[CentOS] New 4.4 install PHP security concern

Wed Sep 20 17:46:04 UTC 2006
Matt Hyclak <hyclak at math.ohiou.edu>

On Wed, Sep 20, 2006 at 10:09:21AM -0700, Eucke enlightened us:
> >can you demonstrate working examples of these exploits on a fully 
> >updated CentOS machine ?
> >
> This is not a vulnerability that I have discovered but one that the 
> nessus security analysis program identified and is documents with the 
> following RHN php security update: RHSA-2005-831.  Nessus is 
> recommending moving to 5.0.4.  Could this be something that has been 
> fixed already within the 4.3.X php versions within Centos and nessus is 
> misreading this as an issue having not been compiled specifically for 
> Centos but RHES4?
> If it is an existing issue I would like to figure out how to address it 
> without issues...if it's not an issue then I intend to just move on.  I 
> tried searching the Centos bug tracker but had no luck there.

You have two questions. 

First: Nessus reports probably vulnerabilities, often based on version
numbers. This is inaccurate on RHEL-based systems. Read
http://www.redhat.com/advice/speaks_backport.html for the reasons why.

Second: RHEL 4, and therefore CentOS 4, will (most likely) never have a
version of php newer than 4.3.9-something. The something will change as
security issues are fixed and backported (you did read the link above,
right?). The idea of RHEL is to provide a stable, fairly static environment,
which is patched for security holes and some features. 

That said, CentOS provides the opportunity to update some of those features
through the CentOS-Plus repository. Read
http://mirror.centos.org/centos/4/centosplus/Readme.txt for more details.

So, just because nessus says it's broken doesn't mean it is.


Matt Hyclak
Department of Mathematics 
Department of Social Work
Ohio University
(740) 593-1263