Author Topic: PHP Version Selector / Vulnerabilities ?  (Read 10743 times)


PHP Version Selector / Vulnerabilities ?
« on: May 10, 2016, 02:05:54 PM »
Well when I installed CWP in February I ended up with PHP 5.4.45 for now.

I am planning to upgrade to at least 5.6, because only 5.5 / 5.6 / 7.0 are supported by the PHP developers nowadays it seems.

However the PHP Version switcher offers only 5.6.14 in the drop down.

Is that the real version to be installed? I'd be very afraid to install that, because it has a known vulnerability in the gd library:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
Which has been fixed in PHP 5.6.21: http://php.net/ChangeLog-5.php#5.6.21

Also with what version would I end up with the 7.x selector, because there is this _additionally_ to the problem above:
http://seclists.org/fulldisclosure/2016/May/0
Which has been fixed in PHP 7.0.6: http://php.net/ChangeLog-7.php#7.0.6
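As an added example (not part of this thread, and not CWP's own code), here is a small POSIX shell check that takes a PHP version string, such as the one the selector says it will install, and reports whether it is below the first release the post cites as carrying the fix: 5.6.21 for the 5.6 branch and 7.0.6 for the 7.0 branch. The branch table and the function names are constructed for this example; the optional call at the end reads the version of whatever `php` is on the PATH with `php -r 'echo PHP_VERSION;'`.

```shell
#!/bin/sh
# Added example, not from the CWP thread: flag a PHP version that is older
# than the release the post names as carrying the fix.
# The thresholds (5.6.21 and 7.0.6) come from the thread; the table and the
# function names are constructed for this example.

# php_branch_minimum BRANCH -> prints the first patched release for BRANCH,
# or nothing when the branch is not in the table.
php_branch_minimum() {
    case "$1" in
        5.6) echo "5.6.21" ;;   # CVE-2016-3074 fix, per the post
        7.0) echo "7.0.6"  ;;   # fix for the 7.0 issue, per the post
        *)   echo ""       ;;
    esac
}

# version_lt A B -> exit status 0 when dotted version A is strictly lower
# than B, comparing each numeric component in turn (no dependency on sort -V).
# A non-numeric suffix such as "-dev" on a component is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        ap="${ap%%[!0-9]*}"; bp="${bp%%[!0-9]*}"
        ap="${ap:-0}"; bp="${bp:-0}"
        if [ "$ap" -lt "$bp" ]; then return 0; fi
        if [ "$ap" -gt "$bp" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# php_version_status VERSION -> prints one of:
#   below-fix       VERSION is older than the patched release for its branch
#   patched         VERSION is at or above that release
#   unknown-branch  the branch is not in the table, so nothing can be said
php_version_status() {
    v="$1"
    branch="${v%.*}"            # 5.6.14 -> 5.6, 7.0.6 -> 7.0
    min="$(php_branch_minimum "$branch")"
    if [ -z "$min" ]; then
        echo "unknown-branch"
    elif version_lt "$v" "$min"; then
        echo "below-fix"
    else
        echo "patched"
    fi
}

# Usage: check the versions mentioned in the thread, then the local php if any.
for v in 5.4.45 5.6.14 5.6.21 7.0.5 7.0.6; do
    printf '%s: %s\n' "$v" "$(php_version_status "$v")"
done
if command -v php >/dev/null 2>&1; then
    local_v="$(php -r 'echo PHP_VERSION;' 2>/dev/null || true)"
    printf 'local php %s: %s\n' "$local_v" "$(php_version_status "$local_v")"
fi
```

The table only knows the two branches the post names, so anything else (the 5.4.45 the poster started with, for instance) comes back as `unknown-branch` rather than being silently reported as safe; extend the table from the PHP changelogs before relying on it for other branches.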

Re: PHP Version Selector / Vulnerabilities ?
« Reply #1 on: May 10, 2016, 05:19:53 PM »
this will install 5.6.14

Re: PHP Version Selector / Vulnerabilities ?
« Reply #2 on: May 22, 2016, 06:16:14 PM »
So what's the solution to these severe security issues in those PHP versions offered in the PHP Version Selector?

Are we supposed to compile and install custom PHP versions on CWP?
If so, are there any existing scripts / guides?

I'd have expected a CWP update including a notice that reminds people to update their PHP, since this probably won't happen on its own.
But I understand you guys are busy and CWP is free and we cannot simply request such things :-(

But these security issues in i.e. the 5.6.14 version offered really wreak havoc for those that have image/file uploads enabled for users they can't trust (i.e. public image/file uploads).

I am not sure if the 7.x version in the selector is affected, since I am not sure what will be installed there.

Re: PHP Version Selector / Vulnerabilities ?
« Reply #3 on: May 22, 2016, 06:51:53 PM »
you can install any version by recompiling it
« Last Edit: May 23, 2016, 07:48:13 AM by Sandeep »