The PHP team has announced PHP 5.4.3 and 5.3.13, fixing two separate security issues.
- CVE-2012-2311 and CVE-2012-1823 are both fixed now. These are the CVE numbers for the PHP-CGI bug that has been announced by Eindbazen last week, and extensively covered by myself in various posts.
- In addition, CVE-2012-2329 has been fixed, another issue in PHP-CGI. This was a heap overflow triggered by specially crafted HTTP headers and a script executing apache_request_headers().
I have tested my own exploit against the new version (5.4 only, I have no 5.3 setup) and there does not seem to be a possibility to exploit the vectors opened in CVE-2012-2311 and CVE-2012-1823. These issues seem to be fixed now.
I have no exploit code for CVE-2012-2329, so I cannot make a statement if it is fixed yet. Update: I have tested Georg Wicherski’s PoC exploit against 5.4.3 and it seems that CVE-2012-2329 is now also fixed.
Read the announcement here: PHP 5.4.3/5.3.13 release announcement
The download page for PHP 5.4.3 is here, the download for 5.3.13 is over here.
Two versions of PHP were just released and fix different security issues. With that, I think the problems that caused a stir last week are now fixed. Read more here: PHP 5.4.3 and 5.3.13 fix several security issues. Further reading on php.net: Relea
Tracked: May 08, 21:48
Tracked: May 09, 17:35
Tracked: May 09, 19:25
Tracked: May 09, 20:19
Heute gibt es mal wieder eine bunte Mischung an Kommentaren: Apple erlaubt keine Virenscanner im App-Store, es gibt Angriffe auf die PHP-CGI-Schwachstelle, Yahoo! veröffentlicht einen privaten Schlüssel, eine Verbesserung für TLS soll
Tracked: May 29, 07:38