(More) vulnerabilities
Email received a few minutes ago:
We are writing to let you know that a cPanel & WHM security patch is expected to be released on Wednesday, May 20 at 8am EST.
This release addresses vulnerabilities across versions of cPanel & WHM, including fixes for several vulnerabilities rated up to High severity.
All vulnerabilities were either responsibly disclosed by external researchers or identified internally by our security team. At this time, there are no known exploits or proof-of-concept code in the wild. To help protect customers prior to patch availability, technical details about vulnerabilities will be released alongside the patches.
Patch & Affected Versions
The patch will be available on Wednesday, May 20 at 8am EST and will be distributed through the standard cPanel automatic update process and through the manual update process. We strongly recommend performing a manual update once the patch is made available.
Versions Impacted:
86, 94, 102, 110, 110 (CL6), 118, 124, 126, 130, 132, 134, 136, 136 (WP2)
Prepare Now
- Identify affected servers. Review your servers on the affected versions above.
- Check the update configuration. For servers where automatic updates are disabled or version-pinned, review /etc/cpupdate.conf now so there are no delays when the patch lands.
- Brief your team. If your environment requires a maintenance window, notify the relevant people so they are ready to act.
- Manual update. To update impacted servers before an automatic update is triggered, run /scripts/upcp once the patch is made available.
- Note for CloudLinux 6 users. Before manually updating, set the update tier to the cl6110 branch.
- Watch for a follow-up email with exact patched versions and a link to all technical details in the support article.
We will follow up the moment the patch is live with full details and remediation steps.
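
A triage sketch for the first two "Prepare Now" steps, added here as an example (it is not part of the cPanel email or cPanel's own tooling). It assumes the installed version is recorded in /usr/local/cpanel/version, that UPDATES=daily in /etc/cpupdate.conf means automatic updates are on, and that a CPANEL= value starting with a digit is a version pin; the function names and action labels are hypothetical.

```shell
#!/bin/sh
# Affected major versions from the notice (CL6 and WP2 variants share 110 and 136).
AFFECTED="86 94 102 110 118 124 126 130 132 134 136"

# Print the last value set for KEY in a KEY=value file, whitespace stripped.
conf_get() {  # usage: conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '[:space:]'
}

# Reduce 11.110.0.50 or 110.0.50 to the major number 110.
major_of() {
    v=${1#11.}
    echo "${v%%.*}"
}

# Classify one server from its version string and update configuration.
triage() {  # usage: triage VERSION_STRING CONF_FILE
    major=$(major_of "$1")
    tier=$(conf_get "$2" CPANEL)
    updates=$(conf_get "$2" UPDATES)
    affected=no
    for m in $AFFECTED; do
        if [ "$m" = "$major" ]; then affected=yes; fi
    done
    # Assumption: only UPDATES=daily lets the patch arrive automatically.
    case $updates in daily) auto=yes ;; *) auto=no ;; esac
    # Assumption: a tier beginning with a digit is a version pin.
    case $tier in [0-9]*) pinned=yes ;; *) pinned=no ;; esac
    if [ "$affected" = no ]; then action=not-listed
    elif [ "$auto" = yes ] && [ "$pinned" = no ]; then action=ready
    else action=review-cpupdate-conf
    fi
    echo "major=$major affected=$affected auto=$auto pinned=$pinned action=$action"
}

if [ -r /usr/local/cpanel/version ] && [ -r /etc/cpupdate.conf ]; then
    triage "$(cat /usr/local/cpanel/version)" /etc/cpupdate.conf
else
    sample=$(mktemp)  # constructed sample, not a real server's file
    printf 'CPANEL=11.110\nUPDATES=manual\n' > "$sample"
    triage 11.110.0.50 "$sample"
    rm -f "$sample"
fi
```

A server reported as `ready` will receive the patch through automatic updates, but the notice still recommends running /scripts/upcp manually once the patch is available.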