In January 2015, Red Hat Product Security addressed the CVE-2015-0204 vulnerability in OpenSSL with this advisory: RHSA-2015-0066. The vulnerability was rated as
having a Moderate impact. This vulnerability is now being referred to as FREAK in the press.

Background Information

OpenSSL clients accepted EXPORT-grade (insecure) keys even when the client had not initially asked for them. This could be exploited using a man-in-the-middle attack,
which would intercept the client's initial request for a standard key and ask the server for an EXPORT-grade key. The client would then accept the weak key, allowing
the attacker to factor it and decrypt communication between the client and the server.

Impact

While the use of EXPORT-grade ciphers is disabled by default in OpenSSL shipped with the latest versions of Red Hat Enterprise Linux (6.6 and 7.0), it can be enabled
by applications that utilize the OpenSSL library. For this reason, the vulnerability is considered to affect all Red Hat Enterprise Linux 6 and 7 systems, including
the Server, Workstation, Desktop, and HPC Node variants, that have not installed the fixed version of OpenSSL packages.

The version of OpenSSL shipped with Red Hat Enterprise Linux 5 is also affected. As Red Hat Enterprise Linux 5 is now in the Production 3 phase of the support and
maintenance life cycle, during which only Critical security advisories are provided, this issue is currently not planned to be addressed in future updates.

Resolution

To eliminate the possibility of exploitation, install the updated OpenSSL packages that have been made available through this advisory: RHSA-2015-0066.

To install the updates, use the yum package manager as follows:

yum update

To only update the OpenSSL package and its dependencies, use:

yum update openssl

We have deployed updates to all servers which has ntServerGuard installed. Servers without ntServerGuard are being patched/updated manually.

You can check the freak vulnerability using the following link "http://www.nagios.com/freak-vulnerability-tester"

If you find your server still has this vulnerability, please feel free to contact our support ASAP.

GHOST Vulnerability ( CVE-2015-0235 )

On 27 January 2015, a vulnerability in all versions of the GNU C library (glibc) was announced by Qualys. The issue was a buffer overflow during DNS hostname resolution. Disclosure of this issue was coordinated with the various operating system vendors and patches were made available by RedHat soon after the initial announcement went out.

Impact
According to Qualys, this vulnerability allows unauthenticated remote code execution in any daemons or services that perform hostname lookups using the vulnerable functions in the GNU C library. This library is at the core of most services and software that runs on Linux systems

The updated RPMs provided by RedHat, CentOS and CloudLinux should contain a changelog entry with the CVE number. You can check for this changelog entry with the following command:

rpm -q --changelog glibc | grep CVE-2015-0235

Please read more about this at the following URLs.

https://documentation.cpanel.net/display/CKB/CVE-2015-0235+GHOST

http://www.openwall.com/lists/oss-security/2015/01/27/9
https://rhn.redhat.com/errata/RHSA-2015-0090.html
https://rhn.redhat.com/errata/RHSA-2015-0092.html
http://cloudlinux.com/blog/clnews/glibc-ghost-remote-vulnerability-cve20150235.php

We have deployed updates to all servers which has ntServerGuard installed. Servers without ntServerGaurd are being patched/updated manually.

If you find your server still has this vulnerability, please feel free to contact our support team ASAP.

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

Please read more about this at the following URLs.

https://access.redhat.com/node/1232123

http://www.percona.com/blog/2014/10/15/how-to-close-poodle-sslv3-security-flaw-cve-2014-3566/

We have deployed configuration changes to all servers which has ntServerGuard installed to disable SSLv3. Servers without ntServerGaurd are being patched manually.

If you find your server still has this vulnerability, please feel free to contact our support team ASAP.

UPDATE

* Patched OpenSSL package is relased already. For cPanel servers, package will be updated along with UPCP. We have pushed the update via ntSG already. 

There is  a reported vulnerability for BASH on RHEL based distributions. This affetcs the following versions 

Red Hat Enterprise Linux 4/5/6/7

CentOS 4/5/6/7

Please read more about it at https://access.redhat.com/articles/1200223

We have pushed the patch for this vulnerability to whole servers that we directly manage via ntServerGuard. The patch will be applied to whole servers with ntServerGuard in next few hours. For servers running without ntServerGuard, we have pushed updates manually. If you notice BASH is older on your server, please feel free to contact support. 

PS :- We are aware that the security flaw is not completely fixed yet. We will keep an eye on it  and we will deploy the changes as soon as the update is available.

WHAT WE HAVE DONE TO THIS

===========================

1. Deployed the BASH update to all servers as soon as the initial patch was available

2. When news were coming out saying it was an incomplete patch, mod_sec rule recommended by RedHat was deployed via ntServerGuard to prevent exploit via HTTP

3. When complete fix was availale, pushed the update via ntServerGuard

There is a security update for OpenSSL, which is marked as critical and recoemmended to update as soon as possible. You can read more about this at http://www.openssl.org/news/secadv_20140605.txt.

All the servers which come under Per Server Managed Plan are patched already

We are now pushing updates to the other managed servers now. Please email support[at]nixtree.com, if you need to know whether the update has been pushed to your servers already.