Suhosin

Support/Development for PHP
Imaging
Forum Regular
Posts: 333
Joined: Sat Sep 25, 2010 2:46 pm

Re: Suhosin

Thanks!
Imaging
Forum Regular
Posts: 333
Joined: Sat Sep 25, 2010 2:46 pm

Re: Suhosin

Scott:

One related question about the security issues addressed in 5.4.45. From an earlier PHP release (but after the 5.4.45 EOL release), there were:

Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (CVE-2015-7803)
Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (CVE-2015-7804)

related to phar. Did those impact the atomic 5.4.45 build (not sure if already patched)?

Thanks.
scott
Atomicorp Staff - Site Admin
Posts: 8330
Location: earth

Re: Suhosin

Yes, those are resolved as backports in both the 5.3 and 5.4 branches. In addition, there are 4 more vulnerabilities resolved that do not currently have a CVE number:

- Security fix PHP Bugid #70728
- Security fix PHP Bugid #70741
- Security fix PHP Bugid #70661
- Security fix PHP Bugid #70755 <- extremely serious.

This last issue, 70755, would allow a remote user to execute arbitrary code on a system configured to run PHP in FPM mode. The ASL kernel defends against all of the above mentioned bug IDs.

In addition, all 6 of the referenced security issues are not fixed in Red Hat/CentOS's distribution of PHP 5.3 (el6) or 5.4 (el7) at this time.
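A practical way to check which of the bug IDs and CVEs named in this thread a given PHP build actually carries is to grep the package changelog for them. The shell snippet below is an added example, not Atomicorp's or the poster's code: the bug and CVE list is taken from the thread, the sample changelog fed to it is constructed for illustration, and on a real el6/el7 host you would pipe `rpm -q --changelog php` into the same function instead.

```shell
#!/bin/sh
# Bug IDs and CVEs named in the thread (69720/70433 carry CVEs; the
# other four had no CVE assigned at the time of the post).
WANTED="69720 CVE-2015-7803 70433 CVE-2015-7804 70728 70741 70661 70755"

# check_fixes: reads changelog text on stdin and prints one line per
# identifier, "fixed <id>" or "MISSING <id>". Returns 0 only when every
# identifier in WANTED appears somewhere in the changelog.
check_fixes() {
    changelog=$(cat)
    missing=0
    for id in $WANTED; do
        if printf '%s\n' "$changelog" | grep -q -- "$id"; then
            echo "fixed $id"
        else
            echo "MISSING $id"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample changelog (NOT a real Atomicorp or Red Hat changelog):
# it mentions four of the eight identifiers, so four should be reported missing.
SAMPLE='* Thu Oct 22 2015 builder - 5.4.45-1
- Security fix PHP Bugid #70728
- Security fix PHP Bugid #70755
- Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()) (CVE-2015-7803)'

# count_missing: number of MISSING lines for the constructed sample.
count_missing() {
    printf '%s\n' "$SAMPLE" | check_fixes | grep -c MISSING
}

# Live usage on an RPM-based host (hypothetical package name "php"):
#   rpm -q --changelog php | check_fixes
printf '%s\n' "$SAMPLE" | check_fixes || echo "some fixes are not in this changelog"
```

The check is only as good as the vendor's changelog discipline: a backport that was applied silently will show as MISSING, and a changelog line that merely references a bug without fixing it will show as fixed, so treat the output as a prompt for a closer look rather than proof.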
Imaging
Forum Regular
Posts: 333
Joined: Sat Sep 25, 2010 2:46 pm

Re: Suhosin

Great, thanks for the information/clarification.