upgrade PHP from 5.3.10 to 5.4

Asked by Christopher Adams on 2012-05-09

I have php53u (5.3.10) installed on a CentOS 5.8 machine. A recent security alert indicated that any versions below 5.3.13 are vulnerable. I found 5.4 on the following site:

http://dl.iuscommunity.org/pub/ius/stable/Redhat/5/x86_64/repoview/

Can I just install/upgrade over the 5.3.10 version, or should I be following a different process?

Thank you.

Question information

Language: English
Status: Answered
For: IUS Community Project
Assignee: No assignee
Last query: 2012-05-09
Last reply: 2012-05-09

Jeffrey Ness (jeffrey-ness) said : #1

Hello Christopher,

Thank you for taking the time to post this question on the IUS answer board.

I believe you are referring to the CVE vulnerability listed below:

   http://www.php.net/archive/2012.php#id2012-05-03-1
   http://www.php.net/archive/2012.php#id2012-05-06-1
   http://www.php.net/archive/2012.php#id2012-05-08-1

As mentioned on these PHP archives, "mod_php and php-fpm are not vulnerable to this attack",
so if you are using these methods you will be safe.

IUS does have php53u-5.3.13 packages available in testing (pushed last night):

  http://dl.iuscommunity.org/pub/ius/testing/Redhat/5/x86_64/repoview/php53u.html

If you are not using one of the methods above and are at risk, I would suggest using these testing packages.

As for moving to php54, these packages are also at risk (the latest packages are also in testing).

Hopefully this helps you out; if not, let me know.

Jeffrey-
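
Added example (not part of the thread, and not IUS or PHP project code): a shell check that applies the two conditions from the answer above, the SAPI in use and the 5.3.13 package version. The function names and sample inputs are assumptions; the SAPI strings are the values PHP's `php_sapi_name()` reports, and any SAPI other than the two the answer names is sent to the version check.

```shell
#!/bin/sh
# Added example: triage one PHP install using the conditions from the thread.
# Function names are hypothetical; the threshold comes from the thread.

FIXED_53="5.3.13"   # php53u version the answer says is in IUS testing

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Compares field by field, so 5.3.9 sorts below 5.3.13 (a string compare would not).
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# php_exposure SAPI VERSION: print a verdict for one install.
# SAPI examples: apache2handler (mod_php), fpm-fcgi (php-fpm), cgi-fcgi, cli.
php_exposure() {
    sapi=$1
    ver=${2%%[!0-9.]*}      # drop a package release suffix such as -1.ius.el5
    case $sapi in
        apache2handler|fpm-fcgi)
            echo "not-affected-sapi"; return 0 ;;
    esac
    case $ver in
        5.3.*) ;;
        # The thread gives no fixed version for other branches (e.g. php54).
        *) echo "check-branch"; return 0 ;;
    esac
    if version_lt "$ver" "$FIXED_53"; then
        echo "upgrade-needed"
    else
        echo "at-or-above-$FIXED_53"
    fi
}

# Constructed sample inputs.
php_exposure cgi-fcgi 5.3.10
php_exposure apache2handler 5.3.10
php_exposure cgi-fcgi 5.3.13-1.ius.el5
```

On a real host the two arguments can be read with `php-cgi -r 'echo php_sapi_name(), " ", PHP_VERSION;'`, or from a `phpinfo()` page served through the web server.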
