Hello everyone. I am an FC2 refugee that's been lurking for a while. I am finishing up a Centos 4.4 build and am going through looking at security issues. In running a nessus scan I am finding it complaining about the versions for php, php-ldap, php-mbstring and php-pear. The complaint indicates that a much newer version of this exists and specifically names php-5.0.4-4.centos4 (by way of example). In researching this I am finding that this is not deemed to be part of the upgrade path for the default version in 4.4. I am also finding numerous issues with this "recommended" version breaking things right and left. I've searched the forums and the web so I decided to post here.
Has anyone replaced the stock php (and related items) build and been perfectly happy with the results? Any reason why this "newer" version of php is not part of the natural upgrade path? Any writeups by anyone that has walked this path already?
Thanks in advance!
Eucke wrote:
> Hello everyone. I am an FC2 refugee that's been lurking for a while. I am finishing up a Centos 4.4 build and am going through looking at security issues. In running a nessus scan I am finding it complaining about the versions for php, php-ldap, php-mbstring and php-pear.
can you demonstrate working examples of these exploits on a fully updated CentOS machine ?
> can you demonstrate working examples of these exploits on a fully updated CentOS machine ?
This is not a vulnerability that I have discovered but one that the nessus security analysis program identified and is documented with the following RHN php security update: RHSA-2005-831. Nessus is recommending moving to 5.0.4. Could this be something that has been fixed already within the 4.3.X php versions within Centos and nessus is misreading this as an issue having not been compiled specifically for Centos but RHES4?
If it is an existing issue I would like to figure out how to address it without issues...if it's not an issue then I intend to just move on. I tried searching the Centos bug tracker but had no luck there.
Eucke wrote:
> can you demonstrate working examples of these exploits on a fully updated CentOS machine ?
> This is not a vulnerability that I have discovered but one that the nessus security analysis program identified and is documented with the following RHN php security update: RHSA-2005-831. Nessus is recommending moving to 5.0.4. Could this be something that has been fixed already within the 4.3.X php versions within Centos and nessus is misreading this as an issue having not been compiled specifically for Centos but RHES4?
> If it is an existing issue I would like to figure out how to address it without issues...if it's not an issue then I intend to just move on. I tried searching the Centos bug tracker but had no luck there.
Did nessus also tell you that some vendors backport some patches, so that if they only look at the package name, they can't really know if the vuln is fixed or not?
The current version of PHP for centos3 is php-4.3.2-33.ent, which is a lot newer than the 4.3.2-26 that they mention in the advisory. So if 4.3.2-26 has the fix, it is more than highly likely that php-4.3.2-33.ent has it.
Regards,
Ugo
On Wed, Sep 20, 2006 at 10:09:21AM -0700, Eucke enlightened us:
> can you demonstrate working examples of these exploits on a fully updated CentOS machine ?
> This is not a vulnerability that I have discovered but one that the nessus security analysis program identified and is documented with the following RHN php security update: RHSA-2005-831. Nessus is recommending moving to 5.0.4. Could this be something that has been fixed already within the 4.3.X php versions within Centos and nessus is misreading this as an issue having not been compiled specifically for Centos but RHES4?
> If it is an existing issue I would like to figure out how to address it without issues...if it's not an issue then I intend to just move on. I tried searching the Centos bug tracker but had no luck there.
You have two questions.
First: Nessus reports probable vulnerabilities, often based on version numbers. This is inaccurate on RHEL-based systems. Read http://www.redhat.com/advice/speaks_backport.html for the reasons why.
Second: RHEL 4, and therefore CentOS 4, will (most likely) never have a version of php newer than 4.3.9-something. The something will change as security issues are fixed and backported (you did read the link above, right?). The idea of RHEL is to provide a stable, fairly static environment, which is patched for security holes and some features.
That said, CentOS provides the opportunity to update some of those features through the CentOS-Plus repository. Read http://mirror.centos.org/centos/4/centosplus/Readme.txt for more details.
So, just because nessus says it's broken doesn't mean it is.
Matt
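The point Matt and Ugo make above, that a scanner matching on the upstream version number cannot see a backported fix, is easiest to understand by doing the two comparisons side by side. The following is an added example, not code from the thread, from Nessus or from the CentOS project: it implements a simplified rpm version comparison (no `~`/`^` handling) so that release `3.22` correctly sorts after `3.9`, shows what a version-only check concludes about `php-4.3.9` against the `5.0.4` that Nessus names, and then checks the package changelog (what `rpm -q --changelog php` prints on a real box) for the advisory's identifiers. The changelog text, the packager address and the `CVE-0000-0001` identifier are constructed placeholders; on a real system you would grep the changelog for the CVE ids listed in the advisory.

```python
import re

# ---- simplified rpmvercmp: digit runs compare numerically, alpha runs lexically ----

def _segments(s):
    """Split a version or release string into its digit and alpha runs."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two version/release strings segment by
    segment the way rpm does (no '~' or '^' handling), so 3.22 > 3.9."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1          # a numeric segment sorts after an alpha one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    # equal prefix: whichever string has segments left over is newer
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1

def parse_nvr(pkg):
    """Split 'php-4.3.2-33.ent' into ('php', '4.3.2', '33.ent')."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def compare_vr(pkg_a, pkg_b):
    """Compare two name-version-release strings of the same package,
    version first and release as the tie-breaker."""
    _, va, ra = parse_nvr(pkg_a)
    _, vb, rb = parse_nvr(pkg_b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# ---- what a version-only scanner does ----

def version_only_check(installed_pkg, advised_upstream):
    """Flag the package whenever its upstream version is older than the one
    an advisory names, ignoring the vendor release and changelog entirely."""
    _, version, _ = parse_nvr(installed_pkg)
    return rpmvercmp(version, advised_upstream) < 0

# ---- what the vendor changelog says ----

# Constructed sample in the shape of `rpm -q --changelog php` output.
# Nothing here is taken from a real package; the CVE id is a placeholder.
CONSTRUCTED_CHANGELOG = """\
* Mon Jan 02 2006 Packager <packager@example.com> 4.3.9-3.12
- rebuild (constructed entry, not from a real package)

* Mon Nov 14 2005 Packager <packager@example.com> 4.3.9-3.9
- security fixes for CVE-0000-0001 (placeholder id, constructed entry)

* Fri Jun 03 2005 Packager <packager@example.com> 4.3.9-3.6
- initial build (constructed entry)
"""

def fixed_in_changelog(changelog, ids):
    """Return the version-release of the newest changelog entry mentioning
    any of the given advisory/CVE identifiers, or None if none does."""
    for entry in re.split(r"(?m)^(?=\* )", changelog):   # entries are newest first
        lines = entry.strip().splitlines()
        if not lines or not lines[0].startswith("* "):
            continue
        if any(i in entry for i in ids):
            return lines[0].split()[-1]   # header line ends with version-release
    return None

def assess(installed_pkg, advised_upstream, changelog, ids):
    """Return (scanner_flags, fix_release, backport_present): the scanner's
    verdict next to whether the installed release already carries the fix."""
    scanner_flags = version_only_check(installed_pkg, advised_upstream)
    fix_vr = fixed_in_changelog(changelog, ids)
    name, _, _ = parse_nvr(installed_pkg)
    backported = fix_vr is not None and compare_vr(installed_pkg, name + "-" + fix_vr) >= 0
    return scanner_flags, fix_vr, backported

if __name__ == "__main__":
    for pkg in ("php-4.3.9-3.12", "php-4.3.9-3.6"):
        print(pkg, assess(pkg, "5.0.4", CONSTRUCTED_CHANGELOG, ["CVE-0000-0001"]))
```

Running it shows the two views disagreeing for `php-4.3.9-3.12`: the version-only check flags it because `4.3.9` is older than `5.0.4`, while the changelog shows the fix landed in release `3.9` and the installed release is newer. For `php-4.3.9-3.6` both views agree that the fix is absent, which is the case where the finding is real and the package needs the vendor update, not an upstream 5.0.4 build.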