Bluehost Apache symlink race condition patch and cPanel / WHM

Hello,

I'm renting a Linode VPS, I've purchased a cPanel license from buycpanel.com and when I run the Security Advisor in cPanel, it shows the Bluehost Apache Symlink Race Protection patch has been installed.

I am running EasyApache 4, which doesn't seem to provide this patch. I did not install the patch. Buycpanel.com has said they didn't install it and that I should check with the hosting provider (Linode) to see if they did.

I've contacted cPanel and am waiting on a reply. I can't seem to figure out how this patch has gotten here. I'm running CentOS 7 right now and I ran:

yum info ea-apache24.x86_64

I see the EasyApache version of Apache is installed from the EA4 repository. I've checked /etc/yum.repos.d/EA4.repos and see the files are being pulled from cPanel:

[EA4]
name=EA4 ( EasyApache 4 )
mirrorlist=http://httpupdate.cpanel.net/ea4-c$releasever-$basearch-mirrorlist
gpgcheck=1
gpgkey=https://securedownloads.cpanel.net/cPanelPublicRPMKey.asc
enabled=1
cost=50

This makes me think the patch either had to have been installed by cPanel or there's some script that patches Apache whenever EA4 rebuilds it.

Does anyone have any ideas how this patch might have been installed on my server and how I'd go about removing it?

Thank you.

1 Reply

I wanted to update everyone on what I found.

The Bluehost symlink race condition patch is shipped with the Apache that comes with EA4 (EasyApache 4) with cPanel. It's not active by default and there are no options in cPanel 60 to turn it on or off. That option is in cPanel 62. I believe the patch can manually be turned on or off by adding something like this to /etc/apache2/conf/httpd.conf:

SymlinkProtect On

SymlinkProtectRoot /var/www/html

The Security Advisor check checks the Apache binary, httpd, for the SPT_DOCROOT string, and if it finds it, it falsely assumes the patch is active. Because the Bluehost patch has been applied to the Apache binary that ships with EA4, it's creating a false positive. The patch is installed, it's just not active.

They have a case number to fix the issue though, EA-5670. Once EA-5670 comes out, we shouldn't see the false positive anymore.

Thanks!

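The reply above describes why the advisor misfires: it only looks for the SPT_DOCROOT marker inside the httpd binary, which proves the patch was compiled in, not that it is enabled. The check a practitioner actually wants combines both signals. The script below is an added example, not code from the poster or from cPanel's Security Advisor; it assumes the marker string and the SymlinkProtect directive names exactly as they appear in the post, and it builds constructed stand-ins for the httpd binary and httpd.conf in a temporary directory so it runs offline (on a real server you would point it at /usr/sbin/httpd and /etc/apache2/conf/httpd.conf).

```shell
#!/bin/sh
# Added example: tell "symlink patch compiled in" apart from "symlink patch enabled".
# Assumptions (from the post): the patched binary contains the string SPT_DOCROOT,
# and the patch is switched on by "SymlinkProtect On" in httpd.conf.

# Exit 0 if the binary carries the SPT_DOCROOT marker (patch compiled in).
# -a treats the binary as text so grep does not stop at the first NUL byte.
patch_compiled_in() {
    grep -aq 'SPT_DOCROOT' "$1"
}

# Exit 0 if the config has an uncommented "SymlinkProtect On" directive.
# Apache directives are case-insensitive, hence -i; leading whitespace is allowed,
# but a line starting with '#' is a comment and must not count.
patch_enabled_in_conf() {
    grep -Eiq '^[[:space:]]*SymlinkProtect[[:space:]]+On([[:space:]]|$)' "$1"
}

# Print one of: absent | installed-inactive | active
symlink_patch_status() {
    bin="$1"
    conf="$2"
    if ! patch_compiled_in "$bin"; then
        echo "absent"
    elif patch_enabled_in_conf "$conf"; then
        echo "active"
    else
        echo "installed-inactive"
    fi
}

# Build constructed sample files (NOT real cPanel artifacts) and print the directory.
make_samples() {
    sdir=$(mktemp -d)
    # Constructed stand-ins for /usr/sbin/httpd: filler bytes with and without the marker.
    printf 'ELF\0filler\0SPT_DOCROOT\0more filler\n' > "$sdir/httpd-patched"
    printf 'ELF\0filler\0DocumentRoot\0more filler\n' > "$sdir/httpd-plain"
    # Constructed httpd.conf where the directive is present but commented out.
    cat > "$sdir/httpd-inactive.conf" <<'EOF'
# SymlinkProtect On
# SymlinkProtectRoot /var/www/html
DocumentRoot "/var/www/html"
EOF
    # Constructed httpd.conf where the directive is actually enabled.
    cat > "$sdir/httpd-active.conf" <<'EOF'
SymlinkProtect On
SymlinkProtectRoot /var/www/html
EOF
    echo "$sdir"
}

# Stand-alone demo: report every combination so the false-positive case is visible.
demo_dir=$(make_samples)
for bin in httpd-plain httpd-patched; do
    for conf in httpd-inactive.conf httpd-active.conf; do
        printf '%-14s + %-21s -> %s\n' "$bin" "$conf" \
            "$(symlink_patch_status "$demo_dir/$bin" "$demo_dir/$conf")"
    done
done
rm -rf "$demo_dir"
```

The "installed-inactive" result is exactly the state the reply describes for a stock EA4 build: the advisor's binary-only test reports it as protected, while the config shows nothing is enforced. Checking the running configuration is what closes that gap.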