CloudLinux - CloudLinux Blog - Beta: HardenedPHP 5.2 for EasyApache 4 released
CloudLinux OS Blog

Beta: HardenedPHP 5.2 for EasyApache 4 released

Beta: HardenedPHP 5.2  for EasyApache 4 released

The new HardenedPHP 5.2 for Easypache 4 is available from EA4 beta repository.



  • CVE-2010-1861 php: shm_put_var interruption vulnerability (MOPS-2010-009);
  • CVE-2010-2191 php: multiple interruption vulnerabilities (MOPS-2010-0[49,50,51,52,53,54,55]);
  • CVE-2011-0421 php/libzip: segfault with FL_UNCHANGED on empty archive in zip_name_locate();
  • CVE-2011-0708 php: buffer over-read in Exif extension;
  • CVE-2011-1092 php: integer overflow in shmop_read();
  • CVE-2011-1148 php: use-after-free vulnerability in substr_replace();
  • CVE-2011-1938 php: stack-based buffer overflow in socket_connect();
  • CVE-2011-2202 php: file path injection vulnerability in RFC1867 file upload filename;
  • CVE-2011-4566 php: integer overflow in exif_process_IFD_TAG() may lead to DoS or arbitrary memory disclosure;
  • CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix;
  • CVE-2012-1172 php: $_FILES array indexes corruption;
  • CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827);
  • CVE-2012-2311 php: incomplete CVE-2012-1823 fix - incorrect check for =;
  • CVE-2012-2336 php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h;
  • CVE-2012-2386 php: Integer overflow leading to heap-buffer overflow in the Phar extension;
  • CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client;
  • CVE-2013-6420 php: memory corruption in openssl_x509_parse();
  • CVE-2014-3597 php: multiple buffer over-reads in php_parserr;
  • CVE-2014-3668 php: xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime();
  • CVE-2014-3669 php: integer overflow in unserialize();
  • CVE-2014-3670 php: heap corruption issue in exif_thumbnail();
  • CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing;
  • CVE-2014-5120 php: gd extension NUL byte injection in file names;
  • CVE-2014-9425 php: Double-free in zend_ts_hash_graceful_destroy();
  • CVE-2014-9705 php: heap buffer overflow in enchant_broker_request_dict();
  • CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow;
  • CVE-2015-2301 php: use after free in phar_object.c;
  • CVE-2015-2326 pcre: heap buffer over-read in pcre_compile2() (8.37/23);
  • CVE-2015-2331 libzip: integer overflow when processing ZIP archives;
  • CVE-2015-2348 php: move_uploaded_file() NUL byte injection in file name;
  • CVE-2015-2783 php: buffer over-read in Phar metadata parsing;
  • CVE-2015-2787 php: use-after-free vulnerability in the process_nested_data function in ext/standard/;
  • CVE-2015-3329 php: buffer overflow in phar_set_inode();
  • CVE-2015-3330 php: pipelined request executed in deinitialized interpreter under httpd 2.4;
  • CVE-2015-3411 php: missing null byte checks for paths in various PHP extensions;
  • CVE-2015-3412 php: missing null byte checks for paths in various PHP extensions;
  • CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name;
  • CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing;
  • CVE-2015-4024 php: multipart/form-data request parsing CPU usage DoS;
  • CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+;
  • CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character;
  • CVE-2015-4147 php: SoapClient's __call() type confusion through unserialize();
  • CVE-2015-4148 php: SoapClient's do_soap_call() type confusion after unserialize();
  • CVE-2015-4598 php: missing null byte checks for paths in DOM and GD extensions;
  • CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 php: type confusion issue in unserialize() with various SOAP methods;
  • CVE-2015-4602 php: Incomplete Class unserialization type confusion;
  • CVE-2015-4603 php: exception::getTraceAsString type confusion issue after unserialize;
  • CVE-2015-5590 php: buffer overflow and stack smashing error in phar_fix_filepath;
  • CVE-2015-6833 php: Files from archive can be extracted outside of destination directory using phar;
  • CVE-2015-6835 php: use-after-free vulnerability in session deserializer;
  • CVE-2015-6836 php: SOAP serialize_function_call() type confusion;
  • CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class;
  • CVE-2015-8879 php: odbc_bindcols function mishandles driver behavior for SQL_WVARCHAR columns;
  • CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd;
  • CVE-2016-4343 php: Uninitialized pointer in phar_make_dirstream();
  • CVE-2016-4537 CVE-2016-4538 php: bcpowmod accepts negative scale causing heap buffer overflow corrupting _one_ definition;
  • CVE-2016-4540 CVE-2016-4541 php: OOB read in grapheme_stripos and grapheme_strpos when negative offset is used;
  • CVE-2016-4542 CVE-2016-4543 CVE-2016-4544 php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input;
  • CVE-2016-5093 php: improper nul termination leading to out-of-bounds read in get_icu_value_internal;
  • CVE-2016-5094 php: Integer overflow in php_html_entities();
  • CVE-2016-5399 php: Improper error handling in bzread();
  • CVE-2016-5766 gd: Integer Overflow in _gd2GetHeader() resulting in heap overflow;
  • CVE-2016-5772 php: Double Free Corruption in wddx_deserialize;
  • CVE-2016-6288 php: Buffer over-read in php_url_parse_ex;
  • CVE-2016-6289 php: Integer overflow leads to buffer overflow in virtual_file_ex;
  • CVE-2016-6290 php: Use after free in unserialize() with Unexpected Session Deserialization;
  • CVE-2016-6291 php: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE;
  • CVE-2016-6294 php: Out-of-bounds access in locale_accept_from_http;
  • CVE-2016-6296 php: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c;
  • CVE-2016-6297 php: Stack-based buffer overflow vulnerability in php_stream_zip_opener;
  • CVE-2016-7413 php: Use after free in wddx_deserialize;
  • CVE-2016-7414 php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile;
  • CVE-2016-7416 php: Stack based buffer overflow in msgfmt_format_message;
  • CVE-2016-7418 php: Null pointer dereference in php_wddx_push_element;
  • CVE-2016-8670 gd, php: Stack based buffer overflow in dynamicGetbuf.

Note: There is no FPM support in ea-php52 for now.

To install run the command:

yum install ea-php52* --exclude=ea-php52-php-recode,ea-php52-php-ioncube5,ea-php52-php --enablerepo=cl-ea4-testing


Public beta for Imunify360 and Imunify Sensor is o...
Happy Holidays from the CloudLinux Team!

By accepting you will be accessing a service provided by a third-party external to

EU e-Privacy Directive

We use cookies to ensure you get the best experience using our website and services. Read more about it in our Privacy Policy. Please agree to the use of cookies to proceed. Alternatively, you may disable cookies in your browser at any time.

You have declined cookies. This decision can be reversed.

You have allowed cookies to be placed on your computer. This decision can be reversed.