Verify PHP 5.3.27 has been patched for CVE-2013-4248

NOTjust — user4304 asked:

Server setup:

  • CentOS release 5.10 (Final)
  • WHM 11.40.0 (26)
  • EasyApache 3.22.24 rev9999 compiled apache 2.2.26 and PHP 5.3.27 w/ SuHosin 0.9.33

I already had PHP 5.3.27 installed (since before most of documents/patches for CVE-2013-4248 came out), so I’m not sure it’s downloading the patched version from anywhere if it thinks it already has the newest version locally. Looking at the logs, this is what I’m afraid of.

Also, apparently there are only peripheral PHP RPM packages installed, so running a command like: rpm -q --changelog php53
yields a “no package” message.

The command
php -v
just gives me the gross output of the version number along with ioncube, etc. versions.

Is there a local changelog file I can check that would have the info I want? I simply can’t find one with either the find command or by looking at the directories with core php files in them.

I am specifically looking for changes/patch(es) made toward fixing CVE-2013-4248.

Thank you,
I’ve spent several hours searching/reading on the web and still don’t have an answer specific to my flavor of Linux/etc.

My answer:

You’re using upstream PHP directly, rather than Red Hat’s packages. While Red Hat has backported the security fix to their own PHP packages, PHP themselves have not released a security fix. PHP only patched this issue for 5.4 and 5.5, so you should either use Red Hat’s packages, or update to 5.4/5.5.
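An added check that follows from the answer above (my example, not part of the question or the answer): it classifies the reported PHP version against the upstream fix, which landed in 5.4.18 and 5.5.2 and never reached the 5.3 branch. It assumes php is on PATH and uses the php53 RPM name from the question; a distro package only shows the fix in its changelog, since backports do not bump the version number.

```shell
#!/bin/sh
# Upstream fixed CVE-2013-4248 in 5.4.18 and 5.5.2. The 5.3 branch never got
# the fix, so a 5.3.x built from php.net sources (5.3.27 included) stays
# unpatched no matter how recent the point release is.

# version_ge A B: succeeds when dotted version A >= B (first three numeric
# components; a suffix such as "-dev" or "RC1" is ignored).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        c1=$(printf '%s\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        c2=$(printf '%s\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        c1=${c1:-0}; c2=${c2:-0}
        [ "$c1" -gt "$c2" ] && return 0
        [ "$c1" -lt "$c2" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Prints one of: upstream-unfixed, vulnerable, fixed, unknown.
php_cve_2013_4248_status() {
    case $1 in
        5.3|5.3.*) echo upstream-unfixed ;;
        5.4|5.4.*) if version_ge "$1" 5.4.18; then echo fixed; else echo vulnerable; fi ;;
        5.5|5.5.*) if version_ge "$1" 5.5.2;  then echo fixed; else echo vulnerable; fi ;;
        5.[6-9]*|[6-9].*) echo fixed ;;   # later branches forked after the fix
        *) echo unknown ;;
    esac
}

# Report on the PHP found in PATH; a plain version check is only meaningful
# for an upstream build, so the distro changelog is consulted as well.
report_local_php() {
    command -v php >/dev/null 2>&1 || { echo "php not found in PATH"; return 0; }
    v=$(php -r 'echo PHP_VERSION;')
    echo "PHP $v: $(php_cve_2013_4248_status "$v")"
    if rpm -q --changelog php53 2>/dev/null | grep -q CVE-2013-4248; then
        echo "distro package php53 carries a backported CVE-2013-4248 fix"
    fi
}

report_local_php
```

An "upstream-unfixed" result with no changelog hit is exactly the situation in the question: the only remedies are the vendor package or moving to 5.4/5.5.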

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.