  • [security] Fixed case CPANEL-27764: Update exim to 4.91-4.cp1170. Fixes CVE-2019-10149.




  • [security] Fixed case CPANEL-26536: Update dovecot to Fixes CVE-2019-7524.




  • [security] Fixed case SEC-477: Unsafe file operations as root in SSL certificate storage.
  • [security] Fixed case SEC-479: Local root via userdata cache misparsing.
  • [security] Fixed case SEC-480: Code execution via addforward API1 call.
  • [security] Fixed case SEC-481: Unsafe terminal capabilities determination using infocmp.
  • [security] Fixed case SEC-483: Open mail relay due to faulty domain redirect routing.
  • [security] Fixed case SEC-484: Limited file read as root via EXIM virtual_user_spam router.
  • [security] Fixed case SEC-487: Demo account code execution via securitypolicy.cgi.
  • [security] Fixed case SEC-493: Remote Stored XSS Vulnerability in BoxTrapper Queue Listing.




  • Fixed case CPANEL-19362: Add missing module load for Cpanel::Imports.
  • Fixed case CPANEL-20522: Maintenance: allow restarting outdated services to be disabled.
  • Fixed case CPANEL-20522: Create a standard place for disabling touch files.
  • Fixed case CPANEL-21260: Fix bug in date listing for LTS dropdown.
  • Fixed case CPANEL-21694: Ensure getconfiguredips recognizes IPs configured on loopback devices.
  • Fixed case CPANEL-22119: Fix handling of domlogs when changing the main domain rapidly.
  • Fixed case CPANEL-23980: Accommodate AutoSSL certificates from cPanel LLC CA.
  • Fixed case CPANEL-24716: Avoid replacing third-party hostname certs until expiration is imminent.
  • Fixed case CPANEL-24858: Fix phrasing for when a hostname certificate will expire soon.
  • Implemented case CPANEL-19603: Add a disable option to the restorepkg script.




  • [security] Fixed case SEC-415: Internal data disclosed to OpenID providers.
  • [security] Fixed case SEC-460: Demo accounts allowed to link with OpenID providers.
  • [security] Fixed case SEC-466: Arbitrary file read via Passenger adminbin.
  • [security] Fixed case SEC-473: Demo account limited arbitrary file write via DCV UAPI calls.
  • [security] Fixed case SEC-476: Limited file write as shared users during connection resets.
  • [security] Fixed case SEC-478: Userdata cache temporary file can conflict with domains.




  • [security] Fixed case CPANEL-23762: Update cpanel-perl-526 to 5.26.0-17.cp1170 for CVE-2018-18311, CVE-2018-12015, CVE-2018-18312, CVE-2018-18313, and CVE-2018-18314.