SECURITY ISSUE: GD (php image library)

qwerty

cpanel's easyapache scripts still bundle GD 2.0.28, and as reported over the past few days and weeks there are several exploits for all versions of GD < 2.0.35, some incl. REMOTE ARBITRARY CODE EXECUTION.

Can cpanel PLEASE update the included GD library to at least 2.0.35, as it's currently sitting on 2.0.28.
 

deanstev

I'm running 5.2.0 and it's using the old GD also...

Where did the post go from before???
 

ChadE

I'm running PHP 5.2.3 (Serious improvement over 5.2.0 - much faster) and I have GD 2.0.35 according to phpinfo. I believe a newer version of GD was bundled in/after 5.2.1. 5.2.3 and 5.2.4RC1 both feature GD updates/enhancements to the GD system.
 

deanstev

I've just gone to recompile with 5.2.3, and this is what it says:

GD (Version 2.0.15)

WTF?
 

DReade83

This is crazy. We're the customers here and shouldn't have to be asking the developers to upgrade the software at our request due to security issues...

Obviously security isn't a great concern to cPanel as I have rarely seen priorities given to security updates previously. I mean, look how long it took for PHP 5.2.2 and 5.2.3 to hit the Apache Update page. Both versions hit the page at the same time which is pretty pointless in my opinion and, in addition, both hit the page weeks after release.

So, the question is how long will it take to get the GD Library updated? Anyone like to have a guess?
 

cPanelNick

Administrator
Staff member
easyapache 1.5 no longer installs gd. It uses the one that is bundled with php. The version is just a display artifact left over in the system (which will be going away once easyapache 3 is released).
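
One way to check the GD version that PHP itself reports, rather than the number shown by the build tool, written as an added example that is not part of the thread or of cPanel's code. The function names are hypothetical, the sample strings are constructed, and the 2.0.35 threshold is the one given in the first post.

```php
<?php
// Added example. MIN_GD comes from the first post in the thread;
// parse_gd_version() and classify_gd() are hypothetical helper names.
const MIN_GD = '2.0.35';

// Pull the dotted version out of a gd_info()['GD Version'] string.
// Constructed samples of that string: "2.0.28", "bundled (2.0.34 compatible)".
function parse_gd_version(string $raw): ?string
{
    return preg_match('/\d+\.\d+(?:\.\d+)?/', $raw, $m) ? $m[0] : null;
}

// Report the version, whether PHP says it is the bundled copy,
// and how it compares with the threshold.
function classify_gd(string $raw): string
{
    $version = parse_gd_version($raw);
    if ($version === null) {
        return 'unknown version string';
    }
    $source = stripos($raw, 'bundled') !== false ? 'bundled with PHP' : 'external libgd';
    $state  = version_compare($version, MIN_GD, '>=') ? 'ok' : 'below ' . MIN_GD;
    return "$version ($source): $state";
}

// Constructed sample inputs, so the script shows output even without GD loaded.
foreach (['2.0.28', 'bundled (2.0.34 compatible)', '2.0.35'] as $sample) {
    echo str_pad($sample, 30), ' => ', classify_gd($sample), PHP_EOL;
}

// The value that matters on a given server: what the loaded extension reports.
if (extension_loaded('gd')) {
    echo 'this PHP: ', classify_gd(gd_info()['GD Version']), PHP_EOL;
} else {
    echo 'this PHP: gd extension not loaded', PHP_EOL;
}
```

For a bundled copy the string gives a compatibility level rather than an upstream release number, so treat the result as an indicator and confirm against the PHP release's own changelog.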