https://bugzilla.novell.com/show_bug.cgi?id=487627

User nbetcher@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=487627#c5

Summary: PHP out of date
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: i686
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Apache
AssignedTo: bnc-team-apache@forge.provo.novell.com
ReportedBy: nbetcher@gmail.com
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

openSUSE 11.1 does not contain the most recent version of php5. In fact, not even 'factory' has anything newer than 5.2.6. This poses a fairly large security problem for any openSUSE 11.1 server on the internet that is configured to use the LAMP setup, due to the fact that 5.2.x releases are primarily security updates. Additionally, apache2 is slightly out-of-date, but the security reports are not critical. Listed in the additional information section are the security reports from Nessus regarding the out-of-date PHP versions.

Reproducible: Always

Steps to Reproduce:
N/A

Actual Results:
Security vulnerabilities

Expected Results:
Faster minor/patch releases and slow major releases.

Less critical: PHP < 5.2.9 Multiple Vulnerabilities

Synopsis :
The remote web server uses a version of PHP that is affected by multiple flaws.

Description :
According to its banner, the version of PHP installed on the remote host is older than 5.2.9. Such versions may be affected by several security issues :

- Background color is not correctly validated with a non true color image in function 'imagerotate()'. (CVE-2008-5498)
- A denial of service condition can be triggered by trying to extract zip files that contain files with relative paths in file or directory names.
- Function 'explode()' is affected by an unspecified vulnerability.
- It may be possible to trigger a segfault by passing a specially crafted string to function 'json_decode()'.
- Function 'xml_error_string()' is affected by a flaw which results in messages being off by one.

See also :
http://news.php.net/php.internals/42762
http://www.php.net/releases/5_2_9.php
http://www.php.net/ChangeLog-5.php#5.2.9

Solution :
Upgrade to PHP version 5.2.9 or later.

Risk factor :
Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Plugin output :
PHP version 5.2.6 appears to be running on the remote host based on the following X-Powered-By response header :

X-Powered-By: PHP/5.2.6

CVE : CVE-2008-5498
BID : 33002, 33927
Other references : OSVDB:51031, Secunia:34081
Nessus ID : 35750

Critical: PHP 5 < 5.2.7 Multiple Vulnerabilities

Synopsis :
The remote web server uses a version of PHP that is affected by multiple flaws.

Description :
According to its banner, the version of PHP installed on the remote host is older than 5.2.7. Such versions may be affected by several security issues :

- File truncation can occur when calling 'dba_replace()' with an invalid argument.
- There is a buffer overflow in the bundled PCRE library fixed by 7.8. (CVE-2008-2371)
- A buffer overflow in the 'imageloadfont()' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is given. (CVE-2008-3658)
- There is a buffer overflow in PHP's internal function 'memnstr()', which is exposed to userspace as 'explode()'. (CVE-2008-3659)
- When used as a FastCGI module, PHP segfaults when opening a file whose name contains two dots (eg, 'file..php'). (CVE-2008-3660)
- Multiple directory traversal vulnerabilities in functions such as 'posix_access()', 'chdir()', 'ftok()' may allow a remote attacker to bypass 'safe_mode' restrictions. (CVE-2008-2665 and CVE-2008-2666)
- A buffer overflow may be triggered when processing long message headers in 'php_imap.c' due to use of an obsolete API call. (CVE-2008-2829)
- A heap-based buffer overflow may be triggered via a call to 'mb_check_encoding()', part of the 'mbstring' extension. (CVE-2008-5557)
- Missing initialization of 'BG(page_uid)' and 'BG(page_gid)' when PHP is used as an Apache module may allow for bypassing security restriction due to SAPI 'php_getuid()' overloading. (CVE-2008-5624)
- Incorrect 'php_value' order for Apache configuration may allow bypassing PHP's 'safe_mode' setting. (CVE-2008-5625)
- The ZipArchive:extractTo() method in the ZipArchive extension fails to filter directory traversal sequences from file names. (CVE-2008-5658)

See also :
http://securityreason.com/achievement_securityalert/57
http://securityreason.com/achievement_securityalert/58
http://securityreason.com/achievement_securityalert/59
http://www.sektioneins.de/advisories/SE-2008-06.txt
http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html
http://www.openwall.com/lists/oss-security/2008/08/08/2
http://www.openwall.com/lists/oss-security/2008/08/13/8
http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html
http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html
http://bugs.php.net/bug.php?id=42862
http://bugs.php.net/bug.php?id=45151
http://bugs.php.net/bug.php?id=45722
http://www.php.net/releases/5_2_7.php
http://www.php.net/ChageLog-5.php#5.2.7

Solution :
Upgrade to PHP version 5.2.8 or later. Note that 5.2.7 has been removed from distribution because of a regression in that version that results in the 'magic_quotes_gpc' setting remaining off even if it was set to on.
Risk factor :
High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Plugin output :
PHP version 5.2.6 appears to be running on the remote host based on the following X-Powered-By response header :

X-Powered-By: PHP/5.2.6

CVE : CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658
BID : 29796, 29797, 29829, 30087, 30649, 31612, 32383, 32625, 32688, 32948
Other references : OSVDB:46584, OSVDB:46638, OSVDB:46639, OSVDB:46641, OSVDB:46690, OSVDB:47796, OSVDB:47797, OSVDB:47798
Nessus ID : 35043