New PHP Releases Fix BACKRONYM MySQL Flaw

Several new versions of PHP have been released, all of which contain a number of bug fixes, most notably a patch for the so-called BACKRONYM vulnerability in MySQL.

That bug in MySQL is caused by a problem with the way that the database software handles requests for secure connections. Researchers at Duo Security disclosed the vulnerability back in April after they noticed that MySQL was exhibited some weird behavior, namely an inability to enforce the use of SSL. The end result is that an attacker could force a client to send information over plaintext TCP rather than SSL.

“The most serious risk is posed by adversaries with passive monitoring capabilities like the NSA, intelligence agencies, or other capable attackers who may have a foothold on your network. Many MySQL clients will use a DNS hostname (eg. to connect to the database server, triggering a DNS query that may traverse monitored links on the Internet. A global passive adversary like the NSA can spoof a reply to this DNS request in order to hijack the MySQL connection, perform the downgrade, and steal/manipulate database contents,” the Duo researchers said in an FAQ on the BACKRONYM bug.

The PHP Group fixed this vulnerability in versions 5.6.11, 5.5.27, and 5.4.43.

In addition to those releases, the group also released the beta of version 7.0.0. The maintainers said that users should not deploy this version on production systems and should use it only on test systems.

“Beta 1 marks the feature complete phase. From now on, fundamental changes are not to be expected. What’s more, this release brings over 200 commits with about 25 reported bug fixes, as well as security, stability and other improvements. However it was delayed to catch up with the latest OpenSSL release issued on July 9th,” the PHP Group said in the release notes for version 7.0.0.

Suggested articles