Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Suddenly vulnerable to old PHP GLSAs?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Jarjar
Apprentice
Apprentice


Joined: 21 Jul 2002
Posts: 265
Location: Sweden

PostPosted: Mon Dec 29, 2014 8:25 am    Post subject: Suddenly vulnerable to old PHP GLSAs? Reply with quote

A few days ago, my system suddenly became vulnerable to two old PHP GLSAs (I run a emerge --sync and glsa-check during the night).

Any idea what's going on? Re-emerging PHP doesn't help, and since my version is higher than the recommended one for 5.4.x, it shouldn't be vulnerable.

Code:

This system is affected by the following GLSAs:
201411-04
201408-11

               GLSA 201411-04:
PHP: Multiple vulnerabilities               
============================================================================
Synopsis:          Multiple vulnerabilities have been discovered in PHP, the
                   worst of which could lead to remote execution of
                   arbitrary code.
Announced on:      November 09, 2014
Last revised on:   November 09, 2014 : 01

Affected package:  dev-lang/php
Affected archs:    All
Vulnerable:        <5.5.18
Unaffected:        >=5.5.18, >=~5.4.34, >=~5.3.29
[...]
                  All PHP 5.4 users should upgrade to the latest version:
                   # emerge --sync
                   # emerge --ask --oneshot --verbose
                   ">=dev-lang/php-5.4.34"
[...]

PHP: Multiple vulnerabilities               
============================================================================
Synopsis:          Multiple vulnerabilities have been discovered in PHP, the
                   worst of which could lead to remote execution of
                   arbitrary code.
Announced on:      August 29, 2014
Last revised on:   November 04, 2014 : 02

Affected package:  dev-lang/php
Affected archs:    All
Vulnerable:        <5.5.16
Unaffected:        >=5.5.16, >=~5.4.32, >=~5.3.29, >=~5.4.34
[...]
                   
                   All PHP 5.4 users should upgrade to the latest version:
                   # emerge --sync
                   # emerge --ask --oneshot --verbose
                   ">=dev-lang/php-5.4.32"
[...]

# eix -I ^php$
[I] dev-lang/php
     Available versions: 
     (5.3)  5.3.29
     (5.4)  ****5.4.36****
     (5.5)  [m]5.5.20
     (5.6)  [m]~5.6.4
       {apache2 bcmath berkdb bzip2 calendar cdb cgi cjk +cli crypt +ctype curl curlwrappers debug embed enchant exif +fileinfo +filter firebird flatfile fpm frontbase ftp gd gdbm gmp +hash +iconv imap inifile intl iodbc ipv6 +json kerberos ldap ldap-sasl libedit libmysqlclient mhash mssql mysql mysqli mysqlnd nls oci8-instant-client odbc +opcache pcntl pdo +phar +posix postgres qdbm readline recode selinux +session sharedmem +simplexml snmp soap sockets spell sqlite sqlite2 ssl sybase-ct systemd sysvipc threads tidy +tokenizer truetype unicode vpx wddx +xml xmlreader xmlrpc xmlwriter xpm xslt zip zlib}
     Installed versions:  5.4.36(5.4)(09:13:04 AM 12/29/2014)(apache2 bcmath berkdb bzip2 cli crypt ctype curl curlwrappers exif fileinfo filter flatfile ftp gd gdbm hash iconv imap ipv6 json mhash mysql nls pdo phar posix readline session simplexml sockets ssl tokenizer truetype unicode xml zlib -calendar -cdb -cgi -cjk -debug -embed -enchant -firebird -fpm -gmp -inifile -intl -iodbc -kerberos -ldap -ldap-sasl -libedit -mssql -mysqli -mysqlnd -oci8-instant-client -odbc -pcntl -postgres -qdbm -recode -selinux -sharedmem -snmp -soap -spell -sqlite -sybase-ct -systemd -sysvipc -threads -tidy -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xslt -zip)
     Homepage:            http://php.net/
     Description:         The PHP language runtime engine: CLI, CGI, FPM/FastCGI, Apache2 and embed SAPIs

_________________
[Server etc. | C2D 2.2 @ 3.0 GHz / 4 GB RAM / 3x1 TB + 1x2 TB SATA disks + 1.5 TB ext. | Gentoo]
[Laptop | Macbook Pro 15" / Core i7 (Sandy) Quad 2.2 GHz / 16 GB RAM / Samsung 840 250 GB SSD + 1 TB + 2 TB HDD / 6750M 1 GB / OS X, Win 7]
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 6960

PostPosted: Mon Dec 29, 2014 9:45 am    Post subject: Reply with quote

Code:
     (5.4)  ****5.4.36****   
Vulnerable:        <5.5.18
Vulnerable:        <5.5.16


that's something for bugs.gentoo.org as glsa-check seems to not care about "Unaffected" entry list (which validate your version is not vulnerable)
Back to top
View user's profile Send private message
heiwa
n00b
n00b


Joined: 24 Oct 2012
Posts: 70

PostPosted: Mon Dec 29, 2014 10:58 am    Post subject: Reply with quote

krinn wrote:

that's something for bugs.gentoo.org as glsa-check seems to not care about "Unaffected" entry list (which validate your version is not vulnerable)


There is already https://bugs.gentoo.org/show_bug.cgi?id=533254 .
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum