PHP 5.3.6 released - Fixes 5 security flaws

Filed Under: Vulnerability

Yesterday the PHP Group announced the release of PHP version 5.3.6. This new version of PHP fixes five security flaws in addition to providing some new features that can enhance the security of your web server and PHP applications.

Two of the five bugs fixed are rated high severity by the National Vulnerability Database; the others have not been analyzed at this time.

The first is a vulnerability in the phar extension that can cause a denial of service condition as well as possibly allow remote code execution. Phar is the PHP equivalent of the JAR Java archive format. It does not appear to be used widely for popular PHP applications.

Another vulnerability that was fixed is in the shared memory read functionality. If exploited it could also cause a denial of service condition and possibly allow the reading of sensitive areas of system memory.

Other security fixes addressed problems with the reading of EXIF data, ZIP archive handling and high values for the precision INI setting. One security enhancement now enforces security settings related to the use of the FastCGI module, which is often used to help accelerate PHP web applications.

If you use PHP to drive your website, update your PHP at your earliest convenience. For Linux administrators this package should be available RSN (Real Soon Now) from your distribution's update repositories. Administrators of Windows systems and other platforms should download the latest version from http://www.php.net.

For more advice on keeping your websites secure, download our technical paper "Securing websites" from the Sophos Security Hub.


One Response to PHP 5.3.6 released - Fixes 5 security flaws

  1. Thanks for the heads up. I rely heavily on PHP!


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.