Administrator Posted August 21, 2013

SUMMARY

The PHP development team has announced the immediate availability of PHP 5.5.2. This release contains approximately 20 bug fixes, including a security issue in the OpenSSL module (CVE-2013-4248) and a session fixation problem (CVE-2011-4718). All users of PHP are encouraged to upgrade to this release. cPanel has released EasyApache 3.22.6 with PHP 5.5.2 to address these issues.

AFFECTED VERSIONS

All versions of PHP 5 before 5.5.2. (For CVE-2013-4248 only, the PHP 5.4 branch is fixed as of 5.4.18; see the CVE description below.)

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2011-4718 – MEDIUM
CVE-2013-4248 – MEDIUM

PHP 5.5.2

CVE-2011-4718: A session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. The session module accepted any session ID presented by the client, so an attacker could plant a known ID in a victim's browser before the victim logged in and then reuse it. PHP 5.5.2 adds the session.use_strict_mode setting, which makes the session module reject IDs it did not generate itself.

CVE-2013-4248: The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a null character in a domain name in the Subject Alternative Name field of an X.509 certificate. This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. This issue is related to CVE-2009-2408.

SOLUTION

cPanel, Inc. has released EasyApache 3.22.6 with an updated version of PHP 5.5 to correct these issues. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4248
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4718
http://www.php.net/ChangeLog-5.php#5.5.2

For the PGP signed message, please go here.
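The following PHP script is an added example illustrating both CVEs described in the advisory above; it is not code from the advisory, from cPanel, or from the PHP project. For CVE-2011-4718 it shows the application-side hardening that goes with the new session.use_strict_mode setting (rejecting client-chosen IDs and rotating the ID at login). For CVE-2013-4248 it shows how an application that checks a peer certificate's subjectAltName against a hostname should treat each entry: any name carrying a NUL byte or non-hostname characters is refused rather than matched. The function names, the constructed sample names, and the assumption that the patched openssl_x509_parse() returns the full byte string of a SAN entry (including anything after an embedded NUL) are this example's own.

```php
<?php
// Added example; not part of the cPanel advisory or of PHP itself.

// ---- CVE-2011-4718: session fixation ------------------------------------
// Vulnerable pattern: without strict mode the session module accepts any
// PHPSESSID cookie the client sends, so an attacker can pre-set an ID and
// wait for the victim to authenticate under it.

function start_session_strict()
{
    // session.use_strict_mode exists as of PHP 5.5.2: IDs that the module
    // did not generate are discarded and a fresh one is issued.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // never take the ID from the URL
    ini_set('session.cookie_httponly', '1');
    session_start();
}

function login_user($username)
{
    // Rotate the ID on every privilege change and drop the old session data,
    // so an ID fixed before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
}

// ---- CVE-2013-4248: NUL byte in subjectAltName ---------------------------
// Before the fix, openssl_x509_parse() handled the SAN as a C string, so
// "www.bank.example\0.attacker.example" came back as "www.bank.example".
// Assumption (this example's): the patched function returns the whole byte
// string, and the caller must refuse to match it.

function san_dns_names(array $parsed)
{
    // openssl_x509_parse() renders the extension as "DNS:a.example, DNS:b.example".
    $ext = isset($parsed['extensions']['subjectAltName'])
         ? $parsed['extensions']['subjectAltName'] : '';
    $names = array();
    foreach (explode(',', $ext) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = substr($entry, 4);
        }
    }
    return $names;
}

function hostname_matches($host, $pattern)
{
    // A NUL byte means a crafted (or silently truncated) entry: never match.
    if (strpos($pattern, "\0") !== false) {
        return false;
    }
    // Only a clean DNS name, optionally with a single leading wildcard label.
    if (!preg_match('/^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$/i', $pattern)) {
        return false;
    }
    $host    = strtolower($host);
    $pattern = strtolower($pattern);
    if (substr($pattern, 0, 2) === '*.') {
        // The wildcard may stand for exactly one label.
        $suffix = substr($pattern, 1);                       // ".bank.example"
        if (substr($host, -strlen($suffix)) !== $suffix) {
            return false;
        }
        $label = substr($host, 0, strlen($host) - strlen($suffix));
        return $label !== '' && strpos($label, '.') === false;
    }
    return $host === $pattern;
}

function cert_matches_host($pem, $host)
{
    $parsed = openssl_x509_parse($pem);
    if ($parsed === false) {
        return false;
    }
    foreach (san_dns_names($parsed) as $name) {
        if (hostname_matches($host, $name)) {
            return true;
        }
    }
    return false;
}

// Constructed sample SAN entries, as the patched parser would return them.
$samples = array(
    "www.bank.example"                     => true,   // exact match
    "*.bank.example"                       => true,   // one-label wildcard
    "www.bank.example\0.attacker.example"  => false,  // embedded NUL: refused
    "*.example"                            => false,  // wildcard too broad
);
foreach ($samples as $entry => $expected) {
    $ok = hostname_matches('www.bank.example', $entry) === $expected;
    echo ($ok ? 'PASS ' : 'FAIL ') . addcslashes($entry, "\0") . "\n";
}
```

cert_matches_host() needs a real PEM certificate and a PHP build with the OpenSSL module; the sample loop at the bottom exercises only hostname_matches() on constructed strings so the script runs anywhere. The embedded-NUL entry is the case from CVE-2013-4248: on an unpatched PHP the parser would have handed the application the truncated, legitimate-looking "www.bank.example" and this check would never have seen the rest of the string, which is why upgrading is the actual fix and the application-side check is defence in depth.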