Here are updated packages in the Yum repository:
The PHP releases fix 8 CVEs (along with other bug fixes):
* CVE-2014-0207
* CVE-2014-3478
* CVE-2014-3479
* CVE-2014-3480
* CVE-2014-3487
* CVE-2014-3515
* CVE-2014-3981
* CVE-2014-4049
The following packages are in testing, and available for download in the testing repositories:
Assuming you have the Webtatic repositories set up (see Yum Repository), you can update using:
yum update <package> --enablerepo=webtatic-testing
The following packages are in testing, and available for download in the testing repositories:
Assuming you have the Webtatic repositories set up (see Yum Repository), you can update using:
yum update <package> --enablerepo=webtatic-testing
The following packages are in testing, and available for download in the testing repositories:
Assuming you have the Webtatic repositories set up (see Yum Repository), you can update using:
yum update <package> --enablerepo=webtatic-testing
Here are updated packages in the Yum repository:
All three PHP releases fix CVE-2014-0237 and CVE-2014-0238.
The PHP 5.5.13 and 5.4.29 releases contain an additional regression fix for a backwards compatibility breakage causing objects implementing the "Serializable" interface to fail to unserialize using an incorrect serialized string, which would have affected PHPUnit and Doctrine.
The following packages are in testing, and available for download in the testing repositories:
Assuming you have the Webtatic repositories set up (see Yum Repository), you can update using:
yum update <package> --enablerepo=webtatic-testing
The following packages are in testing, and available for download in the testing repositories:
Assuming you have the Webtatic repositories set up (see Yum Repository), you can update using:
yum update <package> --enablerepo=webtatic-testing
The following packages are in testing, and available for download in the testing repositories:
Assuming you have the Webtatic repositories set up (see Yum Repository), you can update using:
yum update <package> --enablerepo=webtatic-testing
Here are updated packages in the Yum repository:
As with the previous post, this PHP 5.3.28 release fixes CVE-2014-0185, which was causing PHP-fpm to create a world-writeable unix socket if unix sockets were used and the listen.mode configuration setting not changed. However, this fix, as it reduces the permissions of the unix socket, may cause some server setups that relied on this to fail. See the previous post for more information.
PHP.net hasn't yet released a security fix themselves for PHP 5.3.
Here are updated packages in the Yum repository:
The PHP releases fix CVE-2014-0185, which was causing PHP-fpm to create a world-writeable unix socket if unix sockets were used and the listen.mode configuration setting not changed. However, this fix, as it reduces the permissions of the unix socket, may cause some server setups that relied on this to fail.
If it's not important that the unix socket is world-writable on the server (any linux user on the box can connect to the fastcgi server, and effectively run custom code as the php-fpm user, which isn't unlike using a loopback TCP port anyway), then you can re-enable this by adding to your php-fpm configuration:
listen.mode=0666
There are other, more secure ways of resolving this, which will prevent the potential security issue, such as changing the 'listen.owner' or 'listen.group' setting, which control the owner/group of the unix socket. For instance, if only Nginx was using php-fpm, you could do the following:
listen.owner = nginx
listen.group = nginx
That way, only nginx can talk to php-fpm.