2

We are using PHP 5.6.33 with CentOS in production environment. We found that PHP is having following vulnerability CVE-2018-7584. On the official page it is showing following :

In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.

References : https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-7679 https://www.exploit-db.com/exploits/44846/

It seems PHP 7.2 is also having same vulnerability. Is there any solution or workaround for this ?

Mohit Shah
  • 124
  • 7
  • 1
    here is the patch https://github.com/php/php-src/commit/523f230c831d7b33353203fa34aee4e92ac12bba – Bilal Ahmed Oct 10 '18 at 07:30
  • @BilalAhmed : Thanks for the answer. But my concern is, Should we change this directly to PHP source file ? What is the path for PHP source files in linux. – Mohit Shah Oct 10 '18 at 07:47

1 Answers1

2

Is there any solution or workaround for this ?

Short-term solution: sudo yum --security upgrade

Long-term solution: Automatic security upgrades so you don't give yourself alert fatigue.

If CentOS proper isn't giving you the latest security patches for PHP (like they're supposed to be doing), use Remi's repository instead, which provides 5.6.38 as of this writing.

Scott Arciszewski
  • 33,610
  • 16
  • 89
  • 206