Fedora 19 : php-5.5.3-1.fc19 (2013-14998)

This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.


Synopsis :

The remote Fedora host is missing a security update.

Description :

Version 5.5.3, 22 Aug 2013

Openssl: + Fixed UMR in fix for CVE-2013-4248.

Version 5.5.2, 15-Aug-2013

Core :

- Fixed bug #65372 (Segfault in gc_zval_possible_root when
return reference fails).

- Fixed value of FILTER_SANITIZE_FULL_SPECIAL_CHARS
constant (previously was erroneously set to
FILTER_SANITIZE_SPECIAL_CHARS value).

- Fixed bug #65304 (Use of max int in array_sum).

- Fixed bug #65291 (get_defined_constants() causes PHP
to crash in a very limited case).

- Fixed bug #62691 (solaris sed has no -i switch).

- Fixed bug #61345 (CGI mode - make install don't work).

- Fixed bug #61268 (--enable-dtrace leads make to
clobber Zend/zend_dtrace.d).

DOM :

- Added flags option to DOMDocument::schemaValidate() and
DOMDocument::schemaValidateSource(). Added
LIBXML_SCHEMA_CREATE flag.

OPcache :

- Added opcache.restrict_api configuration directive that
may limit usage of OPcahce API functions only to
patricular script(s).

- Added support for glob symbols in blacklist entries
(?, *, **).

- Fixed bug #65338 (Enabling both php_opcache and
php_wincache AVs on shutdown).

Openssl :

- Fixed handling null bytes in subjectAltName
(CVE-2013-4248).

PDO_mysql :

- Fixed bug #65299 (pdo mysql parsing errors).

Phar :

- Fixed bug #65028 (Phar::buildFromDirectory creates
corrupt archives for some specific contents).

Pgsql :

- Fixed bug #62978 (Disallow possible SQL injections with
pg_select()/pg_update() /pg_delete()/pg_insert()).

- Fixed bug #65336 (pg_escape_literal/identifier()
silently returns false).

Sessions :

- Implemented strict sessions RFC
(https://wiki.php.net/rfc/strict_sessions) which
protects against session fixation attacks and session
collisions (CVE-2011-4718).

- Fixed possible buffer overflow under Windows. Note:
Not a security fix.

- Changed session.auto_start to PHP_INI_PERDIR.

SOAP :

- Fixed bug #65018 (SoapHeader problems with SoapServer).

SPL :

- Fixed bug #65328 (Segfault when getting SplStack object
Value).

- Added RecursiveTreeIterator setPostfix and getPostifx
methods.

- Fixed bug #61697 (spl_autoload_functions returns
lambda functions incorrectly).

Streams :

- Fixed bug #65268 (select() implementation uses outdated
tick API).

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=996774
https://bugzilla.redhat.com/show_bug.cgi?id=997097
http://www.nessus.org/u?cad3df9a
https://wiki.php.net/rfc/strict_sessions

Solution :

Update the affected php package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Fedora Local Security Checks

Nessus Plugin ID: 69462 ()

Bugtraq ID: 61776
61929

CVE ID: CVE-2011-4718
CVE-2013-4248

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now