-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

SUMMARY

The PHP development team has announced the immediate availability of PHP 5.5.2.  This release contains approximately 20 bug fixes, including a security issue in the OpenSSL module (CVE-2013-4248) and a session fixation problem (CVE-2011-4718).  All users of PHP are encouraged to upgrade to this release.  cPanel has released EasyApache 3.22.6 with PHP 5.5.2 to address this issue.

AFFECTED VERSIONS

All versions of PHP5 before 5.5.2

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings of these CVEs:

CVE-2011-4718 - MEDIUM
CVE-2013-4248 - MEDIUM

PHP 5.5.2

CVE-2011-4718:  A session fixation vulnerability in the Sessions subsystem in PHP, before 5.5.2, allows remote attackers to hijack web sessions by specifying a session ID.

CVE-2013-4248:  The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x (before 5.5.2) does not properly handle a null character in a domain name in the Subject Alternative Name field of an X.509 certificate.  This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificated issued by a legitimate Certification Authority.  This issue is related to CVE-2009-2408.

SOLUTION

cPanel, Inc. has released EasyApache 3.22.6 with an updated version of PHP5.5 to correct these issues.  Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4248
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4718
http://www.php.net/ChangeLog-5.php#5.5.2
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJSFMqHAAoJEJUhvtyr2U3fnPAP/iXX157U1C4RByO3OXy1ju/u
p6px/Fsnyn7nj9dOLkFmEJw6hB6DYBI41KvyOzIn2MYsn2rbegq14RMZgofsLwJG
BznEZXn9CH+8BVzbMi6NyoPPyq5eBLWBtRRTl41QmJk4q8szXIZYHB7U+oVs88eN
WwUHHV3bjhHydBWoFsu3e4410zXYITqilo7jSFfTOch21CBPDbvFGoDX2gow8fJS
5cBWQIa2o0eRWIaGYnPPmxZ40sB1th1buk6axhw1kPIl/Gd/Q3sqJ0QPU+uy8vo2
fGUDXmRx3ISbsxT3o5cQrKSbyPZfxUiUONmV8FUCuYc14TNKHH9eZcwAeGg4A1mF
pZSU3NlGPxcMG/aqH9KtXHnnjuWZ/h6INEuYVSvkCC0KChc7pLuE6lzU+ujBtbPq
czod9V2wyPCbnnX/W+7e1u4LzmjazcDVdqgjbtVjEmay5AoV9OqJ0HLL8HOa6nqb
qSrQOWJ6XUv4WM6QSZGxmSDKa9r8/Km0A/vbFoIhGfiYRIMjIUrmWRn+Ih7Bcgkz
MZpCab/ttiMtcSkGf4QvnMHI5gqKX1ewP+eN1gRvo05jpFlq6Sjo7qa4g+DmZOFX
eUDBn9aD4Efj1sOU+5dNZ1L7mrJuHWd0j1vspFamKmAYsG6KLCYm3btIZHl9/axj
/x4Q+WOEqygMyg7WSYBR
=GPwo
-----END PGP SIGNATURE-----