Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6113 to the following vulnerability: The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through 5.3.13 does not initialize a certain variable, which allows remote attackers to obtain sensitive information from process memory by providing zero bytes of input data. References: [1] http://openwall.com/lists/oss-security/2013/01/18/6 [2] http://git.php.net/?p=php-src.git;a=commit;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e [3] https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793 [4] https://bugs.php.net/bug.php?id=61413
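The description above says only that zero bytes of input to openssl_encrypt() causes uninitialized process memory to be returned. The following PHP script is an added example, not code from this bug report or from the PHP project, that turns that description into a concrete check: it encrypts an empty string and verifies the result has the shape a correct implementation must produce, and it shows an application-side guard that refuses to pass attacker-controlled empty input to the function. The cipher choice (AES-128-CBC), the fixed key and IV, and the function names are assumptions made for the example.

```php
<?php
// Added example (not from the Red Hat bug or php-src): probe for the
// CVE-2012-6113 behaviour, where openssl_encrypt() called with zero bytes of
// input returned uninitialised process memory in PHP 5.3.9 through 5.3.13.
//
// Assumptions (not stated on the page): AES-128-CBC with PKCS#7 padding, so the
// ciphertext of an empty plaintext is exactly one 16-byte block. The key and IV
// below are constructed test values, not secrets.
//
// PHP 5.3 takes a bool "raw output" as the 4th argument; PHP >= 5.4 takes an
// int options bitmask where OPENSSL_RAW_DATA == 1, so passing true works on both.
const PROBE_CIPHER = 'aes-128-cbc';

function probe_empty_input_encrypt($key, $iv)
{
    $block = openssl_cipher_iv_length(PROBE_CIPHER); // 16 for AES-CBC
    $ct1 = openssl_encrypt('', PROBE_CIPHER, $key, true, $iv);
    $ct2 = openssl_encrypt('', PROBE_CIPHER, $key, true, $iv);

    $problems = array();
    if ($ct1 === false || $ct2 === false) {
        $problems[] = 'openssl_encrypt returned false for empty input';
        return $problems;
    }
    // Zero bytes of plaintext must encrypt to exactly one block of padding.
    if (strlen($ct1) !== $block) {
        $problems[] = sprintf('expected %d bytes, got %d', $block, strlen($ct1));
    }
    // Output must be deterministic for a fixed key/IV; differing results from
    // identical calls mean something other than the padding block is being
    // copied into the return value.
    if ($ct1 !== $ct2) {
        $problems[] = 'two identical calls returned different ciphertext';
    }
    // And it must round-trip back to the empty string.
    $pt = openssl_decrypt($ct1, PROBE_CIPHER, $key, true, $iv);
    if ($pt !== '') {
        $problems[] = 'ciphertext of empty input did not decrypt to empty string';
    }
    return $problems;
}

// Application-side guard for builds that cannot be updated yet: refuse to
// encrypt attacker-controlled input that is empty instead of handing it to the
// affected function. This only removes the trigger described in the CVE; the
// real fix is the php-src commit referenced above.
function encrypt_user_data($data, $key, $iv)
{
    if (!is_string($data) || $data === '') {
        throw new InvalidArgumentException('refusing to encrypt zero bytes of input');
    }
    $ct = openssl_encrypt($data, PROBE_CIPHER, $key, true, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return $ct;
}

// Constructed test key and IV for the probe.
$key = str_repeat("\x01", 16);
$iv  = str_repeat("\x02", 16);

$problems = probe_empty_input_encrypt($key, $iv);
if ($problems) {
    echo "AFFECTED: " . implode('; ', $problems) . "\n";
} else {
    echo "OK: empty-input ciphertext is a single clean padding block\n";
}
```

Run it under the PHP build in question (`php probe.php`). A fixed build prints the OK line; a build that returns more than one block, non-deterministic bytes, or a ciphertext that does not decrypt to the empty string is exhibiting the behaviour the CVE describes. The guard in encrypt_user_data() is the check to add at any call site where user-supplied data reaches openssl_encrypt() and the result is returned to the client.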
I think this doesn't affect php (RHEL-6) or php53 (RHEL-5), which are 5.3.3 based. According to the CVE, the issue was introduced in php-5.3.9 by http://git.php.net/?p=php-src.git;a=commitdiff;h=095cbc48a8f0090f3b0abc6155f2b61943c9eafb. After checking, this is not applied in any of our patches.
Statement: Not Vulnerable. This issue does not affect the version of php as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of php53 as shipped with Red Hat Enterprise Linux 5.
This issue did NOT affect the versions of the php package as shipped with Fedora releases 16, 17, and 18.