- [security] Fixed case CPANEL-27764: Update exim to 4.91-4.cp1170. Fixes CVE-2019-10149.
- [security] Fixed case CPANEL-26536: Update dovecot to 126.96.36.199-2. Fixes CVE-2019-7524.
- [security] Fixed case SEC-477: Unsafe file operations as root in SSL certificate storage.
- [security] Fixed case SEC-479: Local root via userdata cache misparsing.
- [security] Fixed case SEC-480: Code execution via addforward API1 call.
- [security] Fixed case SEC-481: Unsafe terminal capabilities determination using infocmp.
- [security] Fixed case SEC-483: Open mail relay due to faulty domain redirect routing.
- [security] Fixed case SEC-484: Limited file read as root via EXIM virtual_user_spam router.
- [security] Fixed case SEC-487: Demo account code execution via securitypolicy.cgi.
- [security] Fixed case SEC-493: Remote Stored XSS Vulnerability in BoxTrapper Queue Listing.
- Fixed case CPANEL-19362: Add missing module load for Cpanel::Imports.
- Fixed case CPANEL-20522: Maintenance: allow restarting outdated services to be disabled.
- Fixed case CPANEL-20522: Create a standard place for disabling touch files.
- Fixed case CPANEL-21260: Fix bug in date listing for LTS dropdown.
- Fixed case CPANEL-21694: Ensure getconfiguredips recognizes IPs configured on loopback devices.
- Fixed case CPANEL-22119: Fix handling of domlogs when changing the main domain rapidly.
- Fixed case CPANEL-23980: Accommodate AutoSSL certificates from cPanel LLC CA.
- Fixed case CPANEL-24716: Avoid replacing third party hostname certs until expiration is imminent.
- Fixed case CPANEL-24858: Fix phrasing for when a hostname certificate will expire soon.
- Implemented case CPANEL-19603: Add a disable option to the restorepkg script.
- [security] Fixed case SEC-415: Internal data disclosed to OpenID providers.
- [security] Fixed case SEC-460: Demo accounts allowed to link with OpenID providers.
- [security] Fixed case SEC-466: Arbitrary file read via Passenger adminbin.
- [security] Fixed case SEC-473: Demo account limited arbitrary file write via DCV UAPI calls.
- [security] Fixed case SEC-476: Limited file write as shared users during connection resets.
- [security] Fixed case SEC-478: Userdata cache temporary file can conflict with domains.
- [security] Fixed case CPANEL-23762: Update cpanel-perl-526 to 5.26.0-17.cp1170 for CVE-2018-18311, CVE-2018-12015, CVE-2018-18312, CVE-2018-18313, and CVE-2018-18314.