PHP 5.3.12 and PHP 5.4.2 released

breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands


There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years.
http://www.php.net/archive/2012.php#id2012-05-03-1

I see 5.3.12 is already built for atomic: https://twitter.com/atomicturtle/status ... 4815770624
Lemonbit Internet Dedicated Server Management
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands


The 64-bit php-5.3.12-5.el5.art packages seem to depend on 32-bit packages:

# yum update php\*
Loaded plugins: allowdowngrade, changelog, fastestmirror, merge-conf, security
Loading mirror speeds from cached hostfile
 * atomic: www7.atomicorp.com
 * base: centos.mirror.transip.nl
 * epel: ftp.nluug.nl
 * extras: centos.mirror.transip.nl
 * rpmforge: archive.cs.uu.nl
 * updates: centos.mirror.transip.nl
Excluding Packages from CentOS / Red Hat Enterprise Linux 5 - atomicrocketturtle.com
Finished
Reducing ATrpms - x86_64 to included packages only
Finished
Excluding Packages from Extra Packages for Enterprise Linux 5 - x86_64
Finished
Reducing RHEL 5 - RPMforge.net - dag to included packages only
Finished
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
--> Processing Dependency: php = 5.3.10 for package: php-eaccelerator
---> Package php.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-bcmath.x86_64 0:5.3.12-5.el5.art set to be updated
--> Processing Dependency: php-cli = 5.3.10-5.el5.art for package: php
---> Package php-cli.x86_64 0:5.3.12-5.el5.art set to be updated
--> Processing Dependency: php-common = 5.3.10-5.el5.art for package: php-cli
--> Processing Dependency: php-common = 5.3.10-5.el5.art for package: php
---> Package php-common.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-devel.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-gd.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-imap.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-mbstring.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-mcrypt.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-mysql.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-pdo.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-soap.x86_64 0:5.3.12-5.el5.art set to be updated
---> Package php-xml.x86_64 0:5.3.12-5.el5.art set to be updated
--> Running transaction check
---> Package php.i386 0:5.3.10-5.el5.art set to be updated
--> Processing Dependency: libm.so.6(GLIBC_2.1) for package: php
--> Processing Dependency: libc.so.6(GLIBC_2.4) for package: php
--> Processing Dependency: libgssapi_krb5.so.2 for package: php
--> Processing Dependency: libm.so.6(GLIBC_2.0) for package: php
--> Processing Dependency: libbz2.so.1 for package: php
--> Processing Dependency: libdl.so.2(GLIBC_2.1) for package: php
--> Processing Dependency: libc.so.6(GLIBC_2.1.3) for package: php
--> Processing Dependency: libnsl.so.1 for package: php
--> Processing Dependency: libm.so.6 for package: php
--> Processing Dependency: libc.so.6(GLIBC_2.2) for package: php
--> Processing Dependency: libgmp.so.3 for package: php
--> Processing Dependency: libncurses.so.5 for package: php
--> Processing Dependency: libz.so.1 for package: php
--> Processing Dependency: libc.so.6(GLIBC_2.1) for package: php
--> Processing Dependency: libc.so.6 for package: php
--> Processing Dependency: libpthread.so.0(GLIBC_2.0) for package: php
--> Processing Dependency: libedit.so.0 for package: php
--> Processing Dependency: libpthread.so.0 for package: php
--> Processing Dependency: libc.so.6(GLIBC_2.3) for package: php
--> Processing Dependency: libdl.so.2 for package: php
--> Processing Dependency: libcrypt.so.1 for package: php
--> Processing Dependency: libc.so.6(GLIBC_2.3.4) for package: php
--> Processing Dependency: libk5crypto.so.3 for package: php
--> Processing Dependency: libc.so.6(GLIBC_2.2.3) for package: php
--> Processing Dependency: libssl.so.6 for package: php
--> Processing Dependency: libc.so.6(GLIBC_2.1.2) for package: php
--> Processing Dependency: libcom_err.so.2 for package: php
--> Processing Dependency: libcrypto.so.6 for package: php
--> Processing Dependency: libc.so.6(GLIBC_2.0) for package: php
--> Processing Dependency: librt.so.1 for package: php
--> Processing Dependency: libxml2.so.2 for package: php
--> Processing Dependency: libpthread.so.0(GLIBC_2.2) for package: php
--> Processing Dependency: libdl.so.2(GLIBC_2.0) for package: php
--> Processing Dependency: libkrb5.so.3 for package: php
---> Package php-cli.i386 0:5.3.10-5.el5.art set to be updated
---> Package php-common.i386 0:5.3.10-5.el5.art set to be updated
--> Processing Dependency: libcurl.so.3 for package: php-common
--> Processing Dependency: libidn.so.11 for package: php-common
--> Running transaction check
---> Package bzip2-libs.i386 0:1.0.3-6.el5_5 set to be updated
---> Package curl.i386 0:7.15.5-15.el5 set to be updated
---> Package e2fsprogs-libs.i386 0:1.39-33.el5 set to be updated
--> Processing Dependency: libdevmapper.so.1.02 for package: e2fsprogs-libs
---> Package glibc.i686 0:2.5-81.el5_8.2 set to be updated
---> Package gmp.i386 0:4.1.4-10.el5 set to be updated
--> Processing Dependency: libgcc_s.so.1 for package: gmp
--> Processing Dependency: libstdc++.so.6(CXXABI_1.3) for package: gmp
--> Processing Dependency: libgcc_s.so.1(GCC_3.0) for package: gmp
--> Processing Dependency: libstdc++.so.6 for package: gmp
--> Processing Dependency: libstdc++.so.6(GLIBCXX_3.4) for package: gmp
---> Package krb5-libs.i386 0:1.6.1-70.el5 set to be updated
--> Processing Dependency: libkeyutils.so.1 for package: krb5-libs
--> Processing Dependency: libselinux.so.1 for package: krb5-libs
--> Processing Dependency: libkeyutils.so.1(KEYUTILS_0.3) for package: krb5-libs
---> Package libedit.i386 0:3.0-2.20090923cvs.el5.art set to be updated
---> Package libidn.i386 0:0.6.5-1.1 set to be updated
---> Package libxml2.i386 0:2.6.26-2.1.15.el5_8.2 set to be updated
---> Package ncurses.i386 0:5.5-24.20060715 set to be updated
---> Package openssl.i686 0:0.9.8e-22.el5_8.3 set to be updated
---> Package zlib.i386 0:1.2.3-4.el5 set to be updated
--> Running transaction check
---> Package device-mapper.i386 0:1.02.67-2.el5 set to be updated
--> Processing Dependency: libsepol.so.1 for package: device-mapper
---> Package keyutils-libs.i386 0:1.2-1.el5 set to be updated
---> Package libgcc.i386 0:4.1.2-52.el5 set to be updated
---> Package libselinux.i386 0:1.33.4-5.7.el5 set to be updated
---> Package libstdc++.i386 0:4.1.2-52.el5 set to be updated
--> Running transaction check
---> Package libsepol.i386 0:2.0.36-1.el5.art set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package                      Arch                 Version                                  Repository             Size
========================================================================================================================
Updating:
 php                          x86_64               5.3.12-5.el5.art                         atomic                2.8 M
 php-bcmath                   x86_64               5.3.12-5.el5.art                         atomic                 40 k
 php-cli                      x86_64               5.3.12-5.el5.art                         atomic                2.6 M
 php-common                   x86_64               5.3.12-5.el5.art                         atomic                1.0 M
 php-devel                    x86_64               5.3.12-5.el5.art                         atomic                1.3 M
 php-gd                       x86_64               5.3.12-5.el5.art                         atomic                208 k
 php-imap                     x86_64               5.3.12-5.el5.art                         atomic                 88 k
 php-mbstring                 x86_64               5.3.12-5.el5.art                         atomic                2.3 M
 php-mcrypt                   x86_64               5.3.12-5.el5.art                         atomic                 47 k
 php-mysql                    x86_64               5.3.12-5.el5.art                         atomic                 95 k
 php-pdo                      x86_64               5.3.12-5.el5.art                         atomic                119 k
 php-soap                     x86_64               5.3.12-5.el5.art                         atomic                278 k
 php-xml                      x86_64               5.3.12-5.el5.art                         atomic                225 k
Installing for dependencies:
 bzip2-libs                   i386                 1.0.3-6.el5_5                            base                   37 k
 curl                         i386                 7.15.5-15.el5                            base                  235 k
 device-mapper                i386                 1.02.67-2.el5                            base                  799 k
 e2fsprogs-libs               i386                 1.39-33.el5                              base                  120 k
 glibc                        i686                 2.5-81.el5_8.2                           updates               5.3 M
 gmp                          i386                 4.1.4-10.el5                             base                  664 k
 keyutils-libs                i386                 1.2-1.el5                                base                   18 k
 krb5-libs                    i386                 1.6.1-70.el5                             base                  669 k
 libedit                      i386                 3.0-2.20090923cvs.el5.art                atomic                 80 k
 libgcc                       i386                 4.1.2-52.el5                             base                   97 k
 libidn                       i386                 0.6.5-1.1                                base                  194 k
 libselinux                   i386                 1.33.4-5.7.el5                           base                   77 k
 libsepol                     i386                 2.0.36-1.el5.art                         atomic                129 k
 libstdc++                    i386                 4.1.2-52.el5                             base                  363 k
 libxml2                      i386                 2.6.26-2.1.15.el5_8.2                    updates               797 k
 ncurses                      i386                 5.5-24.20060715                          base                  1.1 M
 openssl                      i686                 0.9.8e-22.el5_8.3                        updates               1.5 M
 php                          i386                 5.3.10-5.el5.art                         atomic                2.7 M
 php-cli                      i386                 5.3.10-5.el5.art                         atomic                2.6 M
 php-common                   i386                 5.3.10-5.el5.art                         atomic                992 k
 zlib                         i386                 1.2.3-4.el5                              base                   51 k

Transaction Summary
========================================================================================================================
Install      21 Package(s)
Upgrade      13 Package(s)

Total download size: 30 M
Is this ok [y/N]:
Lemonbit Internet Dedicated Server Management
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands


Ah, I guess that php-eaccelerator wasn't built for 5.3.12 yet; it's working fine now.
Lemonbit Internet Dedicated Server Management
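
The transaction shown above would have installed php.i386 5.3.10 alongside the updated x86_64 5.3.12 packages. As an added example (not part of the thread and not Atomicorp tooling), this Python script audits a yum "Dependencies Resolved" table for 32-bit packages and for older versions of packages that are being updated. The function names are hypothetical and the sample rows are abridged from the table in the post.

```python
import re

# Sample input: rows abridged from the transaction table in the post above.
SAMPLE = """\
Updating:
 php                          x86_64               5.3.12-5.el5.art                         atomic                2.8 M
 php-cli                      x86_64               5.3.12-5.el5.art                         atomic                2.6 M
Installing for dependencies:
 glibc                        i686                 2.5-81.el5_8.2                           updates               5.3 M
 php                          i386                 5.3.10-5.el5.art                         atomic                2.7 M
 php-cli                      i386                 5.3.10-5.el5.art                         atomic                2.6 M
"""

# One table row: name, arch, version, repository, size (e.g. "2.8 M").
ROW = re.compile(r"^\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+[\d.]+ [kMG]\s*$")
X86_32 = {"i386", "i486", "i586", "i686"}

def parse_transaction(text):
    """Return (section, name, arch, version, repo) for each table row."""
    rows, section = [], None
    for line in text.splitlines():
        if line.endswith(":") and not line.startswith(" "):
            section = line[:-1]          # "Updating", "Installing for dependencies"
        else:
            m = ROW.match(line)
            if m and section:
                rows.append((section,) + m.groups())
    return rows

def audit(text, native="x86_64"):
    """Flag dependency rows that are 32-bit or older than the update."""
    rows = parse_transaction(text)
    # Versions the native-arch packages are being updated to.
    updating = {name: ver for sec, name, arch, ver, _ in rows
                if sec == "Updating" and arch == native}
    findings = []
    for sec, name, arch, ver, _ in rows:
        if sec == "Updating":
            continue
        if native == "x86_64" and arch in X86_32:
            findings.append((name, arch, ver, "foreign-arch"))
        if name in updating and ver != updating[name]:
            findings.append((name, arch, ver, "stale-version"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A non-empty result is a reason to answer N at the prompt and look for a package that still pins the old version, as php-eaccelerator did here.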
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA


There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years.
http://www.php.net/archive/2012.php#id2012-05-03-1

ASL and real time rules users are immune to this vulnerability.