Great, PHP patches 5.3.8 and opens up an even worse security hole in 5.3.9!
Originally Posted by php.net
This is a critical security fix for PHP. Any idea how long before we'll see it available for an EasyApache build? My server is vulnerable until then.
We're already aware of this and working on it.
Is it too early to ask for an ETA?
Use suhosin as a workaround.
Considering it's late Friday and no word, I am guessing we cannot expect this until Monday at the earliest.
I don't feel this is acceptable for a critical security flaw that allows arbitrary code execution on my server.
I have never used Suhosin, don't understand really how it would help in this case, and, as a customer, object to the notion of reconfiguring my server to that extent because cPanel is slow to make the 5.3.10 fix available.
From my understanding this issue also affects version 5.2.17
Suhosin does block the hash collision bug in 5.3.8, but I'm not so sure that it blocks the new bug; that's why I'm asking, to make sure, since EasyApache as of the time of this post still does not offer 5.3.10.
I'm not sure either why it's taking cPanel so much time to fix this, as you could release a patch rather quickly. Even if it breaks something temporarily, at least you can then take the time to properly test it, because between broken and hacked, the latter is worse.
I know DirectAdmin already released a patch yesterday, just a few hours after it was announced. If cPanel really patches this only by Monday it will be a disaster.
Usually they fix critical security issues very fast.
I don't think so. Probably on Monday, or Tuesday.
I suppose Chinese hackers will have a nice weekend hacking servers.
This of course will be very bad press for cPanel if thousands of servers happen to appear hacked next week. I guess the media are going to blame this on the late patching by cPanel, because 1 day is OK, but not 4 or 5 days.
It will be available in a few days. We just have to wait a little.
Suhosin's default is higher than PHP's, so you have to set it lower.
If you set it lower than PHP's default of 1000, then the PHP bug cannot happen (in theory), because the last variable will never make it to PHP.
Example php.ini settings (untested, unproven, just examples and YMMV):
Code:
extension="suhosin.so"
suhosin.memory_limit = 256M
suhosin.filter.action = 402
suhosin.cookie.max_array_depth = 64
suhosin.cookie.max_array_index_length = 256
suhosin.cookie.max_name_length = 256
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 4096
suhosin.cookie.max_vars = 256
suhosin.get.max_array_depth = 64
suhosin.get.max_array_index_length = 256
suhosin.get.max_name_length = 256
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 4096
suhosin.get.max_vars = 256
suhosin.post.max_array_depth = 64
suhosin.post.max_array_index_length = 256
suhosin.post.max_name_length = 256
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 524288
suhosin.post.max_vars = 512
suhosin.request.max_array_depth = 64
suhosin.request.max_array_index_length = 256
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 524288
suhosin.request.max_vars = 512
suhosin.request.max_varname_length = 256
Some of the above are already set higher than the defaults for Suhosin and PHP.
http://www.hardened-php.net/suhosin/configuration.html
You may need to set them higher if you are running some poorly designed software, but whatever you do, never set it to 1000 or higher unless your PHP max_input_vars is also higher (always set it lower).
PHP: Runtime Configuration - Manual
Last edited by aww; 02-05-2012 at 12:58 PM.
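The invariant behind the workaround in the post above is that every Suhosin per-source variable limit (get, post, request, cookie) stays strictly below PHP's max_input_vars, so an oversized request is rejected by Suhosin before PHP's own counter is ever reached. The checker below verifies that invariant against a php.ini fragment. It is an added example, not code from this thread, from cPanel or from the Suhosin project. Assumptions: PHP's documented default of 1000 applies when max_input_vars is absent; only a flat php.ini syntax is parsed (no .htaccess or per-directory overrides); suhosin.simulation, when on, makes Suhosin log rather than block, so it is flagged as defeating the mitigation; Suhosin's own built-in defaults are not assumed, so an unset limit is reported for manual verification. The two sample fragments are constructed from the limits posted above plus a deliberately broken variant. Whether a rejected probe actually comes back with the status code in suhosin.filter.action is something to confirm against the live server, which this script does not contact.

```python
"""Check that Suhosin's request-variable limits sit below PHP's max_input_vars.

Added example for the thread above; not Suhosin's or cPanel's code.
"""

PHP_DEFAULT_MAX_INPUT_VARS = 1000  # PHP's documented default when the directive is absent

# Suhosin limits that cap how many variables PHP receives from each source.
SUHOSIN_VAR_LIMITS = (
    "suhosin.get.max_vars",
    "suhosin.post.max_vars",
    "suhosin.request.max_vars",
    "suhosin.cookie.max_vars",
)

# Constructed sample: the max_vars lines posted in the thread, plus an explicit
# max_input_vars so the comparison is visible.
SAMPLE_GOOD = """
extension="suhosin.so"
max_input_vars = 1000
suhosin.filter.action = 402
suhosin.get.max_vars = 256
suhosin.post.max_vars = 512
suhosin.request.max_vars = 512
suhosin.cookie.max_vars = 256
"""

# Constructed sample of a configuration that looks hardened but is not:
# simulation mode only logs, two limits exceed max_input_vars, two are unset.
SAMPLE_BAD = """
extension="suhosin.so"
suhosin.simulation = On
suhosin.post.max_vars = 2000
suhosin.request.max_vars = 2000
"""


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' per line, ';' starts a comment.

    Returns (settings, extensions). 'extension=' may repeat, so it is kept as a
    list instead of being overwritten in the dict.
    """
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"').strip("'")
        if key.lower() == "extension":
            extensions.append(value)
        else:
            settings[key.lower()] = value
    return settings, extensions


def ini_bool(value):
    """php.ini truthiness: 1/On/Yes/True count as on."""
    return value.strip().lower() in ("1", "on", "yes", "true")


def check_limits(text):
    """Return {'max_input_vars': int, 'problems': [str], 'ok': bool}."""
    settings, extensions = parse_ini(text)
    problems = []
    if not any(ext.endswith("suhosin.so") for ext in extensions):
        problems.append("suhosin.so is not loaded")
    if ini_bool(settings.get("suhosin.simulation", "0")):
        problems.append("suhosin.simulation is on: limits are logged, not enforced")
    max_input_vars = int(settings.get("max_input_vars", PHP_DEFAULT_MAX_INPUT_VARS))
    for name in SUHOSIN_VAR_LIMITS:
        if name not in settings:
            # Suhosin's built-in default applies; not assumed here, so flag it.
            problems.append(f"{name} is not set; verify Suhosin's default is below {max_input_vars}")
            continue
        limit = int(settings[name])
        if limit >= max_input_vars:
            problems.append(f"{name} = {limit} is not below max_input_vars = {max_input_vars}")
    return {"max_input_vars": max_input_vars, "problems": problems, "ok": not problems}


def build_probe(count):
    """POST body with `count` distinct scalar variables (v0=1&v1=1&...).

    Save it and send it with curl --data @probe.txt against a test vhost: once
    count exceeds suhosin.post.max_vars the request should be rejected before
    PHP counts past max_input_vars. The script itself sends nothing.
    """
    return "&".join(f"v{i}=1" for i in range(count))


if __name__ == "__main__":
    for label, sample in (("posted limits", SAMPLE_GOOD), ("broken config", SAMPLE_BAD)):
        report = check_limits(sample)
        print(f"{label}: ok={report['ok']} max_input_vars={report['max_input_vars']}")
        for problem in report["problems"]:
            print("  -", problem)
    # A probe one variable past PHP's default limit, for manual testing.
    print(len(build_probe(PHP_DEFAULT_MAX_INPUT_VARS + 1)), "bytes of probe body")
```

Run it against the real php.ini (and the suhosin.ini or conf.d fragment where EasyApache places it) rather than the constructed samples, and keep in mind that any php_admin_value or per-directory override can raise a limit past what the global file shows.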