Newsroom

Security Advisory 2013-08-21

SUMMARY

The PHP development team has announced the immediate availability of PHP 5.5.2. This release contains approximately 20 bug fixes, including a security issue in the OpenSSL module (CVE-2013-4248) and a session fixation problem (CVE-2011-4718). All users of PHP are encouraged to upgrade to this release. cPanel has released EasyApache 3.22.6 with PHP 5.5.2 to address this issue.

AFFECTED VERSIONS

All versions of PHP5 before 5.5.2

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings of these CVEs:

CVE-2011-4718 – MEDIUM
CVE-2013-4248 – MEDIUM

PHP 5.5.2

CVE-2011-4718: A session fixation vulnerability in the Sessions subsystem in PHP, before 5.5.2, allows remote attackers to hijack web sessions by specifying a session ID.

CVE-2013-4248: The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x (before 5.5.2) does not properly handle a null character in a domain name in the Subject Alternative Name field of an X.509 certificate. This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificated issued by a legitimate Certification Authority. This issue is related to CVE-2009-2408.

SOLUTION

cPanel, Inc. has released EasyApache 3.22.6 with an updated version of PHP5.5 to correct these issues. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4248
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4718
http://www.php.net/ChangeLog-5.php#5.5.2

For the PGP signed message, please go here.