Newsroom

Security Advisory 2013-08-26

SUMMARY

The PHP development team announces the immediate availability of PHP 5.4.19 and PHP 5.5.3. These releases fix a bug in the patch for CVE-2013-4248 in the OpenSSL module and a compile failure with ZTS enabled in PHP 5.4. All PHP users are encouraged to upgrade to either PHP 5.5.3 or PHP 5.4.19. cPanel has released EasyApache 3.22.7 with PHP 5.5.3 and 5.4.19 to address this issue.

AFFECTED VERSIONS

All versions of PHP5.5 before 5.5.3 and PHP5.4 before 5.4.19.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-4248 – MEDIUM

PHP 5.5.3

Fixed UMR (Unitialized Memory Read) bug in the original fix for CVE-2013-4248.

PHP 5.4.19

Fixed UMR (Unitialized Memory Read) bug in the original fix for CVE-2013-4248.

SOLUTION

cPanel, Inc. has released EasyApache 3.22.7 with updated versions of PHP5.4 and PHP5.5 to correct these issues. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run.

For the PGP signed message, please go here.