PHP updates


102 replies to this topic

#16 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 22 August 2011 - 09:32 AM

FYI...

5.3.7 upgrade warning
- http://www.php.net/a...#id2011-08-22-1
22-Aug-2011 - "Due to unfortunate issues with 5.3.7 (see bug#55439*) users should -wait- with upgrading until 5.3.8 will be released (expected in few days)..."
* https://bugs.php.net/bug.php?id=55439

:ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#17 AplusWebMaster


Posted 23 August 2011 - 04:05 PM

FYI...

PHP v5.3.8 released
- http://www.php.net/a...#id2011-08-23-1
23-Aug-2011

Change Log
- http://www.php.net/C...Log-5.php#5.3.8

:ph34r:



#18 AplusWebMaster


Posted 12 January 2012 - 10:14 PM

FYI...

PHP v5.3.9 released
- http://www.php.net/a...#id2012-01-11-1
10-Jan-2012 - "The PHP development team would like to announce the immediate availability of PHP 5.3.9. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which -are- security related...

Download: http://www.php.net/downloads.php
Changelog: http://www.php.net/C...Log-5.php#5.3.9
All users are strongly encouraged to upgrade to PHP 5.3.9."

- http://web.nvd.nist....d=CVE-2011-4566 - 6.4
- http://web.nvd.nist....d=CVE-2011-4885 - 5.0
___

- http://h-online.com/-1407472
11 January 2012

:ph34r:

Edited by AplusWebMaster, 14 January 2012 - 09:22 AM.



#19 AplusWebMaster


Posted 03 February 2012 - 07:34 AM

FYI...

PHP v5.3.10 released
- http://securitytracker.com/id/1026631
Date: Feb 3 2012
CVE Reference: CVE-2012-0830
Impact: Execution of arbitrary code via network, User access via network
Version(s): 5.3.9
... This vulnerability was introduced in version 5.3.9 in the fix for CVE-2011-4885.
Impact: A remote user can execute arbitrary code on the target system.
Solution: The vendor has issued a fix (5.3.10).
... advisory is available at:
- http://www.php.net/a...#id2012-02-02-1
2-Feb-2012 - "... This release delivers a critical security fix... All users are strongly encouraged to upgrade to PHP 5.3.10...
- http://www.php.net/downloads.php

- https://secunia.com/advisories/47806/
Release Date: 2012-02-03
Criticality level: Highly critical
Impact: System access
Where: From remote ...
CVE Reference: CVE-2012-0830
... vulnerability is reported in version 5.3.9.
Solution: Update to version 5.3.10.

- http://web.nvd.nist....d=CVE-2012-0830
Last revised: 02/16/2012
CVSS v2 Base Score: 7.5 (HIGH)

:ph34r: :ph34r:

Edited by AplusWebMaster, 19 February 2012 - 11:50 AM.



#20 AplusWebMaster


Posted 19 March 2012 - 07:56 AM

FYI...

PHP v5.4.0 released
- http://www.php.net/a...#id2012-03-01-1
01-Mar-2012 - "... immediate availability of PHP 5.4.0. This release is a major leap forward in the 5.x series, which includes a large number of new features and bug fixes. Some of the key new features include: traits, a shortened array syntax, a built-in webserver for testing purposes and more. PHP 5.4.0 significantly improves performance, memory footprint and fixes over 100 bugs..."

- http://php.net/releases/5_4_0.php

- http://www.php.net/downloads.php

:ph34r:



#21 AplusWebMaster


Posted 27 April 2012 - 07:15 AM

FYI...

PHP v5.3.11/v5.4.1 released
- http://www.php.net/i...#id2012-04-26-1
26-Apr-2012 - Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:
> Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
> Add open_basedir checks to readline_write_history and readline_read_history.
Security Enhancement affecting PHP 5.3.11 only:
> Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).
Key enhancements in these releases include:
> Added debug info handler to DOM objects.
> Fixed bug #61172 (Add Apache 2.4 support)...

ChangeLog
- http://www.php.net/ChangeLog-5.php

Downloads
- http://www.php.net/downloads.php

___

- http://h-online.com/-1561184
27 April 2012 - "... PHP 5.4.1 has more than 20 bug fixes... PHP 5.3.11 update fixes nearly 60 bugs..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 27 April 2012 - 07:18 AM.



#22 AplusWebMaster


Posted 03 May 2012 - 05:38 PM

FYI...

>> http://blog.spiderla...p-cgi-vuln.html
07 May 2012
___

PHP v5.3.12/v5.4.2 released
- http://www.php.net/a...#id2012-05-03-1
3-May-2012 - "There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed... A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable. If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not. To fix this, update to PHP 5.3.12 or PHP 5.4.2. We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP..."
(More detail at the URL above.)

Downloads
- http://www.php.net/downloads.php

ChangeLog
- http://www.php.net/C...Log-5.php#5.4.2
3-May-2012
___

- http://h-online.com/-1567532
3 May 2012
- http://www.kb.cert.org/vuls/id/520827
Last revised: 04 May 2012

- http://h-online.com/-1568454
4 May 2012 - "... Users can determine whether they are affected by the bug by appending the string ?-s to a URL. If the server returns PHP source code, rapid action is required. A Metasploit module which opens a remote shell for executing arbitrary code on vulnerable servers is already available."

:ph34r: :ph34r:

Edited by AplusWebMaster, 08 May 2012 - 05:09 AM.



#23 AplusWebMaster


Posted 08 May 2012 - 07:29 PM

FYI...

PHP v5.4.3/v5.3.13 released
- http://www.php.net/a...#id2012-05-08-1
8-May-2012 - "... immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13. The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack. PHP 5.4.3 fixes a buffer overflow vulnerability in the apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue..."

Downloads
- http://www.php.net/downloads.php

ChangeLog
- http://www.php.net/ChangeLog-5.php

- http://web.nvd.nist....d=CVE-2012-1823 - 7.5 (HIGH)
- http://web.nvd.nist....d=CVE-2012-2311 - 7.5 (HIGH)
- http://web.nvd.nist....d=CVE-2012-2335 - 7.5 (HIGH)
- http://web.nvd.nist....d=CVE-2012-2336 - 5.0
05/11/2012 - "... before 5.3.13 and 5.4.x before 5.4.3..."
___

Critical open hole in PHP creates risks
- http://atlas.arbor.net/briefs/
Severity: High Severity
Published: Monday, May 07, 2012
A specific configuration and a PHP vulnerability opens the door for a remote attack on vulnerable installations. Public exploit code is available, increasing risks.
Analysis: Further details are provided at http://eindbazen.net...-cve-2012-1823/ and http://www.php.net/a...#id2012-05-06-1 and a more robust patch is to be released on Tuesday, May 8. The prior release did not fully resolve the problem. A Metasploit exploit was made available on May 4. Sites vulnerable to this threat need to take protective action, as the scanning activity for this is likely to be very high considering the popularity of PHP.
Source: http://h-online.com/-1570916
9 May 2012

Attackers target unpatched PHP bug allowing malicious code execution
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
Published: Thursday, May 10, 2012
PHP bug, just patched on May 8, is already being used by attackers.
Analysis: While the number of vulnerable sites may be small due to the unique configuration required, such sites could be totally compromised. System admins should also check http://blog.spiderla...by-example.html for further details on the attacks and see the patch release at http://www.php.net/a...#id2012-05-08-1 .
Source: http://arstechnica.c...code-execution/

PHP-CGI exploitation by example
- http://blog.spiderla...by-example.html
7 May 2012

PHP-CGI vuln exploited-in-the-Wild
- http://blog.sucuri.n...n-the-wild.html
May 8, 2012

- https://www.computer...I_vulnerability
May 9, 2012 - "... Dreamhost has also seen a large number of attacks trying to exploit this vulnerability, according to Trustwave researchers who exchanged information with Dreamhost's security team. In total, the Web hosting company recorded 234,076 exploit attempts against 151,275 unique domains..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 13 May 2012 - 08:30 AM.

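A defender-side version of the `?-s` check quoted in posts #22 and #23, added here as an example and not taken from the thread or from PHP: it scans access-log lines for requests whose query string contains no `=` (the case in which a CGI server hands the query to the binary as command-line arguments) and begins with `-` once percent-decoded. The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request and status fields of a combined-format access log line.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def looks_like_cgi_switch(query: str) -> bool:
    """True if the query would reach a CGI binary as a command-line switch."""
    if not query:
        return False
    # A literal '=' means the server treats the query as form data,
    # not as arguments, so it is out of scope for this check.
    if "=" in query:
        return False
    # Decode before matching so an encoded dash or leading space is not missed.
    return unquote(query).lstrip().startswith("-")

def scan(lines):
    """Return (line_no, path, raw_query, status) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if looks_like_cgi_switch(query):
            hits.append((line_no, path, query, int(m.group("status"))))
    return hits

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/May/2012:10:01:02 +0000] "GET /index.php?id=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/May/2012:10:01:09 +0000] "GET /index.php?-s HTTP/1.1" 200 18234',
    '198.51.100.7 - - [07/May/2012:10:01:11 +0000] "GET /shop/cart.php?%2Ds HTTP/1.1" 404 312',
    '203.0.113.4 - - [07/May/2012:10:02:30 +0000] "GET /search.php?-q=php HTTP/1.1" 200 2210',
    '203.0.113.4 - - [07/May/2012:10:02:41 +0000] "GET /docs/?printable HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for line_no, path, query, status in scan(SAMPLE_LOG):
        print(f"line {line_no}: {path}?{query} -> HTTP {status}")
```

A hit answered with status 200 deserves the first look, since the announcement says a vulnerable server returns the script's source for `?-s`.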


#24 AplusWebMaster


Posted 14 June 2012 - 02:33 PM

FYI...

PHP 5.4.4/5.3.14 released
- http://www.php.net/a...#id2012-06-14-1
14 June 2012 - "... immediate availability of PHP 5.4.4 and PHP 5.3.14. All users of PHP are encouraged to upgrade to PHP 5.4.4 or PHP 5.3.14. The release fixes multiple security issues:
A weakness in the DES implementation of crypt and a heap overflow issue in the phar extension.
PHP 5.4.4 and PHP 5.3.14 fixes over 30 bugs..."

- http://windows.php.net/download/

- http://www.php.net/downloads.php

- http://www.php.net/ChangeLog-5.php

:ph34r: :ph34r:



#25 AplusWebMaster


Posted 21 July 2012 - 05:12 AM

FYI...

PHP v5.4.5, 5.3.15 released
- http://www.php.net/a...#id2012-07-19-1
19-Jul-2012 - "... immediate availability of PHP 5.4.5 and PHP 5.3.15. This release fixes over 30 bugs and includes a fix for a security related overflow issue in the stream implementation. All users of PHP are encouraged to upgrade to PHP 5.4.5 or PHP 5.3.15..."

ChangeLog
- http://www.php.net/ChangeLog-5.php

- http://www.php.net/C...og-5.php#5.3.15

Download:
- http://www.php.net/downloads.php

- http://www.securityt....com/id/1027287
CVE Reference: http://web.nvd.nist....d=CVE-2012-2688 - 10.0 (HIGH)
Jul 20 2012
Impact: Execution of arbitrary code via network, User access via network
Version(s): prior to 5.3.15; 5.4.x prior to 5.4.5 ...

- http://www.securityt....com/id/1027286
CVE Reference: http://web.nvd.nist....d=CVE-2012-3365 - 5.0
Jul 20 2012 ...

:ph34r:

Edited by AplusWebMaster, 24 July 2012 - 07:36 AM.



#26 AplusWebMaster


Posted 17 August 2012 - 02:52 PM

FYI...

PHP v5.4.6, 5.3.16 released
- http://www.php.net/
16-Aug-2012 - "... immediate availability of PHP 5.4.6 and PHP 5.3.16. These releases fix over 20 bugs. All users of PHP are encouraged to upgrade..."

Download
- http://www.php.net/downloads.php

ChangeLog
- http://www.php.net/ChangeLog-5.php

:ph34r:



#27 AplusWebMaster


Posted 18 September 2012 - 05:54 AM

FYI...

PHP 5.4.7, 5.3.17 released
- http://www.php.net/
13-Sep-2012 - "... immediate availability of PHP 5.4.7 and PHP 5.3.17. These release fixes over 20 bugs. All users of PHP are encouraged to upgrade to PHP 5.4.7, or at least 5.3.17..."

Download
- http://www.php.net/downloads.php

ChangeLog
- http://www.php.net/ChangeLog-5.php

:ph34r:



#28 AplusWebMaster


Posted 20 December 2012 - 09:38 AM

FYI...

PHP 5.4.10, 5.3.20 released
- http://php.net/
20-Dec-2012 - "... immediate availability of PHP 5.4.0. This release is a major leap forward in the 5.x series, which includes a large number of new features and bug fixes... the PHP 5.3 series will enter an end of life cycle and receive only critical fixes as of March 2013. All users of PHP are encouraged to upgrade to PHP 5.4."

ChangeLog
- http://php.net/ChangeLog-5.php

- http://php.net/downloads.php

- http://windows.php.net/download/

:ph34r:



#29 AplusWebMaster


Posted 17 January 2013 - 11:16 AM

FYI...

PHP 5.4.11, 5.3.21 released
- http://php.net/
17-Jan-2013 - "The PHP development team announces the immediate availability of PHP 5.4.11 and PHP 5.3.21. These releases fix about 10 bugs. All users of PHP are encouraged to upgrade to PHP 5.4..."

ChangeLog
- http://php.net/ChangeLog-5.php

- http://php.net/downloads.php

- http://windows.php.net/download/

:ph34r:



#30 AplusWebMaster


Posted 22 February 2013 - 08:47 AM

FYI...

PHP 5.4.12 / 5.3.22 released
- http://php.net/
21-Feb-2013 - "The PHP development team announces the immediate availability of PHP 5.4.12 and PHP 5.3.22. These releases fix about 10 bugs. All users of PHP are encouraged to upgrade to PHP 5.4.12..."

ChangeLog
- http://php.net/ChangeLog-5.php

- http://php.net/downloads.php

- http://windows.php.net/download/

:ph34r:
