New! Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.
VPR Score: 5.9
SynopsisThe remote Fedora host is missing a security update.
DescriptionNotice: to fix CVE-2014-0185 this version change default php-fpm unix domain socket permission to 660 (instead of 666). Check your configuration if php-fpm use UDS (default configuration use a network socket).
Upstream Changelog: 01 May 2014, PHP 5.5.12 Core :
- Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike)
- Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets). (Mike)
- Fixed bug #66182 (exit in stream filter produces segfault). (Mike)
- Fixed bug #66736 (fpassthru broken). (Mike)
- Fixed bug #67024 (getimagesize should recognize BMP files with negative height). (Gabor Buella)
- Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
- Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent). (Freek Lijten)
- Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied). (Boro Sitnikovski)
- Fixed bug #65715 (php5embed.lib isn't provided anymore).
- Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian). (Remi)
- Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
- Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185) (christian at hoffie dot info)
- Fixed issue with null bytes in LDAP bindings. (Matthew Daley)
- Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack of escaping). (Andrey)
- Fix bug #66942 (memory leak in openssl_seal()). (Chuan Ma)
- Fix bug #66952 (memory leak in openssl_open()). (Chuan Ma)
- Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
- Fixed bug #66967 (Updated bundled libsqlite to 188.8.131.52).
- Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with 'file://'). (Anatol)
Apache2 Handler SAPI :
- Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120 ). (Jeff Trawick)
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected php package.