PHP Security PHP 7.3.1, PHP 7.2.14, PHP 7.1.26 and PHP 5.6.40 released

Discussion in 'Nginx and PHP-FPM news & discussions' started by buik, Jan 10, 2019.

  1. buik (Well-Known Member)
  2. eva2000 (Administrator, Staff Member)
    thanks for heads up .. must be kind of serious for EOL PHP 5.6 to get a 5.6.40 update
    Code (Text):
    10 Jan 2019, PHP 5.6.40
    - GD:
    . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
    use-after-free). (cmb)
    . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
    
    - Mbstring:
    . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
    . Fixed bug #77371 (heap buffer overflow in mb regex functions
    - compile_string_node). (Stas)
    . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
    . Fixed bug #77382 (heap buffer overflow due to incorrect length in
    expand_case_fold_string). (Stas)
    . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
    . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
    . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
    
    - Phar:
    . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
    
    - Xmlrpc:
    . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
    . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
    
     
  3. buik (Well-Known Member)
    And this is the biggest problem with the current PHP cycle. There is no LTS version.
    The PHP cycle is too short.

    With customized software, you can't always upgrade.
    Even if you really want to.

    Fortunately, there are always alternatives from third parties :)
     
  4. eva2000 (Administrator, Staff Member)
    LTS sometimes is a myth - software and code are ever evolving, and it depends on the environment it operates in, which can change over time due to factors outside the LTS developers' control.
     
  5. buik (Well-Known Member)
    LTS for me is the key factor just like the Linux kernel.

    Edge and LTS.

    Something for everyone.

    Based on Edge (Fedora) or LTS code (RHEL), a supplier such as Red Hat can then offer a product within a controlled environment with hard guarantees.

    Again something for everyone.
     
  6. Revenge (Active Member)
    Is 5.6.40 official from the PHP team, or is it a security backport from Remi? If I'm not mistaken, Remi has been doing that for some time with EOL versions.
     
  7. buik (Well-Known Member)
    From the PHP team.
    5.6 apparently has a serious problem, since it is EOL.
    You rarely see this kind of release after EOL.
     
  8. eva2000 (Administrator, Staff Member)
    Yup PHP: News Archive - 2019

     
  9. buik (Well-Known Member)
    Not related to Common Vulnerabilities and Exposures (CVE), as can be reviewed over here: PHP : List of security vulnerabilities

    It seems to me that it is important but not urgent. Otherwise it would certainly have been mentioned at CVE or in the PHP changelog with a CVE number.
     
    Last edited: Jan 12, 2019
  10. eva2000 (Administrator, Staff Member)
    Yeah, maybe they want it fixed before releasing a CVE number? heh
     
  11. Meirami (Member)
    I updated to 7.2.14 and got 502 error.

    Open php-fpm.conf
    Change
    Code:
    ;include=/usr/local/nginx/conf/phpfpmd/*.conf
    To
    Code:
    include=/usr/local/nginx/conf/phpfpmd/*.conf
    And it works again.
    (This is for people who don't have time to search for the reason for the 502.) :D

    There may be other changes too...
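To catch the state described in this post (the pool include line in php-fpm.conf commented out, so no pool is loaded and nginx answers 502), here is an added shell check; it is not code from the thread or from Centmin Mod, and it constructs temporary sample configs in place of the real php-fpm.conf. The include path /usr/local/nginx/conf/phpfpmd/*.conf is the one quoted above.

```sh
#!/bin/sh
# Added example, not from the thread: report whether php-fpm.conf still has an
# active pool include= line, and whether that glob matches any pool file.

# Returns 0 if an active include= line exists, 1 if it is commented out, 2 if absent.
check_fpm_include() {
  if grep -Eq '^[[:space:]]*include[[:space:]]*=' "$1"; then
    echo "ok: active include directive in $1"
    return 0
  elif grep -Eq '^[[:space:]]*;[[:space:]]*include[[:space:]]*=' "$1"; then
    echo "warn: include directive commented out in $1 (no pool loaded, nginx gets 502)"
    return 1
  else
    echo "warn: no include directive in $1"
    return 2
  fi
}

# Prints how many files the first active include= glob matches (0 if none).
pool_count() {
  pattern=$(sed -n 's/^[[:space:]]*include[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
  if [ -z "$pattern" ]; then echo 0; return; fi
  n=0
  for f in $pattern; do            # unquoted on purpose: expands the glob
    if [ -e "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed sample configs so the script runs stand-alone (not real server files).
tmp=$(mktemp -d)
mkdir -p "$tmp/phpfpmd"
printf '[www]\nlisten = 127.0.0.1:9000\n' > "$tmp/phpfpmd/www.conf"
printf '[global]\n;include=/usr/local/nginx/conf/phpfpmd/*.conf\n' > "$tmp/broken.conf"
printf '[global]\ninclude=%s/phpfpmd/*.conf\n' "$tmp" > "$tmp/fixed.conf"

for c in "$tmp/broken.conf" "$tmp/fixed.conf"; do
  if check_fpm_include "$c"; then
    echo "pools matched: $(pool_count "$c")"
  fi
done
```

On a live box, point check_fpm_include at the real php-fpm.conf and follow it with php-fpm -t before restarting.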
     
  12. eva2000 (Administrator, Staff Member)
    Did you get a prompt to overwrite php-fpm.conf? It could be that you have custom settings and overwriting reset them.
     
  13. Meirami (Member)
    I'm quite sure I didn't get a prompt about the overwrite.
     