Description of problem:
RHN's current version of PHP is php-4.2.2-8.0.8. This version has a number of security vulnerabilities and fails a number of security tests. The current distribution of PHP is 4.3.2 (released May 29, 2003). Please make the most current, most secure version of PHP products available through RHN. It concerns me that I'm paying for a service that does not keep pace with stable releases.

Version-Release number of selected component (if applicable):
php-4.2.2-8.0.8

How reproducible:
Every time

Steps to Reproduce:
1. rpm -qa | grep php
2. Nessus and Nikto scans
3. Publicly available security advisories

Actual results:
- The mail() function does not properly sanitize user input. This allows users to forge email to make it look like it is coming from a source other than the server.
- The new POST handling system in PHP 4.2.0 and 4.2.1 has a bug which allows an attacker to disable the remote server or to compromise it.
- There is a flaw in this version which may allow an attacker who has the ability to inject an arbitrary argument to the function socket_iovec_alloc() to crash the remote service and possibly to execute arbitrary code. For this attack to work, PHP has to be compiled with the option --enable-sockets (which is disabled by default), and an attacker needs to be able to pass arbitrary values to socket_iovec_alloc(). Other functions are vulnerable to such flaws: openlog(), socket_recv(), socket_recvfrom() and emalloc().

Expected results:

Additional info:
PHP released version 4.3.2 on May 29, 2003. Prior to that, other versions were released since 4.2.2.
See bug #101784 *** This bug has been marked as a duplicate of 101784 ***
Whoops, this is for PHP not httpd. Reopening.
It has been brought to my attention that the problem relating to the malformed POST is a high risk problem (i.e. an attacker can disable or compromise the system). Please treat this high risk security threat accordingly.
I've just been directed to Security Focus which lists this vulnerability as low. Nevertheless, the vulnerability has been known for over a year and clearly is overdue for being addressed.
The issues you have listed are:

CAN-2002-0986 mail function - this issue is fixed by a backported security fix applied to Red Hat packages of PHP since 4.2.2-15 (for Red Hat Linux 7.1-7.3 this was covered by a security errata in 2002; for Red Hat Linux 8.0 and 9 the packages we shipped had this error).

CAN-2002-0717 PHP post function - this issue is reported to only affect PHP versions 4.2.1 and 4.2.0; therefore 4.2.2 is not vulnerable to this issue.

CAN-2003-0166 socket error - this issue only applies if PHP is compiled with --enable-sockets, which the Red Hat packages are not.

Also see http://www.redhat.com/advice/speaks_backport.html on why we backport security fixes rather than upgrading to the latest upstream releases and how this confuses tools such as Nessus.
Unfortunately, from the specfiles it looks like the Red Hat RPMs are actually built *with* --enable-sockets, at least on 7.3 (php-4.1.2-7.3.6.src.rpm) and 9 (php-4.2.2-17.2.src.rpm). That means that CAN-2003-0166 and CAN-2003-0172 indeed do apply. Please reopen.
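The two checks the last two comments turn on, as an added example that is not part of the bug report and not Red Hat's own tooling: a version-string scanner such as Nessus sees "4.2.2" and flags everything known against 4.2.2, but the questions that actually decide exposure here are (1) whether the package changelog records a backported fix for a given CAN id, and (2) whether the package was really configured with --enable-sockets, which the first reply asserted and the second reply refuted from the spec files. Both inputs below are constructed samples (placeholder packager, invented dates and entries) so the script runs offline; the function names are mine. On a real host you would feed it `rpm -q --changelog php` and the %configure block of php.spec taken from the source RPM.

```shell
#!/bin/sh
# Added example, not from the bug report or from Red Hat.
# Checks a version-string scanner does not make:
#   1. fix_in_changelog       - is a CAN id named in an rpm changelog entry?
#   2. configure_flag_present - was a given ./configure flag really used?

# Constructed excerpt in the format of `rpm -q --changelog php`
# (placeholder packager, invented dates). Newest entry first, as rpm prints it.
SAMPLE_CHANGELOG='* Tue Aug 06 2002 packager <packager@example.com> 4.2.2-15
- backport fix for CAN-2002-0986 (mail() header injection)
- rebuild against new libxml

* Mon Jul 22 2002 packager <packager@example.com> 4.2.2-8.0.8
- fix build on ia64'

# Constructed %configure invocation in the style of a php.spec, with one
# flag left commented out so the comment stripping below is exercised.
SAMPLE_SPEC='%configure \
    --prefix=%{_prefix} \
    --with-config-file-path=%{_sysconfdir} \
    --enable-sockets \
    --enable-bcmath \
    --disable-debug
# --enable-debug'

# fix_in_changelog CHANGELOG CAN-ID
# Prints the version-release of the newest changelog entry whose body
# mentions CAN-ID, or "none". Entry headers look like
# "* <date> <packager> <version-release>", so the last field is the NVR.
fix_in_changelog() {
    printf '%s\n' "$1" | awk -v id="$2" '
        /^\* /                      { vr = $NF; next }   # header: remember NVR
        index($0, id) && !found     { found = vr }       # first (newest) hit
        END                         { print (found ? found : "none") }'
}

# configure_flag_present SPEC FLAG
# Strips "#" comments and backslash line continuations, splits the rest into
# one word per line and looks for FLAG as an exact word. Prints yes or no.
configure_flag_present() {
    if printf '%s\n' "$1" | sed 's/#.*$//' | tr -d '\\' \
            | tr ' \t' '\n\n' | grep -qx -- "$2"; then
        echo yes
    else
        echo no
    fi
}

# verdict CHANGELOG SPEC
# Summarises the two issues argued over in the bug, one line each.
verdict() {
    fixvr=$(fix_in_changelog "$1" CAN-2002-0986)
    if [ "$fixvr" = none ]; then
        echo "CAN-2002-0986: no backported fix recorded in the changelog"
    else
        echo "CAN-2002-0986: backported fix recorded in changelog entry $fixvr"
    fi
    if [ "$(configure_flag_present "$2" --enable-sockets)" = yes ]; then
        echo "CAN-2003-0166 / CAN-2003-0172: apply (built with --enable-sockets)"
    else
        echo "CAN-2003-0166 / CAN-2003-0172: do not apply (sockets not enabled)"
    fi
}

verdict "$SAMPLE_CHANGELOG" "$SAMPLE_SPEC"
```

Against the samples this reports the backport in 4.2.2-15 and that the sockets flag is present, which is exactly the combination the thread ends on: the reporter's 4.2.2-8.0.8 predates the backport, and the socket issues apply because the spec enables sockets regardless of PHP's default. Note that the changelog check only proves the packager claimed a fix; confirming the fix is in the binary still needs the source RPM's patches or a functional test.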