[CentOS] PHP vulnerability CVE-2016-4073

Sat Sep 24 16:54:14 UTC 2016
Alice Wonder <alice at domblogger.net>

On 09/24/2016 07:40 AM, Lamar Owen wrote:
> On 09/23/2016 04:42 AM, James Hogarth wrote:
>> Of course this is where Red Hat intends SCL to fill the gap of the
>> "supported" new httpd24 and php56 on RHEL ...
>> https://www.hogarthuk.com/?q=node/15
>> Unfortunately this is having a knock on effect in the EPEL world
>> where, since Fedora has no SCL packaging guidelines and RHSCL is not
>> included in repos EPEL can get built against, we can't package any
>> applications there that need the newer functionality from RHSCL ...
> James, let me start out by saying that I greatly appreciate your work in
> and with EPEL.  It is fantastic.  And even in the context of what I
> write below I am a mostly satisfied user of EPEL7; there are just a few
> rough edges (and core policies) that are becoming increasingly annoying.
> What I am about to suggest is likely to be rather controversial.  If the
> upstream RHSCL cannot be used, then why can't EPEL be built against
> CentOS and then use the CentOS SCL to fix this issue?

That's effectively what I do with https://librelamp.com/ and 

I started just building newer PHP versions, then moved to building them 
against LibreSSL and building newer versions of some of the other 
packages against LibreSSL.

Building against LibreSSL allowed me to have some of the OpenSSL 
features not in the CentOS OpenSSL packages without needing to package 
them in /opt or /usr/local - which was very useful for building the 
bitcoin client but also useful for the ChaCha20/Poly1305 ciphers that 
are of benefit to mobile users (provides forward secrecy with less 
resources than AES for mobile clients w/o AES hardware assistance)

With PHP it not only gave me access to newer versions of PHP but to the 
full set of modules readily available to Fedora users, and things like 
WebP support in ImageMagick.

With Apache, it allowed me to offer the latest w/ HTTP/2 support and do 
some tweaks like completely disable some of the dangerous ciphers in 
mod_ssl so that a default install gets an "A" grade from ssllabs even 
before tweaking. Defaults that weren't thought to be dangerous when the 
Fedora package that eventually became the RHEL package were created.

The obvious downsides, my packages aren't as well tested before pushed 
and I can't guarantee a security response in a timely manner, though I 
have been pretty good often beating the RHEL/CentOS packaging of a fix - 
but I can't guarantee that.

Just last month I was working on my VLC package for my media repository 
and I rebooted to see if I could get bluray to work, probably didn't 
need to reboot since nothing kernel was involved but a kernel update had 
come in, and the PC wouldn't boot - the error beeps indicated a 
corrupted bios (not from anything I did), trying to flash the bios 
didn't work, and I was stuck doing any and all package building on a 
Thinkpad T410 (I refuse to do package building on a linode VM for 
security reasons), just finally built a new workstation last weekend.

But point is, I can't recommend my packages to anyone where delays in 
updates or bugs from reduced packaging may result in financial loss.

But I definitely hear where you are coming from, and agree that in many 
cases updates to what is in RHEL/EPEL are very beneficial.

It also can be confusing, there's a sound card I want but it requires a 
3.17 kernel and I simply don't know if the drivers have been backported 
into RHEL/CentOS 3.10 or if they are available in elrepo - without the 
sound card physically installed I can't do an lspci to find out if the 
driver is available. It's tempting to try to create a kernel repo that 
has newer versions of the kernel but with RHEL specific patches and 
configurations applied, but I'm afraid there, the benefit wouldn't 
really be worth the work (e.g. USB sound cards work just fine, I just 
want inexpensive low profile PCI-E with optical out to reduce cable mess)

I think RHEL/CentOS is a great starting point for stability but I guess 
I'm saying I am definitely in favor of special use repositories for 
cases like the server stack or the multimedia stack where there are 
definite benefits to running newer versions.

And IMHO they should be special purpose repositories that require EPEL 
and are used only when that purpose is needed, rather than a general 
purpose single repository. Let EPEL be the general purpose add-on 

Sent my from my laptop, may not be able to respond timely