PHP Updated to Fix OpenSSL Flaws, Other Bugs

The maintainers of PHP have released two new versions of the scripting language that fix a number of bugs, including a pair of vulnerabilities related to OpenSSL.

The maintainers of PHP have released two new versions of the scripting language that fix a number of bugs, including a pair of vulnerabilities related to OpenSSL. Versions 5.4.28 and 5.5.12 both contain that important patch, as well as fixes for more than a dozen other vulnerabilities.

The fix for the OpenSSL flaws is in both PHP 5.4.28 and 5.5.12. Both versions also include a slew of other bug fixes, one of which is for CVE-2014-0185, a privilege escalation flaw. The bug could allow an attacker to run arbitrary code in some situations.

“Both default config and compiled-in defaults of sapi/fpm lead to configurations which easily allow any user with rights to connect to a UNIX socket to run arbitrary code with the permissions of the fpm user,” a description of the bug says.

“A typical scenario for this issue:

– shared hosting environment with multiple fpm pools, running with different permissions (user1, user2, …)

– user1 can easily run code as user2 by pretending to be a FastCGI client and connecting to (e.g.) /var/run/php-fpm.user1.sock.”

Users of either version of PHP are encouraged to update to the fixed packages as soon as possible to protect themselves against potential attacks.

 This story was updated on May 2 to clarify the OpenSSL bugs.

Suggested articles

Discussion

  • Royce Williams on

    Dennis, can you provide more detail on the Heartbleed-specific updates to PHP? The change log only refers to these two OpenSSL-specific fixes, but they do not appear to be Heartbleed-related: https://bugs.php.net/bug.php?id=66942 https://bugs.php.net/bug.php?id=66952

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.