-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

SUMMARY

The PHP development team has announced the immediate availability of PHP 5.5.2. This release contains approximately 20 bug fixes, including a security issue in the OpenSSL module (CVE-2013-4248) and a session fixation problem (CVE-2011-4718). All users of PHP are encouraged to upgrade to this release.

cPanel has released EasyApache 3.22.6 with PHP 5.5.2 to address these issues.

AFFECTED VERSIONS

All versions of PHP5 before 5.5.2

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2011-4718 - MEDIUM
CVE-2013-4248 - MEDIUM

PHP 5.5.2

CVE-2011-4718: A session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.

CVE-2013-4248: The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a null character in a domain name in the Subject Alternative Name field of an X.509 certificate. This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. This issue is related to CVE-2009-2408.

SOLUTION

cPanel, Inc. has released EasyApache 3.22.6 with an updated version of PHP 5.5 to correct these issues. Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run.
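The two issues above are easiest to reason about with concrete code. The following PHP is an added example written for this page; it is not cPanel's, EasyApache's or the PHP project's own code. The first part matches a hostname against the subjectAltName string that openssl_x509_parse() returns (format assumed to be "DNS:name, DNS:name, ..."), refusing any SAN entry that carries a NUL or other control byte, which is the truncation that CVE-2013-4248 relied on. The second part shows the mitigation PHP 5.5.2 introduced for CVE-2011-4718: session.use_strict_mode, which rejects client-supplied session IDs that the server never issued, combined with session_regenerate_id() at login. Function names and the sample SAN strings are constructed for the example; the code runs on PHP 5.5.2 and later.

```php
<?php
// Added example for the cPanel advisory above; not code from the advisory.

// Extract the DNS entries from an openssl_x509_parse() subjectAltName string,
// e.g. "DNS:www.example.com, DNS:*.example.net, IP Address:192.0.2.1".
function sanDnsNames($subjectAltName)
{
    $names = array();
    foreach (explode(',', $subjectAltName) as $entry) {
        $entry = trim($entry);
        if (strncasecmp($entry, 'DNS:', 4) === 0) {
            $names[] = substr($entry, 4);
        }
    }
    return $names;
}

// Return true only if $host is covered by one of the SAN DNS entries.
function hostMatchesSan($host, $subjectAltName)
{
    $host = strtolower($host);
    foreach (sanDnsNames($subjectAltName) as $name) {
        // PHP strings are binary safe, so an embedded "\0" is visible here.
        // A libc strlen() would stop at that byte and see only the prefix,
        // which is the behaviour CVE-2013-4248 describes. Reject the entry
        // outright instead of matching on a truncated view of it.
        if (!preg_match('/^[\x21-\x7e]+\z/', $name)) {
            continue;
        }
        $name = strtolower($name);
        if ($name === $host) {
            return true;
        }
        // Wildcard: a single "*" as the whole left-most label, and the
        // suffix must span at least two labels so "*.com" never matches.
        if (strpos($name, '*.') === 0 && substr_count($name, '*') === 1) {
            $suffix = substr($name, 1);                 // ".example.net"
            if (substr_count($suffix, '.') < 2) {
                continue;
            }
            $cut = strlen($host) - strlen($suffix);
            if ($cut > 0 && substr($host, $cut) === $suffix) {
                $prefix = substr($host, 0, $cut);       // label matched by "*"
                if (strpos($prefix, '.') === false) {
                    return true;
                }
            }
        }
    }
    return false;
}

// Session fixation mitigation (CVE-2011-4718). session.use_strict_mode was
// added in PHP 5.5.2: with it on, a session ID presented by the client that
// does not already exist on the server is discarded and a fresh one issued,
// so an attacker cannot plant an ID of their choosing before the victim logs in.
function startHardenedSession()
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // no IDs from the URL
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Call after authentication succeeds: the logged-in session must not keep
// whatever ID the browser carried while anonymous. true deletes the old data.
function promoteSessionAfterLogin($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Demonstration on constructed inputs (run from the CLI).
$san = 'DNS:www.example.com, DNS:*.example.net';
var_dump(hostMatchesSan('www.example.com', $san));
var_dump(hostMatchesSan('api.example.net', $san));
var_dump(hostMatchesSan('a.b.example.net', $san));
// One SAN entry with an embedded NUL: must not match the prefix before it.
var_dump(hostMatchesSan('www.example.com', "DNS:www.example.com\0.attacker.test"));
```

The constructed last case is the shape of certificate the advisory is about: a name that looks like www.example.com to a length-unaware parser but is something else to the CA that issued it. On a patched PHP the parsed SAN string already contains the full value, and the control-byte check then makes the mismatch explicit rather than silent.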
REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4248
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4718
http://www.php.net/ChangeLog-5.php#5.5.2

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJSFMqHAAoJEJUhvtyr2U3fnPAP/iXX157U1C4RByO3OXy1ju/u
p6px/Fsnyn7nj9dOLkFmEJw6hB6DYBI41KvyOzIn2MYsn2rbegq14RMZgofsLwJG
BznEZXn9CH+8BVzbMi6NyoPPyq5eBLWBtRRTl41QmJk4q8szXIZYHB7U+oVs88eN
WwUHHV3bjhHydBWoFsu3e4410zXYITqilo7jSFfTOch21CBPDbvFGoDX2gow8fJS
5cBWQIa2o0eRWIaGYnPPmxZ40sB1th1buk6axhw1kPIl/Gd/Q3sqJ0QPU+uy8vo2
fGUDXmRx3ISbsxT3o5cQrKSbyPZfxUiUONmV8FUCuYc14TNKHH9eZcwAeGg4A1mF
pZSU3NlGPxcMG/aqH9KtXHnnjuWZ/h6INEuYVSvkCC0KChc7pLuE6lzU+ujBtbPq
czod9V2wyPCbnnX/W+7e1u4LzmjazcDVdqgjbtVjEmay5AoV9OqJ0HLL8HOa6nqb
qSrQOWJ6XUv4WM6QSZGxmSDKa9r8/Km0A/vbFoIhGfiYRIMjIUrmWRn+Ih7Bcgkz
MZpCab/ttiMtcSkGf4QvnMHI5gqKX1ewP+eN1gRvo05jpFlq6Sjo7qa4g+DmZOFX
eUDBn9aD4Efj1sOU+5dNZ1L7mrJuHWd0j1vspFamKmAYsG6KLCYm3btIZHl9/axj
/x4Q+WOEqygMyg7WSYBR
=GPwo
-----END PGP SIGNATURE-----