SUMMARY

cPanel, L.L.C. has updated RPMs for EasyApache 4 with cURL version 7.62.0. This release addresses vulnerabilities related to CVE-2018-16839, CVE-2018-16840, and CVE-2018-16842. We strongly encourage all cURL users to update to version 7.62.0.

AFFECTED VERSIONS

All versions of cURL through cURL 7.61.0

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2018-16839 – MEDIUM

cURL 7.62.0

Fixed bug related to CVE-2018-16839

CVE-2018-16840 – MEDIUM

cURL 7.62.0

Fixed bug related to CVE-2018-16840

CVE-2018-16842 – MEDIUM

cURL 7.62.0

Fixed bug related to CVE-2018-16842

SOLUTION

cPanel, L.L.C. released updated RPMs for EasyApache 4 with cURL version 7.62.0 on November 7, 2018. Unless you have enabled automatic RPM updates in your cron, update your system with either the yum update command or WHM’s Run System Update interface.

REFERENCES

https://nvd.nist.gov/vuln/detail/CVE-2018-16839

https://nvd.nist.gov/vuln/detail/CVE-2018-16840

https://nvd.nist.gov/vuln/detail/CVE-2018-16842

https://curl.haxx.se/changes.html

For the PGP-signed message, please see EA 2018-11-7 signed.