[CentOS] PHP vulnerability CVE-2016-4073

Wed Sep 21 18:00:04 UTC 2016
Alice Wonder <alice at domblogger.net>

On 09/21/2016 05:43 AM, Прокси wrote:
> On 2016-Sep-21 14:35, Adrian Sevcenco wrote:
>> On 09/21/2016 02:02 PM, Прокси wrote:
>>> Hello,
>>> My server with CentOS 6.8 just failed PCI scan, so I'm looking into
>>> vulnerable packages. PHP 5.3.3 have multiple vulnerabilities, some of
>>> them are fixed/patched or have some kind of workaround. But I can't find
>>> a way to fix this one. Red Hat state: under investigation.
>>> https://access.redhat.com/security/cve/cve-2016-4073
>>> This CVE is 6 months old, and it doesn't look like it will be fixed.
>>> Does anyone knows the way to go around this? Except blocking mb_strcut()
>>> function.
>> you could try the unsupported php from remi repos... you can find there php 7.0 ..
> I use CentOS because I need stable and patched packages, so I can be
> sure that all applications work without unpleasant surprises. Going to
> unsupported packages would be my last option.

I feel the same way but I find that it is generally safe and beneficial 
to update the LAMP stack on servers and the multimedia stack on the desktop.

Things like HTTP/2 are not available in the Apache that ships even with 
CentOS 7 and the PHP is so outdated that it causes problems when using 
third party projects because the developers of those projects aren't 
using anything that old anymore. And for the TLS stack, mobile really 
benefits from chacha20 ciphers.

With respect to multimedia, there's the fluendo codec pack but 
interestingly FireFox won't play mp3 with the fluendo codec pack, it 
wants the libmad plugin.

And even more bizarre, maybe they have fixed it, but GStreamer 1.x in 
CentOS 7 when it shipped was not capable of decoding the VP9 codec used 
in WebM2. CentOS 7 came with tools to encode VP9 but the GStreamer was 
too crusty to decode it, and the commercial fluendo plugins were of no 
help there - replacing the GStreamer 1.x packages with a modern build 
was the only option.

Stability is pointless when it doesn't serve the intended purpose.

PHP even in CentOS 7 should be updated for a production server.