CloudLinux OS Blog

Six vulnerabilities for PHP 5.4 found, more to come - and HardenedPHP will protect from them all

PHP 5.4 had a good run. Still one of the most popular PHP versions today, it was first released in March 2012, but as of September 2015 the PHP.net community no longer provides security fixes for it.

Of course, most sites can simply upgrade to a more recent version, but not all. Newer branches contain backward-incompatible changes, so some site owners will need to bring in developer help and rewrite parts of their site before they can move.

Less than three weeks after the PHP.net community stopped providing fixes, PHP 5.4 was already out of date. The PHP.net release of October 1, 2015 disclosed two security vulnerabilities that were fixed in PHP 5.5 but left open in PHP 5.4:

  • Fixed bug #69720 CVE-2015-7803 (Null pointer dereference in phar_get_fp_offset()).
  • Fixed bug #70433 CVE-2015-7804 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/").

The PHP.net release of January 7, 2016 fixed and disclosed another four vulnerabilities, which are now public knowledge (and therefore available to attackers) while PHP 5.4 remains unpatched:

  • Bug #70661: Use After Free Vulnerability in WDDX Packet Deserialization
  • Bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
  • Bug #70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
  • Bug #70755: fpm_log.c memory leak and buffer overflow
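A first-pass check for the issues listed above, added here as an example (this is not CloudLinux or PHP.net code): it parses the banner line of `php -v`, works out the branch, and reports which of the six bugs the upstream PHP.net line never fixed for that exact version. The fix versions are taken from the PHP.net changelogs for the October 1, 2015 releases (5.5.30 / 5.6.14) and the January 7, 2016 releases (5.5.31 / 5.6.17); PHP 5.4 received none of them. The sample `php -v` output is constructed, and the choice to track only the 5.4, 5.5 and 5.6 branches (reporting anything else as untracked rather than guessing) is an assumption of this example.

```python
"""Check a `php -v` banner against the six upstream fixes listed above.

Added example, not CloudLinux code. Fix versions come from the PHP.net
changelogs for the 1 Oct 2015 (5.5.30 / 5.6.14) and 7 Jan 2016
(5.5.31 / 5.6.17) releases; the 5.4 branch never received them.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Upstream fix version per branch. A branch missing from the inner dict
# (5.4 here) means the fix never landed upstream for that branch.
UPSTREAM_FIXES: Dict[str, Dict[str, Version]] = {
    "CVE-2015-7803 (bug #69720, NULL deref in phar_get_fp_offset)":
        {"5.5": (5, 5, 30), "5.6": (5, 6, 14)},
    "CVE-2015-7804 (bug #70433, uninitialized pointer in phar_make_dirstream)":
        {"5.5": (5, 5, 30), "5.6": (5, 6, 14)},
    "bug #70661 (use-after-free in WDDX packet deserialization)":
        {"5.5": (5, 5, 31), "5.6": (5, 6, 17)},
    "bug #70741 (type confusion in session WDDX deserialization)":
        {"5.5": (5, 5, 31), "5.6": (5, 6, 17)},
    "bug #70728 (type confusion in PHP_to_XMLRPC_worker)":
        {"5.5": (5, 5, 31), "5.6": (5, 6, 17)},
    "bug #70755 (fpm_log.c memory leak and buffer overflow)":
        {"5.5": (5, 5, 31), "5.6": (5, 6, 17)},
}

# Assumption of this example: only these branches are tracked; anything else
# is reported as untracked instead of guessed at.
TRACKED_BRANCHES = ("5.4", "5.5", "5.6")

VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_php_version(php_v_output: str) -> Version:
    """Pull (major, minor, patch) out of the first 'PHP x.y.z' line of `php -v`."""
    match = VERSION_RE.search(php_v_output)
    if match is None:
        raise ValueError("no 'PHP x.y.z' line in input")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def triage(php_v_output: str) -> Dict[str, object]:
    """Report which listed issues are unfixed *upstream* for this version.

    A vendor build with backported fixes (CloudLinux alt-php, distro packages)
    keeps the old version string, so a hit here is a prompt to check the
    package changelog, not a verdict.
    """
    version = parse_php_version(php_v_output)
    branch = f"{version[0]}.{version[1]}"
    report: Dict[str, object] = {
        "version": version,
        "branch": branch,
        # 5.4 and older: no PHP.net security fixes after September 2015.
        "upstream_eol": version < (5, 5, 0),
        "tracked": branch in TRACKED_BRANCHES,
        "unfixed_upstream": [],
    }
    if not report["tracked"]:
        return report
    unfixed: List[str] = []
    for issue, fixed_in in UPSTREAM_FIXES.items():
        fixed_at: Optional[Version] = fixed_in.get(branch)
        if fixed_at is None or version < fixed_at:
            unfixed.append(issue)
    report["unfixed_upstream"] = unfixed
    return report


# Constructed sample `php -v` output, shaped like a 5.4.45 CLI banner.
SAMPLE_PHP54 = """PHP 5.4.45 (cli) (built: Sep  3 2015 10:00:00)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
"""

if __name__ == "__main__":
    for banner in ("PHP 5.5.30 (cli)", "PHP 5.6.17 (cli)", "PHP 7.0.2 (cli)"):
        result = triage(banner)
        print(banner, "->", result["unfixed_upstream"] if result["tracked"] else "branch not tracked")
    print(SAMPLE_PHP54.splitlines()[0], "->",
          len(triage(SAMPLE_PHP54)["unfixed_upstream"]), "issues unfixed upstream")
```

The caveat matters for exactly the builds this post is about: a backported package still reports `PHP 5.4.45`, so this check will flag it. Confirm the actual state by reading the changelog of the package that ships the binary (for RPM-based systems, `rpm -q --changelog` on that package) and looking for the bug or CVE identifiers above.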

Now what? The HardenedPHP feature of CloudLinux OS protects against all of these vulnerabilities. If you are using the CloudLinux PHP Selector you don't have to worry about these issues, or about the ones still to come: PHP Selector already includes HardenedPHP by default. We backported these fixes to PHP 5.4, and likewise to every unsupported PHP version from 4.4.9 upward; those unsupported versions together currently run more than 80% of PHP sites.

If you don't have PHP Selector enabled on your CloudLinux OS servers, here is how to enable it: http://docs.cloudlinux.com/index.html?installation.html


Comments (3)

Guest - Petar on Saturday, 06 February 2016 06:16

I hope you will not abandon the PHP Selector after EA4 MultiPHP, as discussed in the forums.
I really doubt cPanel will implement such great features in MultiPHP anytime soon.

WisiKlo on Saturday, 06 February 2016 22:53

We are working hard to make HardenedPHP available with EA4 MultiPHP. It should be ready by the end of this month.
We will not abandon PHPSelector until its feature set is fully covered by MultiPHP, and people switch to MultiPHP.

Guest - Scott Neader on Monday, 08 February 2016 19:30

I had the same concern as Petar, and I'm very glad to hear your plan, Igor. I think EA4 is a long way from being "production" so we appreciate your continued support of PHPSelector.

- Scott
