PHP Updated to Fix OpenSSL Flaws, Other Bugs

The maintainers of PHP have released two new versions of the scripting language that fix a number of bugs, including a pair of vulnerabilities related to OpenSSL.

Versions 5.4.28 and 5.5.12 both contain the OpenSSL patch, along with more than a dozen other bug fixes.

One of those other fixes is for CVE-2014-0185, a local privilege escalation flaw in the FastCGI Process Manager (sapi/fpm). Under the default configuration, any local user who can connect to a pool's UNIX socket can run arbitrary code with the permissions of that pool's user.

“Both default config and compiled-in defaults of sapi/fpm lead to configurations which easily allow any user with rights to connect to a UNIX socket to run arbitrary code with the permissions of the fpm user,” a description of the bug says.

“A typical scenario for this issue:

– shared hosting environment with multiple fpm pools, running with different permissions (user1, user2, …)

– user1 can easily run code as user2 by pretending to be a FastCGI client and connecting to (e.g.) /var/run/php-fpm.user1.sock.”
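The scenario above comes down to the permissions on each pool's UNIX socket. The script below is an added example, not code from the PHP project or from the bug report: it parses constructed php-fpm pool definitions (file names, pool names and users are hypothetical), flags pools whose socket is world-writable, and prints the directives that bring a pool in line with the restrictive defaults. It assumes that when `listen.mode` is absent the socket gets the pre-fix compiled-in default of 0666; the 5.4.28 / 5.5.12 fix changed that default to 0660 and added `listen.owner` / `listen.group` defaults.

```python
"""Audit php-fpm pool configs for CVE-2014-0185-style socket exposure.

Added example for illustration only; not PHP project code. The pool
snippets below are constructed, and the user/socket names are hypothetical.
"""
import configparser
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: three pools as a shared host might define them.
# user1 relies on the pre-fix defaults (no listen.mode/owner/group),
# user2 sets the values the fix later made the default, shared_tcp
# listens on TCP and is outside the scope of this check.
SAMPLE_POOLS = """
[user1]
user = user1
group = user1
listen = /var/run/php-fpm.user1.sock

[user2]
user = user2
group = user2
listen = /var/run/php-fpm.user2.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

[shared_tcp]
user = www-data
group = www-data
listen = 127.0.0.1:9000
"""

# Assumption (see lead-in): socket mode php-fpm applied before the fix when
# listen.mode was not set. The fix changed this default to 0660.
PRE_FIX_DEFAULT_MODE = 0o666


@dataclass
class Finding:
    pool: str
    socket: str
    mode: int
    owner: Optional[str]
    group: Optional[str]
    reasons: List[str]


def parse_pools(text: str) -> configparser.ConfigParser:
    """php-fpm pool files are INI-like: [pool] sections, ';' comments, dotted keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp


def audit_pool(name: str, section) -> Optional[Finding]:
    """Return a Finding if this pool's UNIX socket is reachable by other local users."""
    listen = section.get("listen", "")
    if not listen.startswith("/"):
        return None  # TCP listener: socket file permissions do not apply
    mode_str = section.get("listen.mode")
    mode = int(mode_str, 8) if mode_str else PRE_FIX_DEFAULT_MODE
    owner = section.get("listen.owner")
    group = section.get("listen.group")
    reasons = []
    # connect() on a UNIX socket needs write permission on the socket file,
    # so the 'other' write bit is what lets any local user pose as the FastCGI client.
    if mode & stat.S_IWOTH:
        reasons.append(f"mode {mode:04o} is world-writable: any local user can connect")
    if (mode & stat.S_IWGRP) and group is None:
        reasons.append("group-writable but listen.group unset: socket keeps the master process's group")
    return Finding(name, listen, mode, owner, group, reasons) if reasons else None


def audit(text: str) -> Dict[str, Finding]:
    cp = parse_pools(text)
    return {n: f for n in cp.sections() if (f := audit_pool(n, cp[n])) is not None}


def hardened_directives(web_user: str = "www-data", web_group: str = "www-data") -> Dict[str, str]:
    """Directives matching the post-fix defaults. Owner/group must be the account the
    web server connects as, not the pool user, or the web server loses access."""
    return {"listen.owner": web_user, "listen.group": web_group, "listen.mode": "0660"}


if __name__ == "__main__":
    for name, f in audit(SAMPLE_POOLS).items():
        print(f"[{name}] {f.socket}: " + "; ".join(f.reasons))
        for k, v in hardened_directives().items():
            print(f"    add: {k} = {v}")
```

Run it against real pool files by replacing `SAMPLE_POOLS` with the contents of `/etc/php*/fpm/pool.d/*.conf` (path varies by distribution); a sound audit also compares the result with `stat` on the live socket, since a pool can be restarted with a different configuration than the one on disk.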

Users of either version of PHP are encouraged to update to the fixed packages as soon as possible to protect themselves against potential attacks.

This story was updated on May 2 to clarify the OpenSSL bugs.


Discussion

  • Royce Williams on

    Dennis, can you provide more detail on the Heartbleed-specific updates to PHP? The change log only refers to these two OpenSSL-specific fixes, but they do not appear to be Heartbleed-related: https://bugs.php.net/bug.php?id=66942 https://bugs.php.net/bug.php?id=66952
