Latest Updates, PHP 5.6.0, 5.5.16, 5.4.32, Nginx 1.6.1

Here are updated packages in the Yum repository:

The PHP 5.6.0 release is a new set of packages. See more at PHP 5.6 for RHEL/CentOS 6.5

The PHP 5.5.16 release fixes 5 CVEs (along with other bug fixes):
* CVE-2014-3538
* CVE-2014-3587
* CVE-2014-2497
* CVE-2014-5120
* CVE-2014-3597

The PHP 5.4.32 release fixes 7 CVEs (along with other bug fixes):
* CVE-2014-2497
* CVE-2014-3538
* CVE-2014-3587
* CVE-2014-3597
* CVE-2014-4670
* CVE-2014-4698
* CVE-2014-5120

The Nginx 1.6.1 release fixes 1 CVE (along with other bug fixes):
* CVE-2014-3556

Latest Updates, PHP 5.5.15, 5.4.31, 5.3.29, MySQL 5.5.39

Here are updated packages in the Yum repository:

The PHP 5.5.15 release fixes 1 CVE (along with other bug fixes):
* CVE-2014-4670

The PHP 5.3.29 release incorporates the security fixes that were included in the later PHP versions (some of which Webtatic had already backported). PHP.net omits some of these from its changelog:

* CVE-2013-6712
* CVE-2014-0185
* CVE-2014-0207
* CVE-2014-0237
* CVE-2014-0238
* CVE-2014-3478
* CVE-2014-3479
* CVE-2014-3515
* CVE-2014-3981
* CVE-2014-4049
* CVE-2014-3480
* CVE-2014-3487

Latest Updates, PHP 5.5.13, 5.4.29, and 5.3.28 updated with CVE fixes

Here are updated packages in the Yum repository:

All three PHP releases fix CVE-2014-0237 and CVE-2014-0238.

The PHP 5.5.13 and 5.4.29 releases contain an additional regression fix for a backwards-compatibility break that caused objects implementing the "Serializable" interface to fail to unserialize using an incorrect serialized string. This would have affected PHPUnit and Doctrine.

Latest Updates, PHP 5.3.28 updated with CVE-2014-0185 fix

Here are updated packages in the Yum repository:

As with the previous post, this PHP 5.3.28 release fixes CVE-2014-0185, which caused php-fpm to create a world-writable unix socket when a unix socket was used and the listen.mode configuration setting was not changed. However, because the fix reduces the permissions of the unix socket, it may cause some server setups that relied on the old permissions to fail. See the previous post for more information.

PHP.net hasn't yet released a security fix themselves for PHP 5.3.

Latest Updates, PHP 5.5.12, PHP 5.4.28, Xdebug 2.2.5

Here are updated packages in the Yum repository:

The PHP releases fix CVE-2014-0185, which caused php-fpm to create a world-writable unix socket when a unix socket was used and the listen.mode configuration setting was not changed. However, because the fix reduces the permissions of the unix socket, it may cause some server setups that relied on the old permissions to fail.

If it does not matter on your server that the unix socket is world-writable (any Linux user on the box can connect to the FastCGI server and effectively run custom code as the php-fpm user, which isn't unlike using a loopback TCP port anyway), then you can restore the old behaviour by adding this to your php-fpm configuration:

listen.mode=0666

There are other, more secure ways of resolving this, which will prevent the potential security issue, such as changing the 'listen.owner' or 'listen.group' setting, which control the owner/group of the unix socket. For instance, if only Nginx was using php-fpm, you could do the following:

listen.owner = nginx
listen.group = nginx

That way, only nginx can talk to php-fpm.
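
To check existing pool files against the settings discussed above, the following added example (not Webtatic's or PHP's own code) parses a php-fpm pool configuration and flags listeners that are world-writable or that the tightened default may lock the web server out of. The pool names and socket paths are constructed, and the script assumes the post-fix default listen.mode of 0660.

```python
import configparser

# Constructed sample pool file (pool names and socket paths are made up).
SAMPLE_POOLS = """
[www]
listen = /var/run/php-fpm/www.sock
listen.mode = 0666

[app]
listen = /var/run/php-fpm/app.sock
listen.owner = nginx
listen.group = nginx

[tcp]
listen = 127.0.0.1:9000
"""

DEFAULT_MODE = "0660"  # assumed php-fpm default once the CVE-2014-0185 fix is applied


def audit_pools(text):
    """Map each pool name to a finding about its FastCGI listener."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    findings = {}
    for pool in cp.sections():
        opts = cp[pool]
        listen = opts.get("listen", "").strip()
        if not listen.startswith("/"):
            findings[pool] = "tcp: socket file permissions do not apply"
            continue
        mode = int(opts.get("listen.mode", DEFAULT_MODE).strip(), 8)
        has_owner = "listen.owner" in opts or "listen.group" in opts
        if mode & 0o002:
            # Connecting to a unix socket needs write permission on it.
            findings[pool] = "world-writable: any local user can connect"
        elif not has_owner:
            findings[pool] = "restricted: no listen.owner/listen.group, web server may be locked out"
        else:
            findings[pool] = "ok: limited to %s:%s" % (
                opts.get("listen.owner", "(default)"),
                opts.get("listen.group", "(default)"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_pools(SAMPLE_POOLS).items():
        print("%-4s %s" % (name, finding))
```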