[CentOS] PHP vulnerability CVE-2016-4073

Thu Sep 22 10:19:04 UTC 2016
Прокси <proxy-one at mail.ru>

On 2016-Sep-21 11:00, Alice Wonder wrote:
> I feel the same way but I find that it is generally safe and beneficial to
> update the LAMP stack on servers and the multimedia stack on the desktop.
> Things like HTTP/2 are not available in the Apache that ships even with
> CentOS 7 and the PHP is so outdated that it causes problems when using third
> party projects because the developers of those projects aren't using
> anything that old anymore. And for the TLS stack, mobile really benefits
> from chacha20 ciphers.
> With respect to multimedia, there's the fluendo codec pack but interestingly
> Firefox won't play mp3 with the fluendo codec pack, it wants the libmad
> plugin.
> And even more bizarre, maybe they have fixed it, but GStreamer 1.x in CentOS
> 7 when it shipped was not capable of decoding the VP9 codec used in WebM2.
> CentOS 7 came with tools to encode VP9 but the GStreamer was too crusty to
> decode it, and the commercial fluendo plugins were of no help there -
> replacing the GStreamer 1.x packages with a modern build was the only
> option.
> Stability is pointless when it doesn't serve the intended purpose.

Agree, but applications on my server work just fine with the old
version. In case I need a feature available only in the new version, I'd
move to the new one.

There is another CVE I'm having problem with.

This one is still under investigation. I see Remi's comment in the
bugzilla that it isn't really a security issue, but it's the Approved
Scanning Vendors who should be convinced of that, and they mark its PCI
status as "fail". Anyone have any idea how to mitigate this issue? Some