONS

All versions of PHP 5.5 through version 5.5.37
All versions of PHP 5.6 through version 5.6.23
All versions of PHP 7.0 through version 7.0.8

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2016-5385 – HIGH
PHP 5.5.38
Fixed bug in CORE module related to CVE-2016-5385

PHP 5.6.24
Fixed bug in CORE module related to CVE-2016-5385

PHP 7.0.9
Fixed bug in CORE module related to CVE-2016-5385

CVE-2016-6289 – MEDIUM
PHP 5.5.38
Fixed bug in CORE module related to CVE-2016-6289

PHP 5.6.24
Fixed bug in CORE module related to CVE-2016-6289

PHP 7.0.9
Fixed bug in CORE module related to CVE-2016-6289

CVE-2016-5399 – MEDIUM
PHP 5.5.38
Fixed bug in bz2 function related to CVE-2016-5399

PHP 5.6.24
Fixed bug in bz2 function related to CVE-2016-5399

PHP 7.0.9
Fixed bug in bz2 function related to CVE-2016-5399

CVE-2016-6291 – MEDIUM
PHP 5.5.38
Fixed bug in Exif extension related to CVE-2016-6291

PHP 5.6.24
Fixed bug in Exif extension related to CVE-2016-6291

PHP 7.0.9
Fixed bug in Exif extension related to CVE-2016-6291

CVE-2016-6292 – MEDIUM
PHP 5.5.38
Fixed bug in Exif extension related to CVE-2016-6292

PHP 5.6.24
Fixed bug in Exif extension related to CVE-2016-6292

PHP 7.0.9
Fixed bug in Exif extension related to CVE-2016-6292

CVE-2016-6207 – MEDIUM
PHP 5.5.38
Fixed bug in GD library related to CVE-2016-6207

PHP 5.6.24
Fixed bug in GD library related to CVE-2016-6207

PHP 7.0.9
Fixed bug in GD library related to CVE-2016-6207

CVE-2016-6294 – MEDIUM
PHP 5.5.38
Fixed bug in Intl extension related to CVE-2016-6294

PHP 5.6.24
Fixed bug in Intl extension related to CVE-2016-6294

PHP 7.0.9
Fixed bug in Intl extension related to CVE-2016-6294

CVE-2016-6290 – MEDIUM
PHP 5.5.38
Fixed bug in CORE module related to CVE-2016-6290

PHP 5.6.24
Fixed bug in CORE module related to CVE-2016-6290

PHP 7.0.9
Fixed bug in Session module related to CVE-2016-6290

CVE-2016-6295 – MEDIUM
PHP 5.5.38
Fixed bug in SNMP extension related to CVE-2016-6295

PHP 5.6.24
Fixed bug in SNMP extension related to CVE-2016-6295

PHP 7.0.9
Fixed bug in SNMP extension related to CVE-2016-6295

CVE-2016-6296 – MEDIUM
PHP 5.5.38
Fixed bug in XMLRPC extension related to CVE-2016-6296

PHP 5.6.24
Fixed bug in XMLRPC extension related to CVE-2016-6296

PHP 7.0.9
Fixed bug in XMLRPC extension related to CVE-2016-6296

CVE-2016-6297 – MEDIUM
PHP 5.5.38
Fixed bug in Zip extension related to CVE-2016-6297

PHP 5.6.24
Fixed bug in Zip extension related to CVE-2016-6297

PHP 7.0.9
Fixed bug in Zip extension related to CVE-2016-6297

CVE-2015-8879 – HIGH
PHP 5.5.38
Fixed bug in ODBC function related to CVE-2015-8879

PHP 5.6.24
Fixed bug in ODBC function related to CVE-2015-8879

CVE-2016-6288 – MEDIUM
PHP 5.5.38
Fixed bug in CORE module related to CVE-2016-6288

SOLUTION
cPanel, Inc. has released updated RPMs for EasyApache 4 on July 26, 2016, with updated versions of PHP 5.5.38, 5.6.24, and 7.0.9. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.

REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5385
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6289
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5399
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6291
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6292
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6207
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6294
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6290
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6295
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6296
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6297
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6288
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8879
http://php.net/ChangeLog-5.php
http://www.php.net/ChangeLog-7.php

For the PGP-signed message, please see EA4 2016-7-26 CVE

SUMMARY
cPanel, Inc. has released EasyApache 3.34.3 with PHP versions 5.5.38 and 5.6.24. This release addresses vulnerabilities related to CVE-2016-5385. We strongly encourage all PHP 5.5 users to upgrade to version 5.5.38 and all PHP 5.6 users to upgrade to version 5.6.24.

AFFECTED VERSIONS

All versions of PHP 5.5 through version 5.5.37
All versions of PHP 5.6 through version 5.6.23

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2016-5385 – HIGH
PHP 5.5
Fixed bug in CORE module related to CVE-2016-5385

PHP 5.6
Fixed bug in CORE module related to CVE-2016-5385

CVE-2016-6289 – MEDIUM
PHP 5.5.38
Fixed bug in CORE module related to CVE-2016-6289

PHP 5.6.24
Fixed bug in CORE module related to CVE-2016-6289

CVE-2016-5399 – MEDIUM
PHP 5.5.38
Fixed bug in bz2 function related to CVE-2016-5399

PHP 5.6.24
Fixed bug in bz2 function related to CVE-2016-5399

CVE-2016-6291 – MEDIUM
PHP 5.5.38
Fixed bug in Exif extension related to CVE-2016-6291

PHP 5.6.24
Fixed bug in Exif extension related to CVE-2016-6291

CVE-2016-6292 – MEDIUM
PHP 5.5.38
Fixed bug in Exif extension related to CVE-2016-6292

PHP 5.6.24
Fixed bug in Exif extension related to CVE-2016-6292

CVE-2016-6207 – MEDIUM
PHP 5.5.38
Fixed bug in GD library related to CVE-2016-6207

PHP 5.6.24
Fixed bug in GD library related to CVE-2016-6207

CVE-2016-6294 – MEDIUM
PHP 5.5.38
Fixed bug in Intl extension related to CVE-2016-6294

PHP 5.6.24
Fixed bug in Intl extension related to CVE-2016-6294

CVE-2016-6290 – MEDIUM
PHP 5.5.38
Fixed bug in CORE module related to CVE-2016-6290

PHP 5.6.24
Fixed bug in CORE module related to CVE-2016-6290

CVE-2016-6295 – MEDIUM
PHP 5.5.38
Fixed bug in SNMP extension related to CVE-2016-6295

PHP 5.6.24
Fixed bug in SNMP extension related to CVE-2016-6295

CVE-2016-6296 – MEDIUM
PHP 5.5.38
Fixed bug in XMLRPC extension related to CVE-2016-6296

PHP 5.6.24
Fixed bug in XMLRPC extension related to CVE-2016-6296

CVE-2016-6297 – MEDIUM
PHP 5.5.38
Fixed bug in Zip extension related to CVE-2016-6297

PHP 5.6.24
Fixed bug in Zip extension related to CVE-2016-6297

CVE-2015-8879 – HIGH
PHP 5.5.38
Fixed bug in ODBC function related to CVE-2015-8879

PHP 5.6.24
Fixed bug in ODBC function related to CVE-2015-8879

CVE-2016-6288 – MEDIUM
PHP 5.5.38
Fixed bug in CORE module related to CVE-2016-6288

SOLUTION
cPanel, Inc. has released EasyApache 3.34.3 with updated versions of PHP 5.5.38 and 5.6.24. Unless you have disabled EasyApache updates, the EasyApache application updates to the latest version when launched. Run EasyApache to rebuild your profile with the latest version of PHP.
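
After updating under either SOLUTION section (EasyApache 4 or EasyApache 3), the version a PHP binary reports can be checked against the fixed releases listed above. The script below is an added example, not cPanel's own tooling; the function names and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PHP version against the fixed releases named in
# this advisory (5.5.38, 5.6.24, 7.0.9). Function names are hypothetical.

# Print the first fixed release for a branch such as "5.6", or nothing when
# the advisory does not cover that branch.
fixed_release() {
    case "$1" in
        5.5) echo 5.5.38 ;;
        5.6) echo 5.6.24 ;;
        7.0) echo 7.0.9 ;;
    esac
}

# php_status VERSION prints: affected | fixed | not-covered | invalid
php_status() {
    ver=${1%%[!0-9.]*}            # drop packaging suffixes such as "-1.el6"
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;  # require major.minor.patch
        *) echo invalid; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    fixed=$(fixed_release "$major.$minor")
    if [ -z "$fixed" ]; then
        echo not-covered          # branch not listed under AFFECTED VERSIONS
        return 0
    fi
    if [ "$patch" -lt "${fixed##*.}" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample versions. On a live host, pass the running version:
#   php_status "$(php -r 'echo PHP_VERSION;')"
for v in 5.5.37 5.6.24 7.0.8-1.el6 5.4.45; do
    printf '%-14s %s\n' "$v" "$(php_status "$v")"
done
```

A result of not-covered means only that the branch is outside the ranges this advisory lists, not that the build has been assessed.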

REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5385
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6289
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5399
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6291
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6292
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6207
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6294
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6290
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6295
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6296
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6297
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6288
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8879
http://php.net/ChangeLog-5.php

For the PGP-signed message, please see EA4 2016-7-26 CVE