PHP ELS Archives - TuxCare

Owner-initiated Cybersecurity Supply Chain Attacks

Supply chain attacks come in all forms and shapes. One example is taking over legitimate accounts to deploy malicious code into widely used libraries. Another is deploying changes during compilation through malicious tooling. 

We could carry on – think about mislabeled content intent on tricking unwary users, or additional files added that subvert application behavior. 

But, another particularly malicious supply chain attack perpetrated by the actual code owner or the original developer behind the code is emerging – and it’s proving to be incredibly disruptive. 

A new, dangerous supply chain threat

This attack vector emerged early in 2022 when developers realized that a couple of very widely used libraries (“faker.js” and “colors.js”) had been tampered with to include code that was unrelated to the original intent of these libraries.

Worse, the “additional” code was breaking the applications relying on it by creating an infinite loop in the code. Because the code for these libraries is open and hosted in public repositories it was possible to analyze the commits and identify who had added that malicious code. 

The developer community was disconcerted to find that the code was added by the original developer. 

Apparently unhappy with not being able to monetize the time he expended in developing the code, and how it was being used by so many developers, the developer decided to sabotage his own libraries.

Sabotage that impacts millions

It might sound like it’s nothing – it’s the developer’s code, after all. But to put it all into context, the affected libraries had an aggregate of 25 million downloads… not across their useful lifetime, but every single week. 

The politics of open source and how open source is monetized – including the steps a developer can take to address it – is really an entire article in and of itself, and opinions can vary a lot. But, for obvious reasons, the backlash around a developer tampering with code used by millions was immense. 

In fact, GitHub, where the code is hosted, suspended the developer’s account (though GitHub restored it a few days later). The developer claimed to maintain hundreds of projects, not just those two libraries; but the two libraries in question, of course, have an immense following.

Malicious action with real impact on developers

The libraries ended up being blocked from distribution, the code was reverted, and new libraries were created to replace the functionality.

What this meant for developers using those libraries was the extra work of checking code, updating it, and changing dependencies. One individual’s actions led to extra testing and all the other tasks that are necessary to ensure proper software execution. Countless work hours were spent on responding to a malicious actor, hours that could have been more productively used elsewhere.

It was deliberate action by a single developer that affected thousands of applications. But there are other situations where the tampering is not deliberate, yet it nonetheless comes from the source: the developer, or at least the developer’s account.

A compromised git server

Just a couple of months after that, in March, the git server holding the code for the most popular web server programming language, PHP, was compromised. Yes, you read that right: the PHP Team’s official PHP git repository was tampered with.

Attackers managed to change the source code for PHP 8.1 and introduce malicious commits into the system under the guise of “typo fixes”, which hid malicious code that, if successfully integrated into the PHP codebase, would disseminate to millions of PHP deployments and create a backdoor in millions of internet-facing websites and services written in PHP.

How did it happen? Git is a great tool, but it has a flaw: it is possible to submit code commits under someone else’s name. Another person reviewing the code edits may then be fooled into thinking that the edits were made by, say, the main project developer. 

The result is that any review could rely heavily on trust – the trust that the right person edited the code and made acceptable changes. Reviews can therefore be less stringent, allowing malicious code to slip under the radar undetected. 
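The mitigation for the trust problem described above is to stop relying on the author field and check the commit signature against a key you already associate with that maintainer. The script below is an added example, not code from the TuxCare post or from the PHP project: it reads `git log` output in a tab-separated format (git's `%G?` placeholder reports signature status and `%GK` the signing key), and flags any commit that is unsigned, carries a bad or untrusted signature, or is signed with a key that is not registered to the claimed author. The maintainer-to-key mapping and the sample log lines are constructed for the example.

```python
import subprocess
from dataclasses import dataclass

# Tab-separated fields: hash, author name, author email, signature status, signing key.
# %G? is git's signature-status placeholder: G good, B bad, U good but untrusted key,
# X/Y/R good but expired or revoked, E cannot be checked, N no signature at all.
LOG_FORMAT = "%H%x09%an%x09%ae%x09%G?%x09%GK"

# Constructed mapping: which long key id belongs to which maintainer. The author
# e-mail inside a commit is free text typed by whoever made the commit; only this
# mapping, maintained out of band, is trusted.
TRUSTED_KEYS = {
    "alice@example.org": "ABCD1234ABCD1234",
}

# Constructed sample of `git log --format="$LOG_FORMAT"` output (not real commits):
# 1) properly signed by Alice, 2) claims Alice but unsigned, 3) claims Alice but
# signed with a different key, 4) author not on the maintainer list at all.
SAMPLE_LOG = (
    "aaaa000000000000000000000000000000000001\tAlice Maintainer\talice@example.org\tG\tABCD1234ABCD1234\n"
    "bbbb000000000000000000000000000000000002\tAlice Maintainer\talice@example.org\tN\t\n"
    "cccc000000000000000000000000000000000003\tAlice Maintainer\talice@example.org\tG\tFFFF0000FFFF0000\n"
    "dddd000000000000000000000000000000000004\tMallory\tmallory@example.net\tG\t1111222233334444\n"
)


@dataclass
class Finding:
    commit: str
    author_email: str
    reason: str


def parse_log(text):
    """Turn the tab-separated log lines into dicts; reject malformed lines loudly."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            raise ValueError(f"unexpected log line: {line!r}")
        rows.append(dict(zip(("commit", "name", "email", "sig", "key"), parts)))
    return rows


def audit(rows, trusted_keys):
    """Return one Finding per commit whose authorship cannot be backed by a signature."""
    findings = []
    for r in rows:
        expected_key = trusted_keys.get(r["email"])
        if expected_key is None:
            findings.append(Finding(r["commit"], r["email"], "author is not a registered maintainer"))
        elif r["sig"] != "G":
            # Anything other than a good, trusted signature gets the same treatment as unsigned.
            findings.append(Finding(r["commit"], r["email"], f"no valid signature (status {r['sig']})"))
        elif r["key"] != expected_key:
            findings.append(Finding(r["commit"], r["email"], "signed with a key not registered to the claimed author"))
    return findings


def audit_range(rev_range="origin/master..HEAD", repo="."):
    """Run the same audit against a live repository (needs git; not used offline)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(parse_log(out), TRUSTED_KEYS)


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), TRUSTED_KEYS):
        print(f"{f.commit[:12]}  {f.author_email:22}  {f.reason}")
```

Run as a pre-merge check, `audit_range("origin/master..HEAD")` turns the question "did the right person make this change?" into a key check rather than a judgement about the name shown in the log; a commit that merely claims a maintainer's identity surfaces as a finding instead of earning a lighter review.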

And it’s not just PHP…

The malicious code added to PHP 8.1 was detected and the commits were rejected, so the code never made it into the PHP codebase millions use every day. Yet the problem it created led the team to move from its own git repository to GitHub.

In May, Python’s ctx library and PHP’s phpass library were both compromised in an operation that the attacker claimed was simply “for research purposes”, a claim that was ultimately impossible to prove or disprove. 

In a convoluted series of steps, the attacker took over the repositories for these libraries by impersonating the original developers – taking over email addresses that no longer existed, then requesting password recovery for those accounts, and creating fake domains to validate ownership of expired ones. 

This tricked the repository hosts into giving repository administration to the attacker, who was posing as the original developer who had lost access to his own code. The attacker proceeded to include credential-stealing code in those libraries, including AWS credentials. The attacker’s claims that all the gathered credentials were deleted were also impossible to verify.

Threat actors are investing heavily in supply chain attacks

These examples shine a light on the need for a quick response to threats in the code supply chain. The threat to code supply chains is not new in and of itself. However, the attacks we’re seeing lately are different because the time invested goes well beyond the usual attack turnaround time of days or weeks.

The latest compromises required a huge amount of time to execute. In many ways they are a much more serious kind of supply chain attack, striking at the heart of code that is – blindly – used by millions of organizations around the world.

Another point makes the matter more serious: the large amount of work required to change library versions in response to a compromise. New library versions take considerable time to integrate, test and deploy each time such an event takes place. 

This is where a service like Extended Lifecycle Support for PHP and Extended Lifecycle for Python can help. TuxCare quickly provides security updates for language-level issues and for related modules, closing the holes opened by attacks like those described above faster and with less work than the alternatives.

PHP Extended Lifecycle Support and cPanel integration

PHP is used to power a vast number of websites on the Internet, some of which will be hosted side-by-side on the same system. When using cPanel to manage those websites, the PHP Extended Lifecycle Support offering will be tightly integrated into cPanel’s PHP Selector, allowing for easier configuration on a site-by-site basis.

 


PHP Extended Lifecycle Support: A deeper look

PHP Extended Lifecycle Support provides security updates and versions if you’re interested in maintaining compatibility with existing PHP code while remaining secure against the latest language-level vulnerabilities.

 


PHP ELS fixes hundreds of security issues at launch

If you’re reading this blog regularly, you’ll already know that unremedied security vulnerabilities open the door to cyberattacks. You’ll also know how tough it is to fix some of these vulnerabilities. For example: where a vulnerability is in an older version of a programming language and you’re still relying on that older language version for important workloads.

Thankfully, that’s the challenge we’re fixing with our new PHP Extended Lifecycle Support – a critical tool that helps you run your older PHP apps safely and securely. It’s just rolled out, and you can already fix hundreds of PHP security problems with it. Let’s take a look.

What is PHP extended lifecycle support (ELS)?

PHP, like any other component of the tech stack, accumulates vulnerabilities over time. New flaws that emerge are eventually exploited in the wild, and hackers start relying on these exploits to gain access to networks – probing systems for the presence of a known vulnerability. That said, every new version of PHP brings fixes to known vulnerabilities.

Fixing these vulnerabilities is critical because, cumulatively, hundreds of unfixed vulnerabilities become a huge security hole. When the vulnerability is in a certain version of PHP, e.g. PHP 5.5, the only way to fix it is to upgrade the PHP version. But in many instances, it is not a simple process given that changes in language version can require significant code adjustments.

PHP Extended Lifecycle Support provides support for your PHP code by fixing security issues at the language level – directly in the language package. However, it does so without changing the way that language works. It means that you fix the security vulnerabilities, without changing any code in your apps and without risking your apps breaking.

Right now, our PHP ELS service already covers a very large list of vulnerabilities, across multiple different versions. For example, PHP 5.5 is still commonly used even if it’s a relatively old version of PHP – and TuxCare PHP ELS can patch it for over 220 vulnerabilities.

Do I really need it?

Ask yourself this simple question: are you using an outdated version of PHP? Let’s say you are still using PHP 5.5. It’s a version of the language that has a couple of hundred unfixed vulnerabilities, which is not something you can ignore. If your organization cannot easily switch to an updated version of PHP, then you should seriously think about our ELS service for PHP.

Besides, over time, the existing list of vulnerabilities will only continue to grow, as new ones are identified and patched. For other versions of PHP, it is a similar situation, but different vulnerabilities affect each version.

As an example, take the bug outlined here on the PHP website. It’s the first one on the list below, and it means that specially crafted code raises the privileges of a user all the way to root – and it’s because of a flaw in PHP. It’s a major security risk, but it is easy to fix this flaw – and avoid the risk – thanks to TuxCare’s PHP ELS.

That’s true for all of the bugs we list below. We provide this list to give you insight into how effective PHP ELS from TuxCare already is – and to remind you of the many PHP vulnerabilities out in the wild. The bug numbers listed below refer to the identifier shown at https://bugs.php.net/bug.php which is a repository for PHP vulnerabilities.

– Fix bug #81026: PHP-FPM oob R/W in root process leading to privilege escalation (CVE-2021-21703)
– Fix bug #79971: special character is breaking the path in xml function. (CVE-2021-21707)
– Fix bug #81305: Built-in Webserver Drops Requests With “Upgrade” Header.
– Fix bug #72595: php_output_handler_append illegal write access.
– Fix bug #81211: Symlinks are followed when creating PHAR archive. (cmb)
– Fix bug: … in firebird_info_cb. (CVE-2021-21704)
– Fix bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704)
– Fix bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704)
– Fix bug #76452: Crash while parsing blob data in firebird_fetch_blob. (CVE-2021-21704)
– Fix bug #70091: Phar does not mark UTF-8 filenames in ZIP archives
– Fix bug #80719: Iterating after failed ArrayObject::setIteratorClass() causes Segmentation fault
– Fix bug #75850: Unclear error message wrt. __halt_compiler() w/o semicolon
– Fix bug #73533: Invalid memory access in php_libxml_xmlCheckUTF8
– Fix bug #66783: UAF when appending DOMDocument to element
– Fix bug #80672: Null Dereference in SoapClient. (CVE-2021-21702)
– Fix bug #73809: Phar Zip parse crash – mmap fail
– Fix bug #80366: Potential issue in ext/standard/iptc.c: Return Value Not Checked
– Fix bug #79699: PHP parses encoded cookie names so malicious `__Host-` cookies can be sent (CVE-2020-7070)
– Fix bug #80007: Potential type confusion in unixtojd() parameter parsing
– Fix bug #62890: default_socket_timeout=-1 causes connection to timeout
– Fix bug #70362: Can’t copy() large 'data://' with open_basedir
– Fix bug #73527: Invalid memory access in php_filter_strip
– Fix bug #74267: segfault with streams and invalid data
– Fix bug #79787: mb_strimwidth does not trim string
– Fix bug #79877: getimagesize function silently truncates after a null byte
– Fix bug #78221: DOMNode::normalize() doesn’t remove empty text nodes
– Fix bug #78875: Long variables cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #78876: Long variables in multipart/form-data cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #79497: stream_socket_client() throws an unknown error sometimes with <1s timeout
– Fix bug #79514: Memory leaks while including unexistent file
– Fix bug #79528: Different object of the same xml between 7.4.5 and 7.4.4
– Fix bug #61597: SXE properties may lack attributes and content
– Fix bug #74940: DateTimeZone loose comparison always true
– Fix bug #75673: SplStack::unserialize() behavior
– Fix bug #79200: Some iconv functions cut Windows-1258
– Fix bug #79296: ZipArchive::open fails on empty file
– Fix bug #79330: shell_exec() silently truncates after a null byte
– Fix bug #79364: When copy empty array, next key is unspecified
– Fix bug #79396: setting Date/Time during a forward DST transition
– Fix bug #79410: system() swallows last chunk if it is exactly 4095 bytes without newline
– Fix bug #79424: php_zip_glob uses gl_pathc after call to globfree
– Fix bug #79465: OOB Read in urldecode() (CVE-2020-7067)
– Fix bug #79078: Hypothetical use-after-free in curl_multi_add_handle
– Fix bug #79282: Use-of-uninitialized-value in exif (CVE-2020-7064)
– Fix bug #79329: get_headers silently truncates after a null byte (CVE-2020-7066)
– Fix bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` (CVE-2020-7060)
– Fix bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)
– Fix bug #79099: OOB read in php_strip_tags_ex (CVE-2020-7059)
– Fix bug #79221: Null Pointer Dereference in PHP Session Upload Progress (CVE-2020-7062)
– Fix bug #78793: Use-after-free in exif parsing under memory sanitizer
– Fix bug #78878: Buffer underflow in bc_shift_addsub. (CVE-2019-11046)
– Fix bug #78910: Heap-buffer-overflow READ in exif. (CVE-2019-11047)
– Fix bug #78863: DirectoryIterator class silently truncates after a nullbyte. (CVE-2019-11045)
– Fix bug #76342: file_get_contents waits twice specified timeout
– Fix bug #76859: stream_get_line skips data if used with data-generating filter
– Fix bug #78579: mb_decode_numericentity: args number inconsistency
– Fix bug #78599: env_path_info underflow can lead to RCE. (CVE-2019-11043)
– Fix bug #78380: Oniguruma 6.9.3 fixes CVEs. (CVE-2019-13224)
– Fix bug #69100: Bus error from stream_copy_to_stream
– Fix bug #75457: heap-use-after-free
– Fix bug #77946: Bad cURL resources returned by curl_multi_info_read
– Fix bug #78333: Exif crash (bus error) due to wrong alignment and invalid cast
– Fix bug #78342: Bus error in configure test for iconv //IGNORE
– Fix bug #78363: Buffer overflow in zendparse
– Fix bug #77124: FTP with SSL memory leak
– Fix bug #78192: PDO SQLite SegFault when reuse statement after schema has changed
– Fix bug #78212: Segfault in built-in webserver
– Fix bug #78222: heap-buffer-overflow on exif_scan_thumbnail
– Fix bug #78256: heap-buffer-overflow on exif_process_user_comment
– Fix bug #78279: libxml_disable_entity_loader settings is shared between requests (cgi-fcgi)
– Fix bug #78291: Missing opcache directives
– Fix bug #77967: Bypassing open_basedir restrictions via file uris
– Fix bug #77973: Uninitialized read in gdImageCreateFromXbm
– Fix bug #77988: heap-buffer-overflow on php_jpg_get16
– Fix bug #78069: Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
– Fix bug #50020: DateInterval:createDateFromString() silently fails
– Fix bug #76717: var_export() does not create a parsable value for PHP_INT_MIN
– Fix bug #77024: SplFileObject::__toString() may return array
– Fix bug #77664: Segmentation fault when using undefined constant in custom wrapper
– Fix bug #77677: WCOREDUMP not available on all systems
– Fix bug #77697: Crash on Big_Endian platform
– Fix bug #77700: Writing truecolor images as GIF ignores interlace flag
– Fix bug #77722: Incorrect IP set to $_SERVER['REMOTE_ADDR'] on the localhost
– Fix bug #77742: bcpow() implementation related to gcc compiler optimization
– Fix bug #77765: FTP stream wrapper should set the directory as executable
– Fix bug #77921: static.php.net doesn’t work anymore
– Fix bug #77934: php-fpm kill -USR2 not working
– Fix bug #77943: imageantialias($image, false); does not work
– Fix bug #77944: Wrong meta pdo_type for bigint on LLP64
– Fix bug #77945: Segmentation fault when constructing SoapClient with WSDL_CACHE_BOTH
– Fix bug #51068: glob:// do not support current path relative
– Fix bug #77390: feof might hang on TLS streams in case of fragmented TLS records
– Fix bug #77396: Null Pointer Dereference in phar_create_or_parse_filename
– Fix bug #77431: SplFileInfo::__construct() accepts NUL bytes
– Fix bug #77540: Invalid Read on exif_process_SOFn
– Fix bug #77546: iptcembed broken function
– Fix bug #77563: Uninitialized read in exif_process_IFD_in_MAKERNOTE
– Fix bug #77586: phar_tar_writeheaders_int() buffer overflow
– Fix bug #77630: safer rename() procedure
– Fix bug #77242: heap out of bounds read in xmlrpc_decode()
– Fix bug #77247: heap buffer overflow in phar_detect_phar_fname_ext
– Fix bug #77269: Potential unsigned underflow in gdImageScale
– Fix bug #77270: imagecolormatch Out Of Bounds Write on Heap
– Fix bug #77371: heap buffer overflow in mb regex functions – compile_string_node
– Fix bug #77380: Global out of bounds read in xmlrpc base64 code
– Fix bug #77418: Heap overflow in utf32be_mbc_to_code
– Fix bug #66828: iconv_mime_encode Q-encoding longer than it should be
– Fix bug #76800: foreach inconsistent if array modified during loop
– Fix bug #76901: method_exists on SPL iterator passthrough method corrupts memory
– Fix bug #76480: Use curl_multi_wait() so that timeouts are respected
– Fix bug #76832: ZendOPcache.MemoryBase periodically deleted by the
– Fix bug #75696: posix_getgrnam fails to print details of group
– Fix bug #74454: Wrong exception being thrown when using ReflectionMethod
– Fix bug #73457: Wrong error message when fopen FTP wrapped fails to open data connection
– Fix bug #74764: and add a test case
– Fix bug #76886: Can’t build xmlrpc with expat
– Fix bug #75273: php_zlib_inflate_filter() may not update bytes_consumed
– Fix bug #76505: array_merge_recursive() is duplicating sub-array keys
– Fix bug #76532: excessive memory usage in mb_strimwidth
– Fix bug #76548: pg_fetch_result did not fetch the next row
– Fix bug #76488: Memory leak when fetching a BLOB field
– Fix bug #73817: Incorrect entries in get_html_translation_table
– Fix bug #52974: jewish.c: compile error under Windows with GBK charset
– Fix bug #76665: SQLite3Stmt::bindValue() with SQLITE3_FLOAT doesn’t juggle
– Fix bug #75402: Possible Memory Leak using PDO::CURSOR_SCROLL option
– Fix bug #76335: “link(): Bad file descriptor” with non-ASCII path
– Fix bug #76704: mb_detect_order return value varies based on argument type
– Fix bug #72443: Generate enabled extension
– Fix bug #65988: Zlib version check fails
– Fix bug #68175: RegexIterator pregFlags are NULL instead of 0
– Fix bug #76296: openssl_pkey_get_public does not respect open_basedir
– Fix bug #68825: Exception in DirectoryIterator::getLinkTarget()
– Fix bug #55146: iconv_mime_decode_headers() skips some headers
– Fix bug #63839: iconv_mime_decode_headers function is skipping headers
– Fix bug #60494: iconv_mime_decode does ignore special characters
– Fix bug #68180: iconv_mime_decode can return extra characters in a header
– Fix bug #76367: NoRewindIterator segfault 11
– Fix bug #76383: array_map on $GLOBALS returns IS_INDIRECT
– Fix bug #73342: Vulnerability in php-fpm by changing stdin to non-blocking
– Fix bug #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
– Fix bug #76249: Stream filter convert.iconv leads to infinite loop on invalid sequence
– Fix bug #76248: LDAP-Server Response causes Crash
– Fix bug #76129: (CVE-2018-10547) Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file
– Fix bug #75981: Stack-buffer-overflow while parsing HTTP response
– Fix bug #75571: Potential infinite loop in gdImageCreateFromGifCtx
– Fix bug #74782: Reflected XSS in .phar 404 page
– Fix bug #74145: wddx parsing empty boolean tag leads to SIGSEGV (CVE-2017-11143)
– Fix bug #74651: negative-size-param (-1) in memcpy in zif_openssl_seal() (CVE-2017-11144)
– Fix bug #74819: wddx_deserialize() heap out-of-bound read via php_parse_date() (CVE-2017-11145)
– Fix bug #74435: Buffer over-read into uninitialized memory (CVE-2017-7890)
– Fix bug CVE-2017-9224: Buffer Overflow in match_at() (Oniguruma issue)
– Fix bug CVE-2017-9226: Heap corruption in next_state_val() in 15 encodings (Oniguruma issue)
– Fix bug CVE-2017-9227: Bug in mbc_enc_len() (Oniguruma issue)
– Fix bug CVE-2017-9228: Heap corruption in next_state_val() due to uninitialized local variable (Oniguruma issue)
– Fix bug CVE-2017-9229: SIGSEGV in left_adjust_char_head() due to bad dereference (Oniguruma issue)
– Fix bug #74087: Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)
– Fix bug #74603: PHP INI Parsing Stack Buffer Overflow Vulnerability
– Fix bug #69090: opcache: add prefix/xor to cache keys/check permissions or separate caches
– Fix bug #72627: Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128)
– Fix bug #73764: Crash while loading hostile phar archive (CVE-2016-10159)
– Fix bug #73768: Memory corruption when loading hostile phar (CVE-2016-10160)
– Fix bug #73825: Heap out of bounds read on unserialize in finish_nested_data() (CVE-2016-10161)
– Fix bug #68447: grapheme_extract take an extra trailing character
– Fix bug #70213: Unserialize context shared on double class lookup
– Fix bug #73549: Use after free when stream is passed to imagepng
– Fix bug #73737: FPE when parsing a tag format (CVE-2016-10158)
– Fix bug #73773: Seg fault when loading hostile phar
– Fix bug #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
– Fix bug #73869: Signed Integer Overflow gd_io.c
– Fix bug #73452: Segfault (Regression for #69152)
– Fix bug #73631: Invalid read when wddx decodes empty boolean element
– Fix bug #73356: crash in bzcompress function
– Fix bug CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf
– Fix bug #72482: Illegal write/read access caused by gdImageAALine overflow
– Fix bug #72696: imagefilltoborder stackoverflow on truecolor images
– Fix bug #73418: Integer Overflow in “_php_imap_mail” leads Heap Overflow
– Fix bug #73144: Use-after-free in ArrayObject Deserialization
– Fix bug #73192: parse_url return wrong hostname
– Fix bug #73331: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
– Fix bug #73189: Memcpy negative size parameter php_resolve_path
– Fix bug #73147: Use After Free in unserialize()
– Fix bug #73190: memcpy negative parameter _bc_new_num_ex
– Fix bug #73150: missing NULL check in dom_document_save_html
– Fix bug #73284: heap overflow in php_ereg_replace function
– Fix bug CVE-2016-7568: Integer Overflow in gdImageWebpCtx of gd_webp.c
– Fix bug #73218: stack-buffer-overflow through “ResourceBundle” methods
– Fix bug #73208: integer overflow in imap_8bit caused heap corruption
– Fix bug #73082: string length overflow in mb_encode_* function
– Fix bug #73174: heap overflow in php_pcre_replace_impl
– Fix bug #73276: crash in openssl_random_pseudo_bytes function
– Fix bug #73275: crash in openssl_encrypt function
– Fix bug #73017: memory corruption in wordwrap function
– Fix bug #73240: Write out of bounds at number_format
– Fix bug #73073: CachingIterator null dereference when convert to string
– Fix bug #73293: NULL pointer dereference in SimpleXMLElement::asXML()
– Fix bug #73052: CVE-2016-7411: Memory Corruption in During Deserialized-object Destruction
– Fix bug #72293: CVE-2016-7412: Heap overflow in mysqlnd related to BIT fields
– Fix bug #72860: CVE-2016-7413: wddx_deserialize use-after-free
– Fix bug #72928: CVE-2016-7414: Out of bound when verify signature of zip phar in phar_parse_zipfile
– Fix bug #73007: CVE-2016-7416: SEH buffer overflow msgfmt_format_message
– Fix bug CVE-2016-7417: Missing type check when unserializing SplArray
– Fix bug CVE-2016-7418: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
– Fix bug #72837: integer overflow in bzdecompress caused heap corruption (bz2)
– Fix bug #70436: Use After Free Vulnerability in unserialize() (core)
– Fix bug #72024: microtime() leaks memory (core)
– Fix bug #72633: Create an Unexpected Object and Don’t Invoke __wakeup() in Deserialization (core)
– Fix bug #72681: PHP Session Data Injection Vulnerability (core)
– Fix bug #72807: integer overflow in curl_escape caused heap corruption (curl)
– Fix bug #72838: Integer overflow lead to heap corruption in sql_regcase (ereg)
– Fix bug #72697: select_colors write out-of-bounds (gd)
– Fix bug #72730: imagegammacorrect allows arbitrary write access (gd)
– Fix bug #72708: php_snmp_parse_oid integer overflow in memory allocation (snmp)
– Fix bug #72836: integer overflow in base64_decode caused heap corruption (standard)
– Fix bug #72848: integer overflow in quoted_printable_encode caused heap corruption (standard)
– Fix bug #72849: integer overflow in urlencode caused heap corruption (standard)
– Fix bug #72850: integer overflow in php_uuencode caused heap corruption (standard)
– Fix bug #72771: ftps:// wrapper is vulnerable to protocol downgrade attack (streams)
– Fix bug #72749: wddx_deserialize allows illegal memory access (wddx)
– Fix bug #72750: wddx_deserialize null dereference (wddx)
– Fix bug #72790: wddx_deserialize null dereference with invalid xml (wddx)
– Fix bug #72799: wddx_deserialize null dereference in php_wddx_pop_element (wddx)
– Fix bug #69288: Regression introduced in fix for bug 69085 leads to a segmentation fault
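A list like the one above is most useful when it can be cross-referenced against what a vulnerability scanner reports for a given PHP version. The parser below is an added example, not TuxCare's tooling: it reads entries in the changelog format used above, extracting the bug number (when present), every CVE identifier (whether it appears as a prefix, in parentheses at the end, or in place of the bug number) and the cleaned description, and then indexes the entries by CVE. The sample entries are copied from the list above; the function names are my own.

```python
import re

# Constructed subset of the entries listed above, chosen to cover each format variant:
# CVE in trailing parentheses, no CVE at all, two entries sharing one CVE, CVE as a
# prefix after the bug number, CVE in place of the bug number, CVE in leading parentheses.
SAMPLE_ENTRIES = """\
– Fix bug #81026: PHP-FPM oob R/W in root process leading to privilege escalation (CVE-2021-21703)
– Fix bug #81305: Built-in Webserver Drops Requests With “Upgrade” Header.
– Fix bug #78875: Long variables cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #78876: Long variables in multipart/form-data cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #73052: CVE-2016-7411: Memory Corruption in During Deserialized-object Destruction
– Fix bug CVE-2017-9224: Buffer Overflow in match_at() (Oniguruma issue)
– Fix bug #76129: (CVE-2018-10547) Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file
"""

# Entry prefix: a dash, "Fix bug", an optional "#<number>", an optional colon, then the rest.
ENTRY_RE = re.compile(r"^[–-]\s*Fix bug\s*(?:#(?P<bug>\d+))?:?\s*(?P<rest>.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def clean_description(rest):
    """Remove CVE tokens and the punctuation they leave behind, keeping code like match_at()."""
    desc = CVE_RE.sub("", rest)
    # Empty parentheses that used to hold a CVE: only where "(" starts the text or follows a space,
    # so a function name such as match_at() is left untouched.
    desc = re.sub(r"(?:^|\s)\(\s*\)", "", desc)
    desc = re.sub(r"^\s*:\s*", "", desc)  # leading ": " when the CVE was the prefix
    return re.sub(r"\s{2,}", " ", desc).strip()


def parse_entries(text):
    """Return one record per entry: bug id (or None), sorted unique CVEs, cleaned description."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not an entry line; tolerate blank lines or prose between entries
        rest = m.group("rest")
        records.append({
            "bug": m.group("bug"),
            "cves": sorted(set(CVE_RE.findall(rest))),
            "description": clean_description(rest),
        })
    return records


def all_cves(records):
    """Sorted list of every distinct CVE mentioned across the entries."""
    return sorted({cve for r in records for cve in r["cves"]})


def by_cve(records):
    """Map each CVE to the bug ids that fix it, in order of appearance (None for entries without a bug id)."""
    index = {}
    for r in records:
        for cve in r["cves"]:
            index.setdefault(cve, []).append(r["bug"])
    return index


if __name__ == "__main__":
    recs = parse_entries(SAMPLE_ENTRIES)
    print(f"{len(recs)} entries, {len(all_cves(recs))} distinct CVEs")
    for cve, bugs in by_cve(recs).items():
        print(f"{cve}: bugs {bugs}")
```

Feeding the full list through `parse_entries` and comparing `all_cves` with a scanner's findings for the PHP build in question gives a quick answer to which reported CVEs the backported fixes cover and which entries carry no CVE at all and need to be matched by bug number instead.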

Every old version of PHP will have vulnerabilities. As you can see above, it could be hundreds of vulnerabilities. But yes, you could be stuck with that PHP version for some of your applications, and it’s a tough position to be in.

Thankfully, applying TuxCare’s PHP security fixes to a workload is simple. We provide a set of packages containing the latest security fixes but backported to be compatible with the specific PHP version that you need.

Simply swap out a couple of packages and your older PHP version is fully supported. Want to test drive PHP ELS from TuxCare? Talk to an expert today!
