Thread: php 5.2.17 security backports question

  1. #1
    Registered User
    Join Date
    Jun 2012
    Posts
    2
    cPanel/WHM Access Level

    Root Administrator

    php 5.2.17 security backports question

    Hello,

    I run the default Apache (2.2.22) and PHP (5.2.17) installation, installed using EasyApache through cPanel/WHM.

    Secunia dot com released several security vulnerability notifications today that affect php 5.3x and 5.4x (and presumably 5.2x as well but I could be wrong).

    Some of these vulnerabilities were reported today and others about a month ago. Have they already been backported to php 5.2.17 by the cpanel team when installed using easyapache? If not, will they? Or is the only choice to upgrade to the latest version of php 5.3x or 5.4x to be protected against these latest vulnerabilities?

    We run many websites and unfortunately trying to get the web developers to update their code to work with php 5.3x and newer is a PITA. I'd still like to run php 5.2x but not if it's going to lead to the server getting rooted through arbitrary code execution vulnerabilities in php 5.2x.

    Any info or tips are greatly appreciated.

    Thank you!

    secunia dot com/advisories/49731/ (cve's listed here)
    secunia dot com/advisories/49014/ (cves listed here)

  2. #2
    Member
    Join Date
    Apr 2012
    Posts
    86
    cPanel/WHM Access Level

    Reseller Owner

    Re: php 5.2.17 security backports question

    I think you are worried about "PHP 5.4 Win32 Code Execution" (Packet Storm). This is only a problem on Windows servers, not CentOS/Red Hat, as written at https://bugzilla.redhat.com/show_bug.cgi?id=823464

  3. #3
    Member
    Join Date
    Jul 2012
    Posts
    36
    cPanel/WHM Access Level

    Root Administrator

    Re: php 5.2.17 security backports question

    I know this might seem like a dumb question, but does cPanel backport fixes from PHP 5.3 and 5.4 to 5.2? And if so, is there a changelog somewhere that lists what CVEs have been addressed?

    Thanks in advance to anyone that knows, my boss is on us to prove we can still use PHP 5.2 safely.

  4. #4
    Member
    Join Date
    Apr 2012
    Posts
    86
    cPanel/WHM Access Level

    Reseller Owner

    Re: php 5.2.17 security backports question

    cPanel is lazy about backporting patches into 5.2, while it is safe and this could be done without any problems. We are thinking about compiling 5.2 ourselves to get all patches into 5.2, while we cannot move to 5.3 on many servers with existing customers.

    Shame on the cPanel development team about this. 5.2 can be safely used with patches from php52-backports (Backported security patches for PHP 5.2.17 from other PHP versions, Google Project Hosting).

  5. #5
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Re: php 5.2.17 security backports question

    The link you provide isn't from the provider of PHP itself but a separate Google project to support a deprecated version when the company who provided PHP 5.2 originally isn't even supporting it any longer.

    Please keep in mind that we provide PHP 4 and PHP 5.2 as a courtesy to our customers. If you wish to see us add the patches, then a feature request would be the way to go:

    Feature Requests for cPanel/WHM
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

  6. #6
    Member
    Join Date
    Apr 2012
    Posts
    86
    cPanel/WHM Access Level

    Reseller Owner

    Re: php 5.2.17 security backports question

    There is already a thread on Feature Requests for cPanel/WHM about security patches to 5.2. But it has not even been responded to by the cPanel dev team.