SCIENTIFIC-LINUX-USERS Archives

April 2018

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Sat, 28 Apr 2018 21:29:52 +0200
Content-Type: text/plain

On 28/04/18 04:19, Jon Brinkmann wrote:
> See https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-046/
> 
> This is the second warning in as many months.  The current version of PHP
> distributed with SL 7.4 is "PHP 5.4.16 (cli) (built: Mar  7 2018 12:48:25)"
> which is vulnerable.  Are there plans to distribute version 5.6.36 or
> newer anytime soon?

The vast majority of SL packages are rebuilds of Red Hat Enterprise Linux
(RHEL) source packages.  So when Red Hat releases an update, it pours down on
SL after a little while.

That means it's better to check with Red Hat first ... The URL you pointed at
was a bit confusing, as it lists a lot of fixes but only one CVE update.  It
is the CVE references which cover the severe security bugs.  And this is what
I could find from Red Hat's site:

 <https://access.redhat.com/security/cve/cve-2018-5712>

This is the only CVE here, and it seems not to be that bad.  But there is
another potentially bad issue (fixed in the 5.6.36 release), the "Heap Buffer
Overflow (READ: 1786) in exif_iif_add_value" [0].  Buffer overflows can more
often be abused to execute arbitrary code, but this has not yet received a CVE
reference.  So I'd expect this to get more attention from Red Hat once a CVE is
assigned.

RHEL customers with a support contract may try to request more details on how
this is being handled further.

But do consider that v5.6.36 was released on Thursday this week (2 days ago).
It will take a bit longer for updates and patches to pass through the release
machinery at Red Hat.  And then SL will get some source RPMs it can rebuild
and distribute.

And all this said, I would not expect to see a PHP version update (to v5.6.36)
in RHEL.  It is more likely that the security fix is backported to the PHP
baseline version in RHEL.


[0] <https://bugs.php.net/bug.php?id=76130>


--
kind regards,

David Sommerseth
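A practical consequence of the backporting point made above: on RHEL and SL the reported version string ("PHP 5.4.16") does not tell you whether a given CVE is fixed, because the fix lands in the package changelog rather than in the version number. The following shell helper, added here as an example and not taken from the thread or from Red Hat, searches changelog text for a CVE id and can be pointed at a live host's `rpm -q --changelog` output. The sample changelog, the maintainer name and the placeholder CVE id `CVE-0000-0000` are constructed for illustration; only `CVE-2018-5712` is from the message.

```shell
#!/bin/sh
# Added example (not from the original thread). On RHEL/SL a security fix is
# normally backported into the existing baseline version, so the local
# evidence that a CVE is fixed is the RPM changelog, which carries the CVE ids
# an errata update addresses. This helper searches changelog text for one id.

# cve_fixed_in_changelog CHANGELOG_TEXT CVE_ID
# Prints "fixed" (exit 0) if CVE_ID appears as a whole id in the text,
# otherwise "not-fixed" (exit 1).
cve_fixed_in_changelog() {
    changelog=$1
    cve=$2
    # Require a non-digit (or end of line) after the id so that a search for
    # a shorter id is not satisfied by a longer one sharing its prefix.
    if printf '%s\n' "$changelog" | grep -qiE -- "$cve([^0-9]|\$)"; then
        echo fixed
        return 0
    fi
    echo not-fixed
    return 1
}

# Constructed sample in `rpm -q --changelog` format; these entries are
# illustrative and are NOT Red Hat's real php changelog.
SAMPLE_CHANGELOG='* Mon Apr 02 2018 Example Maintainer <maint@example.com> - 5.4.16-45
- add backported fix for CVE-2018-5712 (constructed entry)
* Tue Mar 07 2017 Example Maintainer <maint@example.com> - 5.4.16-42
- rebuild (constructed entry)'

# check_installed_pkg PACKAGE CVE_ID
# Live variant for a RHEL/SL host: query the installed package's changelog
# from the RPM database and search it for the CVE id.
check_installed_pkg() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host"; return 2; }
    cve_fixed_in_changelog "$(rpm -q --changelog "$1")" "$2"
}

# On a real host:  check_installed_pkg php CVE-2018-5712
# Offline demonstration against the constructed sample:
cve_fixed_in_changelog "$SAMPLE_CHANGELOG" CVE-2018-5712          # prints "fixed"
cve_fixed_in_changelog "$SAMPLE_CHANGELOG" CVE-0000-0000 || true  # placeholder id, prints "not-fixed"
```

Design note: a "not-fixed" result only means the changelog does not mention that id; an unmentioned CVE may still be unfixed, fixed under a different id, or not applicable to the build, so the Red Hat CVE page for the id remains the authoritative source.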
