The maintainers of PHP have released two new versions of the scripting language that fix a number of bugs, including a pair of vulnerabilities related to OpenSSL. Versions 5.4.28 and 5.5.12 both contain that important patch, as well as fixes for more than a dozen other vulnerabilities.
The fix for the OpenSSL flaws is in both PHP 5.4.28 and 5.5.12. Both versions also include a slew of other bug fixes, one of which is for CVE-2014-0185, a privilege escalation flaw. The bug could allow an attacker to run arbitrary code in some situations.
“Both default config and compiled-in defaults of sapi/fpm lead to configurations which easily allow any user with rights to connect to a UNIX socket to run arbitrary code with the permissions of the fpm user,” a description of the bug says.
“A typical scenario for this issue:
- shared hosting environment with multiple fpm pools, running with different permissions (user1, user2, …)
- user1 can easily run code as user2 by pretending to be a FastCGI client and connecting to (e.g.) /var/run/php-fpm.user1.sock.”
Users of either version of PHP are encouraged to update to the fixed packages as soon as possible to protect themselves against potential attacks.
This story was updated on May 2 to clarify the OpenSSL bugs.