PHP Updated to Fix Heartbleed, Other Bugs

Type threatpost
Reporter Dennis Fisher
Modified 2014-05-08T13:11:52


The maintainers of PHP have released two new versions of the scripting language that fix a number of bugs, including a pair of vulnerabilities related to OpenSSL. Versions 5.4.28 and 5.5.12 both contain that important patch, as well as fixes for more than a dozen other vulnerabilities.

The fix for the OpenSSL flaws is in both PHP 5.4.28 and 5.5.12. Both versions also include a slew of other bug fixes, one of which is for CVE-2014-0185, a privilege escalation flaw. The bug could allow an attacker to run arbitrary code in some situations.

“Both default config and compiled-in defaults of sapi/fpm lead to configurations which easily allow any user with rights to connect to a UNIX socket to run arbitrary code with the permissions of the fpm user,” a description of the bug says.

“A typical scenario for this issue:

– shared hosting environment with multiple fpm pools, running with different permissions (user1, user2, …)

– user1 can easily run code as user2 by pretending to be a FastCGI client and connecting to (e.g.) /var/run/php-fpm.user1.sock.”

Users of either version of PHP are encouraged to update to the fixed packages as soon as possible to protect themselves against potential attacks.

_ This story was updated on May 2 to clarify the OpenSSL bugs._