Re: PHP vulnerability CVE-2016-4073

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 



On 09/21/2016 05:43 AM, Прокси wrote:

On 2016-Sep-21 14:35, Adrian Sevcenco wrote:

On 09/21/2016 02:02 PM, Прокси wrote:

Hello,

My server with CentOS 6.8 just failed PCI scan, so I'm looking into
vulnerable packages. PHP 5.3.3 have multiple vulnerabilities, some of
them are fixed/patched or have some kind of workaround. But I can't find
a way to fix this one. Red Hat state: under investigation.

https://access.redhat.com/security/cve/cve-2016-4073

This CVE is 6 months old, and it doesn't look like it will be fixed.
Does anyone knows the way to go around this? Except blocking mb_strcut()
function.

you could try the unsupported php from remi repos... you can find there php 7.0 ..


I use CentOS because I need stable and patched packages, so I can be
sure that all applications work without unpleasant surprises. Going to
unsupported packages would be my last option.
I feel the same way but I find that it is generally safe and beneficial to update the LAMP stack on servers and the multimedia stack on the desktop.
Things like HTTP/2 are not available in the Apache that ships even with CentOS 7 and the PHP is so outdated that it causes problems when using third party projects because the developers of those projects aren't using anything that old anymore. And for the TLS stack, mobile really benefits from chacha20 ciphers.
With respect to multimedia, there's the fluendo codec pack but interestingly FireFox won't play mp3 with the fluendo codec pack, it wants the libmad plugin.
And even more bizarre, maybe they have fixed it, but GStreamer 1.x in CentOS 7 when it shipped was not capable of decoding the VP9 codec used in WebM2. CentOS 7 came with tools to encode VP9 but the GStreamer was too crusty to decode it, and the commercial fluendo plugins were of no help there - replacing the GStreamer 1.x packages with a modern build was the only option. 

Stability is pointless when it doesn't serve the intended purpose.

PHP even in CentOS 7 should be updated for a production server.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux