Suhosin
Re: Suhosin
Scott:
One related question about the security issues addressed in 5.4.45. From an earlier PHP release (but after the 5.4.45 EOL release), there was:
- Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (CVE-2015-7803)
- Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (CVE-2015-7804)
related to phar. Did those impact the atomic 5.4.45 build (not sure if already patched)?
Thanks.
- Atomicorp Staff - Site Admin
Re: Suhosin
Yes, those are resolved as backports in both the 5.3 and 5.4 branches. In addition, there are 4 more vulnerabilities resolved that do not currently have a CVE number:
- Security fix PHP Bugid #70728
- Security fix PHP Bugid #70741
- Security fix PHP Bugid #70661
- Security fix PHP Bugid #70755 <- extremely serious.
This last issue, 70755, would allow a remote user to execute arbitrary code on a system configured to run PHP in FPM mode. The ASL kernel defends against all of the above mentioned bug IDs.
In addition, all 6 of the referenced security issues are not fixed in Red Hat/CentOS's distribution of PHP 5.3 (el6) or 5.4 (el7) at this time.
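The question in this thread is whether a given PHP package build already carries specific backported fixes. One defender-side way to check that on an RPM-based host is to query the package changelog and look for each bug ID from the thread. The script below is an added example, not Atomicorp's or Red Hat's code; the changelog text in it is a constructed sample, not a real package's changelog, and the only real things it relies on are the six bug IDs quoted above and the standard `rpm -q --changelog` query.

```shell
#!/bin/sh
# Constructed sample of an rpm changelog excerpt (NOT a real Atomicorp or Red Hat changelog).
# It deliberately lists only four of the six fixes so the check has something to report.
SAMPLE_CHANGELOG='* Mon Oct 05 2015 Example Packager <packager@example.invalid> - 5.4.45-2
- Security fix PHP Bugid #69720 (CVE-2015-7803)
- Security fix PHP Bugid #70433 (CVE-2015-7804)
- Security fix PHP Bugid #70728
- Security fix PHP Bugid #70741'

# Bug IDs referenced in the thread: the two phar CVEs plus the four fixes without a CVE.
WANTED_IDS='69720 70433 70728 70741 70661 70755'

# missing_fixes: read a changelog on stdin and print each wanted bug ID that does not
# appear in it, one per line. A "#<id>" followed by a non-digit (or end of line) counts
# as a mention, so 70755 is not satisfied by an unrelated 707550.
missing_fixes() {
    changelog=$(cat)
    for id in $WANTED_IDS; do
        printf '%s\n' "$changelog" | grep -Eq "#${id}([^0-9]|$)" || printf '%s\n' "$id"
    done
}

# count_missing: number of wanted bug IDs absent from the changelog given on stdin.
count_missing() {
    missing_fixes | grep -c . || true
}

# Demo against the constructed sample. On a real RPM-based host you would instead run:
#   rpm -q --changelog php | missing_fixes
printf '%s\n' "$SAMPLE_CHANGELOG" | missing_fixes
```

A non-empty result means the package changelog does not mention that fix; treat that as "unverified" rather than "vulnerable", since a packager may describe a backport differently, and confirm against the vendor's advisory before deciding the host needs a different build.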
Re: Suhosin
Great, thanks for the information/clarification.