Dotable - the home of "No worries" hosting!  
 
Old 7th March 2008, 01:27 PM   #11 (permalink)
Current Location: Mars :)
 
Join Date: Jun 2006
Posts: 259

Bob, I don't really care who found it first, it's totally and utterly irrelevant.

Is the fix available like Cpanel says in their blog post yesterday?
If so please get it installed.
__________________
Cheers,
James
Old 7th March 2008, 02:16 PM   #12 (permalink)
Member
 
Join Date: Jun 2006
Posts: 61

It's not unknown for CPanel patches to be reissued once or twice to fix additional issues they missed the first time. With something as severe as a published root exploit I'd rather see Horde remain offline until the patch is 100% proven.

Thanks Steve and Bob for the quick action.
Old 7th March 2008, 02:21 PM   #13 (permalink)
Dotable Founder
 
Join Date: Mar 2005
Location: Land down under
Posts: 3,687

James,

That was posted today only a few hours ago on the cpanel security blog, and no, we won't be rushing to upgrade all cpanels across our server fleet to EDGE release for the Horde fix. Steve will make a call on this shortly and make the appropriate announcement, but for now Horde will remain deactivated until we are 100% certain that the fix provided by cpanel works.

You are quite welcome to reactivate Horde in your VPS by upgrading Cpanel to their suggested EDGE release. I wouldn't rush this though, given this was a root breach but it's your call but we will accept no responsibility if your VPS is root breached.

Due to the severity of the breach (root breach) we acted quickly and let as many other hosts know too, yet at the same time being careful not to make public specific details about the actual exploit.
Old 7th March 2008, 02:24 PM   #14 (permalink)
Dotable Founder
 
Join Date: Mar 2005
Location: Land down under
Posts: 3,687

Quote:
Originally Posted by foobic View Post
It's not unknown for CPanel patches to be reissued once or twice to fix additional issues they missed the first time. With something as severe as a published root exploit I'd rather see Horde remain offline until the patch is 100% proven.

Thanks Steve and Bob for the quick action.

No worries. We will take the safe path given the severity of this root breach.
Old 7th March 2008, 05:13 PM   #15 (permalink)
Current Location: Mars :)
 
Join Date: Jun 2006
Posts: 259

Quote:
Originally Posted by Aussie Bob View Post
James,

That was posted today only a few hours ago on the cpanel security blog, and no, we won't be rushing to upgrade all cpanels across our server fleet to EDGE release for the Horde fix. Steve will make a call on this shortly and make the appropriate announcement, but for now Horde will remain deactivated until we are 100% certain that the fix provided by cpanel works.

You are quite welcome to reactivate Horde in your VPS by upgrading Cpanel to their suggested EDGE release. I wouldn't rush this though, given this was a root breach but it's your call but we will accept no responsibility if your VPS is root breached.

Due to the severity of the breach (root breach) we acted quickly and let as many other hosts know too, yet at the same time being careful not to make public specific details about the actual exploit.

Hello Bob,
I'm not subscribed to all Cpanel's bumpf so I'm just commenting on what info I can find.
Most specifically in that blog post: "The builds will be available to all other update servers within one hour of this posting." and "The patch will be available in builds 11.18.2 and greater".

Which was yesterday.
11.18 isn't the edge release?

What are we waiting for then exactly? I'm lost.
Are we waiting for the next secure upgrade of Cpanel... which could be what, weeks/months away?
__________________
Cheers,
James
Old 7th March 2008, 06:30 PM   #16 (permalink)
Dotable
 
Join Date: Jun 2006
Location: Auckland
Posts: 1,402

James,

If you want Horde re-activating on your VPS, just drop a ticket into the helpdesk. Ranting here isn't doing anyone any good.

Horde will be turned back on, on our servers when we verify everything is fixed. If you want to opt out of us acting upon your behalf and disabling root exploits on your VPS, let us know that in the ticket as well.
__________________
Dotable - The home of "No Worries" hosting.
VPS ? Centos, Windows or Debian - Your choice
PHP5 ? Yes we do! ClientExec? No Worries!
Do We Ride the Rails? Yes we do!
Move your sites to Dotable ? Yes we will!
Old 7th March 2008, 08:26 PM   #17 (permalink)
Current Location: Mars :)
 
Join Date: Jun 2006
Posts: 259

Hello Steve,
All I'm asking is that you should really give more information; it doesn't take 20 seconds to type a reason, and to pull the plug and give nothing I think is unacceptable.
I should not have to go searching the net for possible information and explanations as to your actions because you haven't given basic information.
I have no problem with you shutting the whole server down for days on end as long as you tell us why, and when it will be back up.

Simple communication, mate.
__________________
Cheers,
James
Old 7th March 2008, 09:09 PM   #18 (permalink)
Dotable
 
Join Date: Jun 2006
Location: Auckland
Posts: 1,402

Horde webmail is patched and now turned back on.
Old 7th March 2008, 09:51 PM   #19 (permalink)
Dotable Founder
 
Join Date: Mar 2005
Location: Land down under
Posts: 3,687

Quote:
Originally Posted by Reesy View Post
Hello Steve,
All I'm asking is that you should really give more information; it doesn't take 20 seconds to type a reason, and to pull the plug and give nothing I think is unacceptable.

It's very sensitive, especially when this is a root breach. I'm not sure you're grasping the severity of this exploit. We're not talking about a small exploit here, but an exploit that gives full root access to the server. We can't say too much as this could put other hosts at risk who haven't disabled Horde.

Steve's not going to go into detail about the exploit, as this would be very careless and irresponsible, so there are good reasons for him saying as little as possible about the exploit. I'm sure you can appreciate a certain amount of discretion in a situation such as this.

Anyhoooo, Steve's comfortable with their patch and Horde has now been reactivated across our server fleet so I'm closing this thread.
All times are GMT +10.